Secure Software Design is an area in serious need of inclusion in modern computer science curricula, which are producing many unaware software engineers who can create software but lack the basic understanding of how to create secure software. Because there is a significant gap between cyber-security-aware software engineers and unaware software engineers, combined with an explosion of software programs being produced and pushed out to the public and to governments around the world, the number of software vulnerabilities continues to grow each year. For example, Risk Based Security came up with the following metrics for their own vulnerability-tracking project, VulnDB, and found "22,022 vulnerabilities published in 2018, which is a 6.4% increase...from 2017" (Sanders, 2019).
As a software engineer, cyber architect, and cyber security professional, it is my professional and ethical duty to ensure that the organization I work for does not produce software with vulnerabilities that can harm customers, the government, or my organization's reputation. By using a Secure Software Design program that implements the same principles and standards applied in Safety Engineering, I can ensure that my organization has an approach to identify vulnerabilities early and reduce costs and harms. This has become even more paramount as we enter an era in which the Internet of Things, small devices connected to networks, is connected to and communicating with and within critical infrastructure and corporate environments.
But a secure software design program requires experienced software engineers, and this requires training. Unfortunately, this training is often not provided by the universities and programs that produce software engineers. Axelrod discusses numerous paths forward for training and for implementing software systems by using available frameworks and applying validation and verification processes (Axelrod, 2012). These give software engineers the opportunity to detect security errors and learn how to prevent them from recurring in future programs. Additionally, Ian Sommerville discusses Agile software development, requirements engineering, software engineering ethics, system modeling, and software testing as an approach to improving the software produced by organizations (Sommerville, 2015).
The material needed to produce secure software is not difficult to find. For example, Carnegie Mellon University maintains an entire website dedicated to identifying and remediating common software engineering flaws through its Software Engineering Institute (Carnegie Mellon University, n.d.). However, as a cyber security architect it is my job to ensure that software engineers understand the flaws I find, and that I point them to resources or acquire in-house training to give them the secure software architecture knowledge they need to produce quality, safe, and secure software.
References
- Axelrod, C. (2012). Engineering safe and secure software systems (1st ed.). Norwood, MA: Artech House.
- Carnegie Mellon University. (n.d.). Software Engineering Institute. Retrieved July 29, 2019, from https://www.sei.cmu.edu/
- Sanders, J. (2019, February 27). Software vulnerabilities are becoming more numerous, less understood. Retrieved July 28, 2019, from https://www.techrepublic.com/article/software-vulnerabilities-are-becoming-more-numerous-less-understood/
- Sommerville, I. (2015). Software engineering. (10th ed.). Essex, United Kingdom: Pearson.