Security is critical to the success of software,particularly in today’s fast-paced,technology-driven environment.It ensures that data,code,and services maintain their CIA(Confidentiality,Integrity,and Availability).T...Security is critical to the success of software,particularly in today’s fast-paced,technology-driven environment.It ensures that data,code,and services maintain their CIA(Confidentiality,Integrity,and Availability).This is only possible if security is taken into account at all stages of the SDLC(Software Development Life Cycle).Various approaches to software quality have been developed,such as CMMI(Capabilitymaturitymodel integration).However,there exists no explicit solution for incorporating security into all phases of SDLC.One of the major causes of pervasive vulnerabilities is a failure to prioritize security.Even the most proactive companies use the“patch and penetrate”strategy,inwhich security is accessed once the job is completed.Increased cost,time overrun,not integrating testing and input in SDLC,usage of third-party tools and components,and lack of knowledge are all reasons for not paying attention to the security angle during the SDLC,despite the fact that secure software development is essential for business continuity and survival in today’s ICT world.There is a need to implement best practices in SDLC to address security at all levels.To fill this gap,we have provided a detailed overview of secure software development practices while taking care of project costs and deadlines.We proposed a secure SDLC framework based on the identified practices,which integrates the best security practices in various SDLC phases.A mathematical model is used to validate the proposed framework.A case study and findings show that the proposed system aids in the integration of security best practices into the overall SDLC,resulting in more secure applications.展开更多
Many organizations,to save costs,are moving to the Bring Your Own Mobile Device(BYOD)model and adopting applications built by third-parties at an unprecedented rate.Our research examines software assurance methodologi...Many organizations,to save costs,are moving to the Bring Your Own Mobile Device(BYOD)model and adopting applications built by third-parties at an unprecedented rate.Our research examines software assurance methodologies specifically focusing on security analysis coverage of the program analysis for mobile malware detection,mitigation,and prevention.This research focuses on secure software development of Android applications by developing knowledge graphs for threats reported by the Open Web Application Security Project(OWASP).OWASP maintains lists of the top ten security threats to web and mobile applications.We develop knowledge graphs based on the two most recent top ten threat years and show how the knowledge graph relationships can be discovered in mobile application source code.We analyze 200+healthcare applications from GitHub to gain an understanding of their software assurance of their developed software for one of the OWASP top ten mobile threats,the threat of“Insecure Data Storage.”We find that many of the applications are storing personally identifying information(PII)in potentially vulnerable places leaving users exposed to higher risks for the loss of their sensitive data.展开更多
During the initial stages of software development,the primary goal is to define precise and detailed requirements without concern for software realizations.Security constraints should be introduced then and must be ba...During the initial stages of software development,the primary goal is to define precise and detailed requirements without concern for software realizations.Security constraints should be introduced then and must be based on the semantic aspects of applications,not on their software architectures,as it is the case in most secure development methodologies.In these stages,we need to identify threats as attacker goals and indicate what conceptual security defenses are needed to thwart these goals,without consideration of implementation details.We can consider the effects of threats on the application assets and try to find ways to stop them.These threats should be controlled with abstract security mechanisms that can be realized by abstract security patterns(ASPs),that include only the core functions of these mechanisms,which must be present in every implementation of them.An abstract security pattern describes a conceptual security mechanism that includes functions able to stop or mitigate a threat or comply with a regulation or institutional policy.We describe here the properties of ASPs and present a detailed example.We relate ASPs to each other and to Security Solution Frames,which describe families of related patterns.We show how to include ASPs to secure an application,as well as how to derive concrete patterns from them.Finally,we discuss their practical value,including their use in“security by design”and IoT systems design.展开更多
文摘Security is critical to the success of software,particularly in today’s fast-paced,technology-driven environment.It ensures that data,code,and services maintain their CIA(Confidentiality,Integrity,and Availability).This is only possible if security is taken into account at all stages of the SDLC(Software Development Life Cycle).Various approaches to software quality have been developed,such as CMMI(Capabilitymaturitymodel integration).However,there exists no explicit solution for incorporating security into all phases of SDLC.One of the major causes of pervasive vulnerabilities is a failure to prioritize security.Even the most proactive companies use the“patch and penetrate”strategy,inwhich security is accessed once the job is completed.Increased cost,time overrun,not integrating testing and input in SDLC,usage of third-party tools and components,and lack of knowledge are all reasons for not paying attention to the security angle during the SDLC,despite the fact that secure software development is essential for business continuity and survival in today’s ICT world.There is a need to implement best practices in SDLC to address security at all levels.To fill this gap,we have provided a detailed overview of secure software development practices while taking care of project costs and deadlines.We proposed a secure SDLC framework based on the identified practices,which integrates the best security practices in various SDLC phases.A mathematical model is used to validate the proposed framework.A case study and findings show that the proposed system aids in the integration of security best practices into the overall SDLC,resulting in more secure applications.
文摘Many organizations,to save costs,are moving to the Bring Your Own Mobile Device(BYOD)model and adopting applications built by third-parties at an unprecedented rate.Our research examines software assurance methodologies specifically focusing on security analysis coverage of the program analysis for mobile malware detection,mitigation,and prevention.This research focuses on secure software development of Android applications by developing knowledge graphs for threats reported by the Open Web Application Security Project(OWASP).OWASP maintains lists of the top ten security threats to web and mobile applications.We develop knowledge graphs based on the two most recent top ten threat years and show how the knowledge graph relationships can be discovered in mobile application source code.We analyze 200+healthcare applications from GitHub to gain an understanding of their software assurance of their developed software for one of the OWASP top ten mobile threats,the threat of“Insecure Data Storage.”We find that many of the applications are storing personally identifying information(PII)in potentially vulnerable places leaving users exposed to higher risks for the loss of their sensitive data.
基金This work received no external funding,but the National Institute of Informatics of Japan funded the trip of the first and fourth authors to Tokyo to participate in meetings where the idea of this paper was developed.
文摘During the initial stages of software development,the primary goal is to define precise and detailed requirements without concern for software realizations.Security constraints should be introduced then and must be based on the semantic aspects of applications,not on their software architectures,as it is the case in most secure development methodologies.In these stages,we need to identify threats as attacker goals and indicate what conceptual security defenses are needed to thwart these goals,without consideration of implementation details.We can consider the effects of threats on the application assets and try to find ways to stop them.These threats should be controlled with abstract security mechanisms that can be realized by abstract security patterns(ASPs),that include only the core functions of these mechanisms,which must be present in every implementation of them.An abstract security pattern describes a conceptual security mechanism that includes functions able to stop or mitigate a threat or comply with a regulation or institutional policy.We describe here the properties of ASPs and present a detailed example.We relate ASPs to each other and to Security Solution Frames,which describe families of related patterns.We show how to include ASPs to secure an application,as well as how to derive concrete patterns from them.Finally,we discuss their practical value,including their use in“security by design”and IoT systems design.
