Security
Security is protection from, or resilience against, potential harm (or other unwanted coercive change) caused by others, by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be of persons and social ...
, as part of the
software development process
In software engineering, a software development process is a process of dividing software development work into smaller, parallel, or sequential steps or sub-processes to improve design, product management. It is also known as a software devel ...
, is an ongoing process involving people and practices, and ensures application confidentiality, integrity, and availability. Secure software is the result of security aware software development processes where security is built in and thus software is developed with security in mind.
Security is most effective if planned and managed throughout every stage of
software development life cycle (SDLC), especially in critical applications or those that process sensitive information.
The solution to
software development
Software development is the process of conceiving, specifying, designing, programming, documenting, testing, and bug fixing involved in creating and maintaining applications, frameworks, or other software components. Software development invol ...
security is more than just the technology.
Software development challenges
As
technology advances,
application environments become more complex and application development security becomes more challenging. Applications, systems, and networks are constantly under various security attacks such as
malicious code
Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depr ...
or
denial of service. Some of the challenges from the
application development security point of view include Viruses, Trojan horses, Logic bombs, Worms, Agents, and Applets.
Applications can contain
security vulnerabilities that may be introduced by
software engineers either intentionally or carelessly.
Software, environmental, and hardware
controls are required although they cannot prevent problems created from poor programming practice. Using limit and sequence checks to validate users’ input will improve the quality of data. Even though programmers may follow best practices, an application can still fail due to unpredictable conditions and therefore should handle unexpected failures successfully by first logging all the information it can capture in preparation for auditing. As security increases, so does the relative cost and administrative overhead.
Applications are typically developed using high-level
programming languages which in themselves can have security implications. The core activities essential to the software development process to produce secure applications and systems include: conceptual definition, functional requirements, control specification, design review, code review and walk-through, system test review, and maintenance and change management.
Building secure software is not only the responsibility of a
software engineer but also the responsibility of the stakeholders which include: management, project managers, business analysts, quality assurance managers, technical architects, security specialists, application owners, and developers.
Basic principles
There are a number of basic
guiding principles to software security. Stakeholders’ knowledge of these and how they may be implemented in software is vital to software security. These include:
* Protection from disclosure
* Protection from alteration
* Protection from destruction
* Who is making the request
* What rights and privileges does the requester have
* Ability to build historical evidence
* Management of configuration, sessions and errors/exceptions
Basic practices
The following lists some of the recommended
web security practices that are more specific for software developers.
* Sanitize inputs at the client side and server side
* Encode request/response
* Use HTTPS for domain entries
* Use only current encryption and hashing algorithms
* Do not allow for directory listing
* Do not store sensitive data inside cookies
* Check the randomness of the session
* Set secure and HttpOnly flags in cookies
* Use TLS not SSL
* Set strong password policy
* Do not store sensitive information in a form’s hidden fields
* Verify file upload functionality
* Set secure response headers
* Make sure third party libraries are secured
* Hide web server information
Security testing
Common attributes of
security testing include authentication, authorization, confidentiality, availability, integrity, non-repudiation, and resilience. Security testing is essential to ensure that the system prevents unauthorized users to access its resources and data. Some application data is sent over the internet which travels through a series of servers and network devices. This gives ample opportunities to unscrupulous hackers.
Summary
All secure systems implement
security controls within the
software,
hardware,
systems
A system is a group of interacting or interrelated elements that act according to a set of rules to form a unified whole. A system, surrounded and influenced by its environment, is described by its boundaries, structure and purpose and express ...
, and
networks - each component or process has a layer of isolation to protect an organization's most valuable resource which is its data. There are various security controls that can be incorporated into an application's development process to ensure security and prevent unauthorized access.
References
* Stewart, James (2012). CISSP Certified Information Systems Security Professional Study Guide Sixth Edition. Canada: John Wiley & Sons, Inc. pp. 275–319. .
* Report from Dagstuhl Seminar 12401Web Application Security Edited by Lieven Desmet, Martin Johns, Benjamin Livshits, and Andrei Sabelfeld, http://research.microsoft.com/en-us/um/people/livshits/papers%5Ctr%5Cdagrep_s12401.pdf
* Web Application Security Consortium, The 80/20 Rule for Web Application Security by Jeremiah Grossman 2005, http://www.webappsec.org/projects/articles/013105.shtml
* Wikipedia Web Application Security page,
Web application security
* Web Security Wiki page, https://www.w3.org/Security/wiki/Main_Page
* Wikipedia Web Security Exploits page,
:Web security exploits
* Open Web Application Security Project (OWASP), https://www.owasp.org/index.php/Main_Page
* Wikipedia Network Security page,
Network security
* Open Web Application Security Project (OWASP) web site, https://www.owasp.org/images/8/83/Securing_Enterprise_Web_Applications_at_the_Source.pdf
{{Software quality
Software development
Software quality