Sw Security

Published: January 26, 2013
Building Security In
Editor: Gary McGraw, gem@cigital.com

Software Security

Gary McGraw, Cigital

Software security is the idea of engineering software so that it continues to function correctly under malicious attack. Most technologists acknowledge this undertaking’s importance, but they need some help in understanding how to tackle it. This new department aims to provide that help by exploring software security best practices.

The software security field is a relatively new one. The first books and academic classes on the topic appeared in 2001, demonstrating how recently developers, architects, and computer scientists have started systematically studying how to build secure software. The field’s recent appearance is one reason why best practices are neither widely adopted nor obvious.
A central and critical aspect of the computer security problem is a software problem. Software defects with security ramifications—including implementation bugs such as buffer overflows and design flaws such as inconsistent error handling—promise to be with us for years. All too often, malicious intruders can hack into systems by exploiting software defects [1]. Internet-enabled software applications present the most common security risk encountered today, with software’s ever-expanding complexity and extensibility adding further fuel to the fire. By any measure, security holes in software are common, and the problem is growing: CERT Coordination Center identified 4,129 reported vulnerabilities in 2003 (a 70 percent increase over 2002, and an almost fourfold increase since 2001) [2,3].

Software security best practices leverage good software engineering practice and involve thinking about security early in the software life cycle, knowing and understanding common threats (including language-based flaws and pitfalls), designing for security, and subjecting all software artifacts to thorough objective risk analyses and testing. Let’s look at how software security fits into the overall concept of operational security and examine some best practices for building security in.

Published by the IEEE Computer Society

...versus application security
Application security means many different things to many different people. In IEEE Security & Privacy magazine, it has come to mean the protection of software after it’s already built. Although the notion of protecting software is an important one, it’s just plain easier to protect something that is defect-free than something riddled with vulnerabilities. Pondering the question, “What is the most effective way to protect software?” can help untangle software security and application security. On one hand, software security is about building secure software: designing software to be secure, making sure that software is secure, and educating software developers, architects, and users about how to build secure things. On the other hand, application security is about protecting software and the systems that software runs in a post facto way, after development is complete. Issues critical to this subfield include sandboxing code (as the Java virtual machine does), protecting against malicious code, obfuscating code, locking down executables, monitoring programs as they run (especially their input), enforcing the software use policy with technology, and dealing with extensible systems.

Application security follows naturally from a network-centric approach to security, by embracing standard approaches such as penetrate and patch [4] and input filtering (trying to block malicious input) and by providing value in a reactive way. Put succinctly, application security is based primarily on finding and fixing known security problems after they’ve been exploited in fielded systems. Software security—the process of designing, building, and testing software for security—identifies and expunges problems in the software...

1540-7993/04/$20.00 © 2004 IEEE