Seguridad En Java
Páginas: 14 (3326 palabras)
Publicado: 12 de octubre de 2012
Best practices for software security: An overview
Ansar-Ul-Haque Yasar
Distrinet Katholieke Universiteit Leuven Celestijnenlaan 200A B-3001 Leuven Belgium +32 16 32 75 35
ansarulhaque.yasar@cs.kuleuven.be
Davy Preuveneers
Distrinet Katholieke Universiteit Leuven Celestijnenlaan 200A B-3001 Leuven Belgium +32 16 32 78 53
davy.preuveneers@cs.kuleuven.be
Yolande Berbers
DistrinetKatholieke Universiteit Leuven Celestijnenlaan 200A B-3001 Leuven Belgium +32 16 32 76 36
yolande.berbers@cs.kuleuven.be
Ghasan Bhatti
Linkoping University SE-58183 Linkoping Sweden +46 76 23 23 375
shani572@hotmail.com
Abstract 1. Introduction
With the growth of software flaws there is a rise in the demand of security embedding to achieve the goal of secure software development in a moreefficient manner. Different practices are in use to keep the software intact. These practices also meant to be scrutinized for better results on the basis of the level of security, efficiency and complexity they are providing. It may also be weighted on the basis of Confidentiality, Integrity and Availability (CIA). Software security is a step by step procedure which can not be achieved just at aspecific level but it should be taken into account from the beginning of the Software Development Life Cycle (SDLC). In this paper, we have taken into account some of the best practices for secure software development and categorized them based on the phases in software development lifecycle. The results enable us to draw a clear picture of the best practices in software development which will enable adeveloper to follow them on a particular SDLC phase. Keywords: Software, Security, SDLC. With increasing technologies there is a more excess to the software which is a threat to the security of software. Hidden attacking factors from inside or outside the organization are increasing day by day. Intrusion and malicious software not only cause a financial loss but also the loss of credibility andintegrity of organization data. Software security issues directly affect the Confidentiality, Integrity and Availability (CIA). Security is not a feature it’s a property of software which has to be taken care of during the complete software lifecycle. So the security model, which has to be implemented, must consider these issues effectively and efficiently. If the software is not secure, then allits operations are exposed to attacks. As mentioned software security spread covers the whole Software Development Life Cycle phases. Each of the phases should be carefully observed for building secure software.
2. Background
While coding software every coder make some coding mistakes unintentionally, which introduce the majority of software vulnerabilities. Some of the examples of suchvulnerabilities can be buffer overflows, integer overflow, format string vulnerabilities etc. Vulnerabilities in software can be classified as in figure 1.
- Mitigation of the risk. The risk in this case is to be considered the harmful beyond the safety level so there is a response needed to reduce the risk up to a standard level. - Acceptance i.e. the threat is accepted with its risk but nottackling the risk as it is but different plan of action designed to overcome the risk indirectly. - Insurance this refers to as we redirect the vulnerability of a risk to a third party. Similar to threat analysis for avoiding the potential problems we would also like to discuss about the basic principles for secure software according to John Viega and Gary McGraw[3]: i. Secure the Weakest Link. ii.Practice defense in depth. iii. Fail Securely. iv. Follow the principle of least privilege. v. Compartmentalize. vi. Keep it Simple. vii. Promote privacy. viii. Remember that hiding secrets is hard. ix. Be reluctant to trust. x. Use your community resources. Viega and McGraw have explained that developers can avoid 90% of the problems using these principles [3].
Figure-1: Summary of Vulnerability...
Ansar-Ul-Haque Yasar
Distrinet Katholieke Universiteit Leuven Celestijnenlaan 200A B-3001 Leuven Belgium +32 16 32 75 35
ansarulhaque.yasar@cs.kuleuven.be
Davy Preuveneers
Distrinet Katholieke Universiteit Leuven Celestijnenlaan 200A B-3001 Leuven Belgium +32 16 32 78 53
davy.preuveneers@cs.kuleuven.be
Yolande Berbers
DistrinetKatholieke Universiteit Leuven Celestijnenlaan 200A B-3001 Leuven Belgium +32 16 32 76 36
yolande.berbers@cs.kuleuven.be
Ghasan Bhatti
Linkoping University SE-58183 Linkoping Sweden +46 76 23 23 375
shani572@hotmail.com
Abstract 1. Introduction
With the growth of software flaws there is a rise in the demand of security embedding to achieve the goal of secure software development in a moreefficient manner. Different practices are in use to keep the software intact. These practices also meant to be scrutinized for better results on the basis of the level of security, efficiency and complexity they are providing. It may also be weighted on the basis of Confidentiality, Integrity and Availability (CIA). Software security is a step by step procedure which can not be achieved just at aspecific level but it should be taken into account from the beginning of the Software Development Life Cycle (SDLC). In this paper, we have taken into account some of the best practices for secure software development and categorized them based on the phases in software development lifecycle. The results enable us to draw a clear picture of the best practices in software development which will enable adeveloper to follow them on a particular SDLC phase. Keywords: Software, Security, SDLC. With increasing technologies there is a more excess to the software which is a threat to the security of software. Hidden attacking factors from inside or outside the organization are increasing day by day. Intrusion and malicious software not only cause a financial loss but also the loss of credibility andintegrity of organization data. Software security issues directly affect the Confidentiality, Integrity and Availability (CIA). Security is not a feature it’s a property of software which has to be taken care of during the complete software lifecycle. So the security model, which has to be implemented, must consider these issues effectively and efficiently. If the software is not secure, then allits operations are exposed to attacks. As mentioned software security spread covers the whole Software Development Life Cycle phases. Each of the phases should be carefully observed for building secure software.
2. Background
While coding software every coder make some coding mistakes unintentionally, which introduce the majority of software vulnerabilities. Some of the examples of suchvulnerabilities can be buffer overflows, integer overflow, format string vulnerabilities etc. Vulnerabilities in software can be classified as in figure 1.
- Mitigation of the risk. The risk in this case is to be considered the harmful beyond the safety level so there is a response needed to reduce the risk up to a standard level. - Acceptance i.e. the threat is accepted with its risk but nottackling the risk as it is but different plan of action designed to overcome the risk indirectly. - Insurance this refers to as we redirect the vulnerability of a risk to a third party. Similar to threat analysis for avoiding the potential problems we would also like to discuss about the basic principles for secure software according to John Viega and Gary McGraw[3]: i. Secure the Weakest Link. ii.Practice defense in depth. iii. Fail Securely. iv. Follow the principle of least privilege. v. Compartmentalize. vi. Keep it Simple. vii. Promote privacy. viii. Remember that hiding secrets is hard. ix. Be reluctant to trust. x. Use your community resources. Viega and McGraw have explained that developers can avoid 90% of the problems using these principles [3].
Figure-1: Summary of Vulnerability...
Leer documento completo
Regístrate para leer el documento completo.