scholarly journals Challenging software developers: dialectic as a foundation for security assurance techniques

2020 ◽  
Vol 6 (1) ◽  
Author(s):  
Charles Weir ◽  
Awais Rashid ◽  
James Noble
Keyword(s):  
Software Security ◽  
Software Developers ◽  
Security Assurance ◽  
App Development ◽  
Development Teams ◽  
Development Cycle

Abstract Development teams are increasingly expected to deliver secure code, but how can they best achieve this? Traditional security practice, which emphasizes ‘telling developers what to do’ using checklists, processes and errors to avoid, has proved difficult to introduce. From analysis of industry interviews with a dozen experts in app development security, we find that secure development requires ‘dialectic’: a challenging dialog between the developers and a range of counterparties, continued throughout the development cycle. Analysing a further survey of 16 industry developer security advocates, we identify the six assurance techniques that are most effective at achieving this dialectic in existing development teams, and conclude that the introduction of these techniques is best driven by the developers themselves. Concentrating on these six assurance techniques, and the dialectical interactions they involve, has the potential to increase the security of development activities and thus improve software security for everyone.

scholarly journals Modeling and Characterizing Software Vulnerabilities

2017 ◽  
Vol 2 (4) ◽  
pp. 288-299 ◽  
Author(s):  
Navneet Bhatt ◽  
Adarsh Anand ◽  
V. S. S. Yadavalli ◽  
Vijay Kumar
Keyword(s):  
Operating Systems ◽  
Software Security ◽  
Software Developers ◽  
Security Assurance ◽  
Quantitative Classification ◽  
Software Vulnerabilities ◽  
Systems Software ◽  
Vulnerability Discovery ◽  
Empirical Illustration

With the association of software security assurance in the development of code based systems; software developers are relying on the Vulnerability discovery models to mitigate the breaches by estimating the total number of vulnerabilities, before they’re exploited by the intruders. Vulnerability Discovery Models (VDMs) provide the quantitative classification of the flaws that exists in a software that will be discovered after a software is released. In this paper, we develop a vulnerability discovery model that accumulate the vulnerabilities due to the influence of previously discovered vulnerabilities. We further evaluate the proportion of previously discovered vulnerabilities along with the fraction additional vulnerabilities detected. The quantification methodology presented in this article has been accompanied with an empirical illustration on popular operating systems’ vulnerability data.

Building an Ambidextrous Software Security Initiative

2021 ◽  
pp. 167-188
Author(s):  
Daniela Soares Cruzes ◽  
Espen Agnalt Johansen
Keyword(s):  
Software Development ◽  
Software Security ◽  
Top Down ◽  
Bottom Up ◽  
Software Companies ◽  
Adoption And Implementation ◽  
Development Teams ◽  
Software Development Teams ◽  
Professional Self ◽  
Global And Local

Improving software security in software development teams is an enduring challenge for software companies. In this chapter, the authors present one strategy for addressing this pursuit of improvement. The approach is ambidextrous in the sense that it focuses on approaching software security activities both from a top-down and a bottom-up perspective, combining elements usually found separately in software security initiatives. The approach combines (1) top-down formal regulatory mechanisms deterring breaches of protocol and enacting penalties where they occur and (2) bottom-up capacity building and persuasive encouragement of adherence to guidance by professional self-determination, implementation, and improvement support (e.g., training, stimulating, interventions). The ambidextrous governance framework illustrates distinct, yet complementary, global and local roles: (1) ensuring the adoption and implementation of software security practices, (2) enabling and (3) empowering software development teams to adapt and add to overall mandates, and (4) embedding cultures of improvement.

Building an Ambidextrous Software Security Initiative

2022 ◽  
pp. 627-648
Author(s):  
Daniela Soares Cruzes ◽  
Espen Agnalt Johansen
Keyword(s):  
Software Development ◽  
Software Security ◽  
Top Down ◽  
Bottom Up ◽  
Software Companies ◽  
Adoption And Implementation ◽  
Development Teams ◽  
Software Development Teams ◽  
Professional Self ◽  
Global And Local

Improving software security in software development teams is an enduring challenge for software companies. In this chapter, the authors present one strategy for addressing this pursuit of improvement. The approach is ambidextrous in the sense that it focuses on approaching software security activities both from a top-down and a bottom-up perspective, combining elements usually found separately in software security initiatives. The approach combines (1) top-down formal regulatory mechanisms deterring breaches of protocol and enacting penalties where they occur and (2) bottom-up capacity building and persuasive encouragement of adherence to guidance by professional self-determination, implementation, and improvement support (e.g., training, stimulating, interventions). The ambidextrous governance framework illustrates distinct, yet complementary, global and local roles: (1) ensuring the adoption and implementation of software security practices, (2) enabling and (3) empowering software development teams to adapt and add to overall mandates, and (4) embedding cultures of improvement.

Where to Integrate Security Practices on DevOps Platform

2016 ◽  
Vol 7 (4) ◽  
pp. 39-50 ◽  
Author(s):  
Hasan Yasar ◽  
Kiriakos Kontostathis
Keyword(s):  
Software Security ◽  
Rapid Development ◽  
Software Developers ◽  
Proactive Approach ◽  
Development Lifecycle ◽  
Security Practices ◽  
Programming Effort ◽  
Attack Surface ◽  
Negative Feelings ◽  
Reliable Software

“Software security” often evokes negative feelings amongst software developers because this term is associated with additional programming effort, uncertainty and road blocker activity on rapid development and release cycles. The Secure DevOps movement attempts to combat the toxic environment surrounding software security by shifting the paradigm from following rules and guidelines to creatively determining solutions for tough security problems (Taschner, 2015). Secure software should be focused on a proactive approach that limits the attack surface and produces reliable software. Secure DevOps developers want their software to bend but not break, which means the software absorbs attacks and continues to function. The burgeoning concepts of DevOps include a number of concepts that can be applied to increase the security of developed applications. Applying these and other DevOps principles can have a big impact on creating an environment that is resilient and secure. Specifically, this paper clearly explains how to address security concerns in the early stages of the development lifecycle and leverage that knowledge throughout the SDLC.

The Design of Software Protection Mechanism Based on Virtual Machine

2014 ◽  
Vol 977 ◽  
pp. 525-531
Author(s):  
Si Qi Hu
Keyword(s):  
Protective Effect ◽  
Virtual Machine ◽  
Software Security ◽  
Rapid Development ◽  
Software Protection ◽  
Software Developers ◽  
Generation Algorithm ◽  
Protection Mechanism ◽  
Assembly Instructions ◽  
Reverse Analysis

Software security is facing enormous challenges with the rapid development of attacking technology.Obsolete software protection methods can no longer meet the needs of modern software security. In this paper,we proposed a software protection mechanism based on virtual machine which can compile the x86 assembly instructions into virtual instructions.The execution of instructions will be completed in the virtue machine so this mechanism can resist the attack of reverse analysis,meanwhile, the rights of software developers and intellectual property will be protected. furthermore, we design a random instruction generation algorithm to make the code of instructions haphazard, so that the protective ability of VM can be enhanced. We use some experiment to illustrate its superiority and the experimental results indicated that the protective effect of the proposed mechanism is excellent.

Rule-based auditing system for software security assurance

2009 ◽  
Author(s):  
Changbok Jang ◽  
Jeongseok Kim ◽  
Hyokyung Jang ◽  
Sundo Park ◽  
Bokman Jang ◽  
...  
Keyword(s):  
Software Security ◽  
Rule Based ◽  
Security Assurance
Sign in / Sign up

Export Citation Format

Share Document