Software Systems Security Vulnerabilities Management by Exploring the Capabilities of Language Models Using NLP

Security of the software system is a prime focus area for software development teams. This paper explores some data science methods to build a knowledge management system that can assist the software development team to ensure a secure software system is being developed. Various approaches in this context are explored using data of insurance domain-based software development. These approaches will facilitate an easy understanding of the practical challenges associated with actual-world implementation. This paper also discusses the capabilities of language modeling and its role in the knowledge system. The source code is modeled to build a deep software security analysis model. The proposed model can help software engineers build secure software by assessing the software security during software development time. Extensive experiments show that the proposed models can efficiently explore the software language modeling capabilities to classify software systems’ security vulnerabilities.

Download Full-text

Software Development Initiatives to Identify and Mitigate Security Threats - Two Systematic Mapping Studies

CLEI electronic journal ◽

10.19153/cleiej.19.3.5 ◽

2016 ◽

Cited By ~ 1

Author(s):

Paulina Silva ◽

René Noël ◽

Santiago Matalonga ◽

Hernán Astudillo ◽

Diego Gatica ◽

...

Keyword(s):

Software Development ◽

Software Security ◽

The Other ◽

Software Systems ◽

Security Threats ◽

Controlled Experiments ◽

Systematic Mapping ◽

Development Lifecycle ◽

Secure Software ◽

Software Development Lifecycle

Software Security and development experts have addressed the problem of building secure software systems. There are several processes and initiatives to achieve secure software systems. However, most of these lack empirical evidence of its application and impact in building secure software systems. Two systematic mapping studies (SM) have been conducted to cover the existent initiatives for identification and mitigation of security threats. The SMs created were executed in two steps, first in 2015 July, and complemented through a backward snowballing in 2016 July. Integrated results of these two SM studies show a total of 30 relevant sources were identified; 17 different initiatives covering threats identification and 14 covering the mitigation of threats were found. All the initiatives were associated to at least one activity of the Software Development Lifecycle (SDLC); while 6 showed signs of being applied in industrial settings, only 3 initiatives presented experimental evidence of its results through controlled experiments, some of the other selected studies presented case studies or proposals.

Download Full-text

Creating and Applying Security Goal Indicator Trees in an Industrial Environment

Software Design and Development ◽

10.4018/978-1-4666-4301-7.ch048 ◽

2014 ◽

pp. 999-1013

Author(s):

Alessandra Bagnato ◽

Fabio Raiteri ◽

Christian Jung ◽

Frank Elberzhager

Keyword(s):

Software Development ◽

Software Systems ◽

Full Potential ◽

Security Vulnerabilities ◽

Industrial Project ◽

Project Environment ◽

Development Tools ◽

Development Lifecycle ◽

Software Development Lifecycle

Security inspections are increasingly important for bringing security-relevant aspects into software systems, particularly during the early stages of development. Nowadays, such inspections often do not focus specifically on security. With regard to security, the well-known and approved benefits of inspections are not exploited to their full potential. This book chapter focuses on the Security Goal Indicator Tree application for eliminating existing shortcomings, the training that led to their creation in an industrial project environment, their usage, and their reuse by a team in industry. SGITs are a new approach for modeling and checking security-relevant aspects throughout the entire software development lifecycle. This book chapter describes the modeling of such security goal based trees as part of requirements engineering using the GOAT tool dedicated plug-in and the retrieval of these models during the various phases of the software development lifecycle in a project by means of Software Vulnerability Repository Services (SVRS) created in the European project SHIELDS (SHIELDS - Detecting known security vulnerabilities from within design and development tools).

Download Full-text

Measuring Developers' Software Security Skills, Usage, and Training Needs

Exploring Security in Software Architecture and Design - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-5225-6313-6.ch011 ◽

2019 ◽

pp. 260-286 ◽

Cited By ~ 1

Author(s):

Tosin Daniel Oyetoyan ◽

Martin Gilje Gilje Jaatun ◽

Daniela Soares Cruzes

Keyword(s):

Software Development ◽

Software Security ◽

Training Needs ◽

Theoretical Background ◽

Practical Skills ◽

Divine Intervention ◽

Development Organizations ◽

Secure Software ◽

Training Need ◽

And Training

Software security does not emerge fully formed by divine intervention in deserving software development organizations; it requires that developers have the required theoretical background and practical skills to enable them to write secure software, and that the software security activities are actually performed, not just documented procedures that sit gathering dust on a shelf. In this chapter, the authors present a survey instrument that can be used to investigate software security usage, competence, and training needs in agile organizations. They present results of using this instrument in two organizations. They find that regardless of cost or benefit, skill drives the kind of activities that are performed, and secure design may be the most important training need.

Download Full-text

A Tagging Approach to Extract Security Requirements in Non-Traditional Software Development Processes

International Journal of Secure Software Engineering ◽

10.4018/ijsse.2014100102 ◽

2014 ◽

Vol 5 (4) ◽

pp. 31-47 ◽

Cited By ~ 2

Author(s):

Annette Tetmeyer ◽

Daniel Hein ◽

Hossein Saiedian

Keyword(s):

Software Development ◽

Software Security ◽

Security Requirements ◽

Software Systems ◽

Small Organizations ◽

Pos Tagging ◽

Part Of Speech ◽

Security Requirements Engineering ◽

Development Processes

While software security has become an expectation, stakeholders often have difficulty expressing such expectations. Elaborate (and expensive) frameworks to identify, analyze, validate and incorporate security requirements for large software systems (and organizations) have been proposed, however, small organizations working within short development lifecycles and minimal resources cannot justify such frameworks and often need a light and practical approach to security requirements engineering that can be easily integrated into their existing development processes. This work presents an approach for eliciting, analyzing, prioritizing and developing security requirements which can be integrated into existing software development lifecycles for small organizations. The approach is based on identifying candidate security goals using part of speech (POS) tagging, categorizing security goals based on canonical security definitions, and understanding the stakeholder goals to develop preliminary security requirements and to prioritize them. It uses a case study to validate the feasibility and effectiveness of the proposed approach.

Download Full-text

Toward an Integrative Model of Application-Software Security

Practicing Software Engineering in the 21st Century ◽

10.4018/978-1-93177-750-6.ch011 ◽

2003 ◽

pp. 157-163

Author(s):

Vijay V. Raghavan

Keyword(s):

Software Security ◽

Social Engineering ◽

Systems Development ◽

System Level ◽

Integrative Model ◽

Software Systems ◽

Execution Monitoring ◽

Systems Security ◽

Least Privilege ◽

Implementation Stages

Populist approaches to studying information systems security include architectural, infrastructure-related and system-level security. This study focuses on software security implemented and monitored during systems development and implementation stages. Moving away from the past checklist methods of studying software security, this study provides a model that could be used in categorizing checklists into meaningful clusters. Many constructs, such as principle of least privilege, execution monitoring, social engineering and formalism and pragmatism in security implementations, are identified in the model. The identification of useful constructs to study can form the basis of evaluating security in software systems as well as provide guidelines of implementing security in new systems developed.

Download Full-text

Reinforcement Learning for Generating Secure Configurations

Electronics ◽

10.3390/electronics10192392 ◽

2021 ◽

Vol 10 (19) ◽

pp. 2392

Author(s):

Shuvalaxmi Dass ◽

Akbar Siami Namin

Keyword(s):

Reinforcement Learning ◽

Software Systems ◽

Moving Target ◽

Large Set ◽

Software System ◽

Secure Software ◽

Attack Surface ◽

Diversification Techniques ◽

System Configurations ◽

Attack Surfaces

Many security problems in software systems are because of vulnerabilities caused by improper configurations. A poorly configured software system leads to a multitude of vulnerabilities that can be exploited by adversaries. The problem becomes even more serious when the architecture of the underlying system is static and the misconfiguration remains for a longer period of time, enabling adversaries to thoroughly inspect the software system under attack during the reconnaissance stage. Employing diversification techniques such as Moving Target Defense (MTD) can minimize the risk of exposing vulnerabilities. MTD is an evolving defense technique through which the attack surface of the underlying system is continuously changing. However, the effectiveness of such dynamically changing platform depends not only on the goodness of the next configuration setting with respect to minimization of attack surfaces but also the diversity of set of configurations generated. To address the problem of generating a diverse and large set of secure software and system configurations, this paper introduces an approach based on Reinforcement Learning (RL) through which an agent is trained to generate the desirable set of configurations. The paper reports the performance of the RL-based secure and diverse configurations through some case studies.

Download Full-text

Handling of Software Quality Defects in Agile Software Development

Agile Software Development Quality Assurance ◽

10.4018/978-1-59904-216-9.ch005 ◽

2011 ◽

pp. 90-113 ◽

Cited By ~ 2

Author(s):

J. Rech

Keyword(s):

Software Development ◽

Software Quality ◽

Software Maintenance ◽

Agile Software Development ◽

Agile Development ◽

Software Systems ◽

Software System ◽

History Of ◽

Effective Development ◽

Agile Software

Software quality assurance is concerned with the efficient and effective development of large, reliable, and high-quality software systems. In agile software development and maintenance, refactoring is an important phase for the continuous improvement of a software system by removing quality defects like code smells. As time is a crucial factor in agile development, not all quality defects can be removed in one refactoring phase (especially in one iteration). Documentation of quality defects that are found during automated or manual discovery activities (e.g., pair programming) is necessary to avoid wasting time by rediscovering them in later phases. Unfortunately, the documentation and handling of existing quality defects and refactoring activities is a common problem in software maintenance. To recall the rationales why changes were carried out, information has to be extracted from either proprietary documentations or software versioning systems. In this chapter, we describe a process for the recurring and sustainable discovery, handling, and treatment of quality defects in software systems. An annotation language is presented that is used to store information about quality defects found in source code and that represents the defect and treatment history of a part of a software system. The process and annotation language can not only be used to support quality defect discovery processes, but is also applicable in testing and inspection processes.

Download Full-text

Open Source Software Development Model

Encyclopedia of Information Science and Technology, First Edition ◽

10.4018/978-1-59140-553-5.ch391 ◽

2005 ◽

pp. 2221-2224 ◽

Cited By ~ 1

Author(s):

Luyin Zhao ◽

Fadi P. Deek

Keyword(s):

Software Development ◽

Open Source ◽

Open Source Software ◽

Free Software ◽

Development Model ◽

Software Systems ◽

Software System ◽

Software Development Model ◽

Hacker Culture ◽

Free Software Foundation

The open source movement can be traced back to the hacker culture in the ’60s and ’70s. In the early 1980s, the tenet of free software for sharing was explicitly raised by Richard Stallman, who was working on developing software systems and invited others to share, contribute, and give back to the community of cooperative hackers. Stallman, together with other volunteers, established the Free Software Foundation to host GNU (Gnu’s Not Unix, a set of UNIX-compatible software system). Eric Raymond, Stallman’s collaborator, is the primary founder of the Open Source Initiative. Both communities are considered the principal drivers of open source movement.

Download Full-text

A Survey on Secure Software Development Lifecycles

Software Design and Development ◽

10.4018/978-1-4666-4301-7.ch002 ◽

2014 ◽

pp. 17-33

Author(s):

José Fonseca ◽

Marco Vieira

Keyword(s):

Software Development ◽

Software Security ◽

Software Products ◽

Development Lifecycle ◽

Software Product ◽

Secure Software ◽

Secure Software Development ◽

Software Development Practices ◽

Complete Solutions ◽

The Web

This chapter presents a survey on the most relevant software development practices that are used nowadays to build software products for the web, with security built in. It starts by presenting three of the most relevant Secure Software Development Lifecycles, which are complete solutions that can be adopted by development companies: the CLASP, the Microsoft Secure Development Lifecycle, and the Software Security Touchpoints. However it is not always feasible to change ongoing projects or replace the methodology in place. So, this chapter also discusses other relevant initiatives that can be integrated into existing development practices, which can be used to build and maintain safer software products: the OpenSAMM, the BSIMM, the SAFECode, and the Securosis. The main features of these security development proposals are also compared according to their highlights and the goals of the target software product.

Download Full-text

Computational Statistics of Data Science for Secured Software Engineering

Methodologies and Applications of Computational Statistics for Machine Intelligence - Advances in Systems Analysis, Software Engineering, and High Performance Computing ◽

10.4018/978-1-7998-7701-1.ch005 ◽

2021 ◽

pp. 81-96

Author(s):

Raghavendra Rao Althar ◽

Debabrata Samanta

Keyword(s):

Software Engineering ◽

Software Development ◽

Language Processing ◽

Data Science ◽

Systems Development ◽

Data Sources ◽

Software Systems ◽

Computational Statistics ◽

Critical Dimensions ◽

Work Done

The chapter focuses on exploring the work done for applying data science for software engineering, focusing on secured software systems development. With requirements management being the first stage of the life cycle, all the approaches that can help security mindset right at the beginning are explored. By exploring the work done in this area, various key themes of security and its data sources are explored, which will mark the setup of base for advanced exploration of the better approaches to make software systems mature. Based on the assessments of some of the work done in this area, possible prospects are explored. This exploration also helps to emphasize the key challenges that are causing trouble for the software development community. The work also explores the possible collaboration across machine learning, deep learning, and natural language processing approaches. The work helps to throw light on critical dimensions of software development where security plays a key role.

Download Full-text