Towards a Security Competence of Software Developers

Software growth has been explosive as people depend heavily on software on daily basis. Software development is a human-intensive effort, and developers' competence in software security is essential for secure software development. In addition, ubiquitous computing provides an added complexity to software security. Studies have treated security competences of software developers as a subsidiary of security engineers' competence instead of software engineers' competence, limiting the full knowledge of the security competences of software developers. This presents a crucial challenge for developers, educators, and users to maintain developers' competences in security. As a first step in pushing for the developers' security competence studies, this chapter utilises a literature review to identify the security competences of software developers. Thirteen security competences of software developers were identified and mapped to the common body of knowledge for information security professional framework. Lastly, the implications for, with, and without the competences are analysed and presented.

Checklist Usage in Secure Software Development

Checklists have been used to increase safety in aviation and help prevent mistakes in surgeries. However, despite the success of checklists in many domains, checklists have not been universally successful in improving safety. A large volume of checklists is being published online for helping software developers produce more secure code and avoid mistakes that lead to cyber-security vulnerabilities. It is not clear if these secure development checklists are an effective method of teaching developers to avoid cyber-security mistakes and reducing coding errors that introduce vulnerabilities. This paper presents in-process research looking at the secure coding checklists available online, how they map to well-known checklist formats investigated in prior human factors research, and unique pitfalls that some secure development checklists exhibit related to decidability, abstraction, and reuse.

An Approach to basic GUI-enabled CI/CD pipeline with Static Analysis tool

Automation in the software delivery process is considered best practice in secure Software development life cycle(SDLC) and DevOps Deployment of software occurs multiple times in a week, day or within a span of few minutes. Manual deployment of the code and database which comprises the desired software is not only tedious but also prone to errors. The Continuous Integration and Continuous Deployment (CI/CD) pipeline ensure that the software delivery is done in an efficient and reliable way so that the software is available for use at any instant of time. In this paper, we discuss a basic approach towards the development of a customized CI/CD pipeline with static analysis tool (SAT) integration providing greater reliability to our architecture. SAT is one of the major components of SDLC which checks the codebase for static errors that helps in identifying potential bugs and vulnerabilities. This approach is vital for smaller teams in industries having less bandwidth or in long-term academic projects. We discuss the development of a customized CI/CD pipeline in detail. Finally, a ReactJS based GUI is designed to obtain the pipeline status and SAT results.

Keamanan Sistem Perangkat Lunak dengan Secure Software Development Lifecycle

Saat ini, pengembangan perangkat lunak lebih kompleks daripada sebelumnya di mana keamanan menjadi salah satu yang paling krusial. Masalah keamanan menjadi bagian penting untuk developer perangkat lunak.Kebutuhan keamanan dalam pengembangan perangkat lunak menghasilkanpenciptaan yang disebut Secure Software Development Life Cycle (SSDLC). Paper ini menyoroti kerentanan perangkat lunak dan pendekatan untuk mengatasinya. Untuk itu akan dibahas beberapa tool keamanan seperti OWASP dan ISSAF. Tujuannya agar dapat mengetahui sejauh mana tool-tool tersebut meminimalkan kerentanan dalam pengembangan perangkat lunak.