secure software
Recently Published Documents


Total documents: 451 (five years: 123)
H-index: 17 (five years: 2)

2022, pp. 2050-2064
Author(s): Nana Assyne

Software growth has been explosive as people depend heavily on software on a daily basis. Software development is a human-intensive effort, and developers' competence in software security is essential for secure software development. In addition, ubiquitous computing provides an added complexity to software security. Studies have treated security competences of software developers as a subsidiary of security engineers' competence instead of software engineers' competence, limiting the full knowledge of the security competences of software developers. This presents a crucial challenge for developers, educators, and users to maintain developers' competences in security. As a first step in pushing for the developers' security competence studies, this chapter utilises a literature review to identify the security competences of software developers. Thirteen security competences of software developers were identified and mapped to the common body of knowledge for information security professional framework. Lastly, the implications for, with, and without the competences are analysed and presented.


2022, pp. 2026-2048
Author(s): Tosin Daniel Oyetoyan, Martin Gilje Gilje Jaatun, Daniela Soares Cruzes

Software security does not emerge fully formed by divine intervention in deserving software development organizations; it requires that developers have the required theoretical background and practical skills to enable them to write secure software, and that the software security activities are actually performed, not just documented procedures that sit gathering dust on a shelf. In this chapter, the authors present a survey instrument that can be used to investigate software security usage, competence, and training needs in agile organizations. They present results of using this instrument in two organizations. They find that regardless of cost or benefit, skill drives the kind of activities that are performed, and secure design may be the most important training need.


2021, Vol 2021, pp. 1-19
Author(s): Raghavendra Rao Althar, Debabrata Samanta, Manjit Kaur, Abeer Ali Alnuaim, Nouf Aljaffan, ...

Security of the software system is a prime focus area for software development teams. This paper explores some data science methods to build a knowledge management system that can assist the software development team to ensure a secure software system is being developed. Various approaches in this context are explored using data of insurance domain-based software development. These approaches will facilitate an easy understanding of the practical challenges associated with actual-world implementation. This paper also discusses the capabilities of language modeling and its role in the knowledge system. The source code is modeled to build a deep software security analysis model. The proposed model can help software engineers build secure software by assessing the software security during software development time. Extensive experiments show that the proposed models can efficiently explore the software language modeling capabilities to classify software systems’ security vulnerabilities.


YMER Digital, 2021, Vol 20 (12), pp. 589-598
Author(s): Mr. Bhushan M Manjre, Dr. Krishan Kumar Goyal

Mobile forensics is nowadays becoming increasingly challenging, as it is a field of science that is continuously evolving with respect to the rapidly developing technologies and techniques for the extraction of mobile data and its decoding. The majority of crimes are being committed digitally, and criminals especially prefer mobile handsets to laptop or desktop machines, leaving footprints behind which could be evidence against them. Mobile handsets, along with their software applications, are getting more advanced and sophisticated, mainly due to advances in cloud computing, where clouds are used to store data; anti-forensics, where efforts are made to defeat forensic procedures; and encryption, which is used to secure the data during transit. But when compared with the pace of development in mobile hardware and software, forensic tools and techniques are growing very slowly. Hence the contemporary forensic tools and methodologies are becoming increasingly obsolete, which calls for advanced forensic tools and methods that can meet the needs of today's mobile forensics. This work therefore presents a detailed survey of the contemporary challenges faced by forensic experts with the current forensic tools and their methodologies, and also the need, scope and opportunities associated with a novel and secure software framework that can address the majority of issues occurring during extraction and decoding of mobile artifacts.


2021
Author(s): Zhongwei Teng, Jacob Tate, William Nock, Carlos Olea, Jules White

Checklists have been used to increase safety in aviation and help prevent mistakes in surgeries. However, despite the success of checklists in many domains, checklists have not been universally successful in improving safety. A large volume of checklists is being published online for helping software developers produce more secure code and avoid mistakes that lead to cyber-security vulnerabilities. It is not clear if these secure development checklists are an effective method of teaching developers to avoid cyber-security mistakes and reducing coding errors that introduce vulnerabilities. This paper presents in-process research looking at the secure coding checklists available online, how they map to well-known checklist formats investigated in prior human factors research, and unique pitfalls that some secure development checklists exhibit related to decidability, abstraction, and reuse.


2021
Author(s): Jahangir Abbas Mohammed

This paper proposes a secure two-factor authentication (TFA) system that relies on a password and a crypto-capable device. In cases like a compromise of communication lines, server or device vulnerabilities, and offline and online attacks on user passwords, the approach provides the highest feasible security bounds given the collection of compromised components. Using either SAS Message Authentication or any PIN-based Authentication, the suggested approach constructs a TFA scheme. The paper also proposes a secure software architecture for implementing an enhanced public key cryptography system for mobile applications and an efficient implementation of this modular structure that can use any password-based client-server authentication method without relying on risky single-layer password authentication architecture.



Author(s): Monzir Babiker Mohamed, Olasunkanmi Matthew Alofe, Muhammad Ajmal Azad, Harjinder Singh Lallie, Kaniz Fatema, ...

2021, pp. 104351
Author(s): Irune Agirre, Irune Yarza, Imanol Mugarza, Jacopo Binchi, Peio Onaindia, ...
