Security in Software Engineering PRESENTED BY ROHIT MUKHERJEE AND RAMAKRISHNA VEERAVALLI.



Goal
- Minimize the number of security vulnerabilities in design, implementation and documentation.
- Identify and remove vulnerabilities in the development lifecycle as early as possible!

Motivation
- The application development process, in its essence, fails to address security issues.
- Only a very small number of companies invest in application security strategy, design, and code review services.

Overview
- How much security?
- Security in SDLC
- Privacy and Protection
- Security Measurement Analysis
- Reusing quality requirements

What is Software Security?
- Protecting software against malicious attack and other hacker risks.
- Functioning correctly under such potential risks.
- Providing integrity, authentication and availability.

Continued..
"100 Times More Expensive to Fix Security Bug at Production Than Design" – IBM Systems Sciences Institute
Example:
- SQL injections can be used to bypass login credentials.
- Sometimes SQL injections fetch important information from a database or delete all important data from a database.
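The login-bypass case from this slide, as an added example that is not part of the original presentation: the same login check written with string concatenation and with bound parameters, run against a constructed in-memory table. The table layout, function names and the sample account are assumptions made for the illustration.

```python
import hashlib
import sqlite3

def digest(password):
    # Unsalted SHA-256 keeps the example short; real systems use a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    """In-memory users table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_digest TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", digest("correct horse")))
    return db

def login_vulnerable(db, name, password):
    # BAD: user input is pasted into the SQL text, so quotes and comment
    # markers in `name` become part of the statement itself.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND pw_digest = '" + digest(password) + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, name, password):
    # GOOD: the statement text is fixed; inputs are bound as values and
    # are never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pw_digest = ?"
    return db.execute(sql, (name, digest(password))).fetchone()[0] > 0

# Constructed test input: a user name carrying a quote and an SQL comment marker.
CRAFTED_NAME = "alice' --"

def demo():
    db = make_db()
    return {
        "valid_vulnerable": login_vulnerable(db, "alice", "correct horse"),
        "valid_parameterized": login_parameterized(db, "alice", "correct horse"),
        "crafted_vulnerable": login_vulnerable(db, CRAFTED_NAME, "wrong"),
        "crafted_parameterized": login_parameterized(db, CRAFTED_NAME, "wrong"),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```

The concatenated query accepts the crafted name with a wrong password because the password condition is commented out of the statement; the parameterized query treats the whole string as a user name and rejects it.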

Threats and Vulnerability
What are threats and vulnerabilities?
- A threat refers to anything that can cause serious harm to a computer system.
- A threat is something that may or may not happen, but has the potential to cause serious damage.
- A vulnerability refers to a flaw in a system that can leave it open to attack.
- A vulnerability is anything that leaves information security exposed to a threat.

How much security?
- Total security is unachievable.
- More security means higher cost and less convenience and functionality.
- Security should not irritate users. Example: forcing a password change frequently. Effect: users stop using it.
Choose the security level according to your needs.

Security in SDLC
Introduce security at every stage of software development.
- Requirement analysis
- Design
- Implementation
- Testing
- Deployment

Continued..
- All security issues must be addressed.
- Risk analysis: identifying the threats
- Design: use case diagrams for security
- Implementation: follow coding standards
- Code reviews
- Through testing: determine whether the software is secured or not

SOFTWARE PRIVACY AND PROTECTION
- Software privacy is one of the challenges in software engineering.
- Security in a software system has a significant financial impact.
- The security goals of a software system need to be satisfied by the users who use the system and by the equipment around the software.

Security Engineering Techniques
- Encryption
- Utilization of tamper-resistant hardware
- Mobile code
- Watermarking

Continued
- Each software product has a license file.
- The license file holds a product key that is used to authenticate the product.
- The software product checks the product key and the system properties before starting functional operations.
- Self-destruct approaches can be used when pirated copies of the software product are found.
- The software is stored in encrypted form on any machine and decrypted prior to execution using an independently stored key.
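One way the start-up check on the product key and system properties could look, as an added example that is not from the original presentation. The license layout, the field names and `VENDOR_KEY` are hypothetical, and an HMAC stands in for the vendor's signature to keep the block to the standard library.

```python
import hashlib
import hmac
import json

# Assumption: HMAC under a vendor key stands in for the vendor's signature.
# A shipped product would verify an asymmetric signature instead, so that no
# signing secret is present on the customer machine.
VENDOR_KEY = b"constructed-demo-key"

def fingerprint(system_props):
    """Hash the system properties the license is bound to."""
    canon = json.dumps(system_props, sort_keys=True).encode()
    return hashlib.sha256(canon).hexdigest()

def _tag(product_key, machine):
    msg = json.dumps([product_key, machine]).encode()
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()

def issue_license(product_key, system_props):
    """Vendor side: bind a product key to one machine's properties."""
    machine = fingerprint(system_props)
    return json.dumps({"product_key": product_key, "machine": machine,
                       "tag": _tag(product_key, machine)})

def check_license(license_text, system_props):
    """Product side: return (ok, reason) before any functional operation."""
    try:
        lic = json.loads(license_text)
        key, machine, tag = lic["product_key"], lic["machine"], lic["tag"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed license file"
    if not all(isinstance(v, str) for v in (key, machine, tag)):
        return False, "malformed license file"
    # Constant-time comparisons avoid leaking how many characters matched.
    if not hmac.compare_digest(tag.encode(), _tag(key, machine).encode()):
        return False, "license file was modified"
    if not hmac.compare_digest(machine.encode(),
                               fingerprint(system_props).encode()):
        return False, "license is bound to a different system"
    return True, "ok"

# Constructed sample machines.
HOST_A = {"hostname": "build-01", "mac": "02:00:00:00:00:01"}
HOST_B = {"hostname": "build-02", "mac": "02:00:00:00:00:02"}

if __name__ == "__main__":
    lic = issue_license("DEMO-0000-0000", HOST_A)
    print(check_license(lic, HOST_A))
    print(check_license(lic, HOST_B))
```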

Software Security Measurement Analysis (SSMA)
- Software assurance means the extent to which the software is free from vulnerabilities.
- SSMA addresses two questions:
  - To what extent is the software system secured to perform its operational needs?
  - To what degree has the software system achieved the intended level of security?
- 17 drivers were provided to measure security in SSMA.
- Drivers will check whether objectives or not.

[4]

SECURITY QUALITY REQUIREMENTS ENGINEERING (SQUARE)
- SQUARE involves communication between the requirements engineering team and the stakeholders.
- The requirements team carefully analyzes the requirements.
- The requirements are categorized and prioritized for management use.
- The final stage is inspection. This stage verifies whether the security requirements are consistent or not.
- By applying SQUARE, vulnerabilities, potential attacks and threats can be removed.
- The lifetime of the product will be increased.

Activity-Based Quality Model (ABQM)
- Activities describe actions that can be performed on or with the support of the system.
- Allows the efficient reuse of quality requirements.
- Efficiently support the reuse of requirements among differing volatile project environments.
- ABQM needs a notion of projects and its goals and parameters.

[2]

Conclusion
- Security must be addressed in every phase of the SDLC.
- Total security is unachievable.
- By applying SQUARE, threats can be detected at the earlier phases.
- Quality requirements can be reused by using ABQM.

References
[1] Baca, Dejan., Carlsson, Bengt., Agile development with security engineering activities, Proceeding ICSSP '11 Proceedings of the 2011 International Conference on Software and Systems Process, New York, NY, USA, , Pages
[2] Luckey, Markus., Baumann, Andrea., Méndez, Daniel., Wagner, Stefan., Reusing security requirements using an extended quality model, Proceeding SESS '10 Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems, New York, NY, USA, , Pages 1-7.
[3] M Kiran Kumar, T., A Road Map to the Software Engineering Security, Proceeding ICCEE '09 Proceedings of the 2009 Second International Conference on Computer and Electrical Engineering - Volume 02, IEEE Computer Society Washington, DC, USA, , Pages
[4] Mead, Nancy R., Measuring the Software Security Requirements Engineering Process, Proceedings Computer Software and Applications Conference Workshops (COMPSACW), 2012 IEEE 36th Annual, Izmir, Turkey, , Pages 583–588.
[5] Radack, Shirley., The System Development life cycle, Communication Research Student Conference (CRSC) on software life cycle security 2009, Federal Information Processing Standards (FIPS) and Information Technology Laboratory (ITL) Bulletins, Italy, Rome, Pages
[6] Walden, James., E Frank, Charles., Secure software engineering teaching modules, Proceeding InfoSeCD '06 Proceedings of the 3rd annual conference on information security curriculum development, New York, USA, , Pages