
Software Security

Introduction

A computer is a functional unit that can perform substantial computations, including numerous arithmetic and logic operations, without human intervention [1]. A computer consists of hardware and software.

Hardware refers to the physical components that can be seen and touched (e.g., hard drive, mouse, keyboard, etc.).

Software (i.e., a computer program) is a combination of instructions and data definitions that enable a computer to perform computational or control functions (i.e., arithmetic and logic operations without human intervention). Software can also include procedures and, possibly, associated documentation and data pertaining to the operation of a computer system [1]. Software can be categorized according to what it is designed to accomplish. There are two main types: Systems Software and Application Software. Systems Software is designed to manage the computer itself (e.g., the operating system). Application Software is designed to help users perform particular tasks or handle particular types of problems, as distinct from systems software [1]. Figure 1 illustrates three examples of common computers and related software. More examples of the computers that surround us in daily life (in particular, embedded systems) can be found in my dedicated article Embedded Systems Security.

Figure 1 – Examples of Computers and Software

Software shall be secure, which means that it must be capable of protecting information and data so that unauthorized persons or systems cannot read or modify them, and authorized persons or systems are not denied access to them [2]. We can then define Software Security as the collection of all activities carried out on the software to make it secure; in other words, to provide the software with the ability to protect the information and data it manages from accidental or malicious access, use, modification, destruction or disclosure [1].

Software is exposed to threats, where a threat is any circumstance or event with the potential to adversely impact the information managed by the software through unauthorized access, destruction, disclosure or modification of data, and/or denial of service. Depending on how it is designed and implemented, the software may have weaknesses (i.e., Software Vulnerabilities), and a threat may exploit these weaknesses to use, modify, destroy or disclose the information that the software manages [3]. To prevent their exploitation, software vulnerabilities should be detected, identified, evaluated and properly treated, taking appropriate and timely action to address the associated security risks described above [4].

We are surrounded by computers (ref. Embedded Systems Security), and, as an unavoidable consequence, vulnerabilities in software can be exploited for accidental or malicious use, modification, destruction or disclosure of sensitive (e.g., employee records, facility plans, intellectual property, financial data, etc.) and protected (e.g., medical records, bank statements, credit reports, genetic data, etc.) information. This is the main reason why we need to ensure that the software is secure, as defined above.

The life cycle of the software consists of four main processes, as shown in Figure 2: Software Implementation, Software Operation, Software Maintenance, and Software Disposal. Software security shall be ensured in each of these processes by means of specific professionals, methodologies, and technologies.

Figure 2 – Software life cycle

Software Security Along With Software Implementation

Software is produced by a process called Software Implementation (also known as the Software Development Life Cycle (SDLC)) that, through coordinated activities, transforms the requirements and constraints of the specified stakeholders (e.g., users, owners, operators) into intermediate work products and, finally, into the software itself, which is shown to meet the initial requirements and constraints through verification and validation. The main activities of the software implementation process (Figure 3) are Software Requirements Analysis, Software Architectural Design, Software Detailed Design, Software Construction, Software Integration and Software Qualification Testing, with the following purposes [5]:

  • Software Requirements Analysis, to establish the requirements of the software.
  • Software Architectural Design, to provide a software design that implements and can be verified against the requirements.
  • Software Detailed Design, to provide a software design that implements and can be verified against the requirements and architecture of the software and is sufficiently detailed to allow for coding and testing.
  • Software Construction, to produce executable software units that accurately reflect the design of the software.
  • Software Integration, to combine software units and software components, to produce integrated software elements that are consistent with the software design, to demonstrate that the functional and non-functional requirements of the software are met on an equivalent or complete operating platform.
  • Software Qualification Testing, to confirm that the integrated software product satisfies its defined requirements.

There are also other support processes that we are not listing here for simplicity.

Software vulnerabilities are the result of Software Defects introduced during the software implementation process (Figure 3). Defects introduced during the Software Construction and Software Integration phases are referred to as bugs, while defects introduced during the Software Requirements Analysis, Software Architectural Design and Software Detailed Design phases are referred to as flaws [7]. The distinction matters in practice: a bug is usually fixed locally, by correcting the code that deviates from the design, whereas a flaw is in the design itself, so correctly written code cannot remove it and the design (often an interface) has to change.

Figure 3 – Software Implementation Process and Software Defects introduction

At this point, it is useful to summarize the main elements introduced so far, and the relationships between them, as shown in Figure 4.

Figure 4 – Defect, Threat, Vulnerability Relationship

During each activity of the software implementation process, and in any case before the activity ends and the next one starts, software defects (and therefore the vulnerabilities they would become) should be detected, identified, evaluated and removed.

Show Me The Money!

In the movie Jerry Maguire, Rod Tidwell asked, "Show me the money!" We're right here.

A software defect, besides potentially becoming a software vulnerability, is waste in software implementation because it "adds no value to the software product in the eyes of the customer and only adds cost and time" (Womack and Jones, 1996). For these reasons, early detection and correction of software defects during software implementation is essential both to increase the overall level of software security and to minimize the cost of software production. A defect (i.e., a potential vulnerability) introduced during the implementation process may give rise to further defects, directly or indirectly, in subsequent activities, and, if it is found only at a later stage, the software may require redesign and reconstruction. This rework cycle is costly in terms of time and resources. To truly understand the security threats to software, security needs to be addressed in the earliest stages of the software implementation process. A study by the IBM System Science Institute, as reported in [6], showed that fixing a defect introduced during the initial stages of software implementation costs about 6 times more if it is detected during software construction/integration, about 15 times more if detected during software testing, and about 100 times more if detected during software maintenance (Figure 5).

Figure 5 – IBM System Science Institute Relative Cost of Fixing Software Vulnerabilities

References

[1] ISO/IEC/IEEE 24765 Systems and software engineering — Vocabulary

[2] ISO/IEC 9126 Software engineering — Product quality

[3] National Information Assurance (IA) Glossary, Committee on National Security Systems (CNSS), 2015

[4] ISO/IEC 27002 Information technology — Security techniques — Code of practice for information security controls

[5] ISO/IEC 12207 Systems and software engineering — Software life cycle processes

[6] Integrating Software Assurance into the Software Development Life Cycle (SDLC) – Maurice Dawson, Darrell Norman Burrell, Emad Rahim, Stephen Brewster – 2010

[7] Secure Software Engineering: Learning from the Past to Address Future Challenges – Daniel Hein, Hossein Saiedian – 2009

[8] ISO/IEC/IEEE 90003 Software engineering — Guidelines for the application of ISO 9001 to computer software
