Abstract

In this paper, we present the results of an inquiry into security vulnerabilities in software, aiming also to contribute to a critical reflection about Software Engineering and, as a consequence, about Systems Engineering as well. Data were gathered from a sample of security analyses performed between January 2013 and June 2018 with the aid of penetration tests (pentests) by a cyberintelligence company that operates in a dozen countries (Tempest Security Intelligence). This sample was analyzed from both a quantitative and a qualitative perspective. The results in the sample suggest that: a) security vulnerabilities in software are found in all three layers of an information system (infrastructure, communications and application); b) a given vulnerability may appear more than once in a system, resulting in multiple points of vulnerability; c) the number of points of vulnerability found in the period is huge (23721 points of vulnerability in 1046 security analyses done with pentests); d) although absolute numbers indicate discrepancies in the distribution of points of security vulnerability among systems from different economic segments (Traditional Commerce, E-commerce, Industry, Energy, Finances, Services and others), normalized data reveal the opposite; e) there is no large difference in the normalized quantities of points of vulnerability found across the economic segments considered, even though Energy and Industry stand out by this criterion; f) the absolute numbers of points of vulnerability were elevated in Finances because, as a consequence of a natural concern in this segment, more pentests were done in it; g) the more pentests are done, the more points of vulnerability are identified; h) in the application layer (web applications), the top 9 vulnerabilities found according to their severity and frequency are Cross-Site Scripting (XSS), Failures in Access Control, Failures in Authentication, Sensitive Data Exposure, Failures in Session Management, Remote Script Inclusion, Missing HTTPS, SQL Injection and Failure in the Upload Mechanism; i) the picture drawn by the data on vulnerabilities in applications is compatible with the OWASP Top 10 Application Security Risks; j) the amount of security vulnerabilities and the insecurity of software are independent of niche, being probably linked to the Engineering involved in the construction of information systems; k) considering the 23721 points of security vulnerability identified in this study and, consequently, the evident failure in the development of the software analyzed, it may be inappropriate to say that there is, today, a "Software Engineering"; l) even though, since the term "Software Engineering" was first used (1968), development methods have been created, new languages have been conceived and new paradigms have emerged, there is, in fact, no real Engineering related to software; m) if isolated efforts have not resulted in a mature new Engineering, the key to a change may involve integrating and reuniting efforts, as well as thinking globally rather than about isolated disciplines in Computer Science; after all, Science is simply one.
