Abstract

Based on the calculated cost of a lost record, Yahoo, which “lost” 3 billion records, would be in debt for 450 BILLION DOLLARS. What drives organizations to seek better methods to protect data? The cost of losing data can be high, and it will get higher. Large organizations are able to withstand the malware onslaught; small and mid-size companies have a 50-50 chance of remaining in business. To reduce the damage caused by malware, organizations are investing in technology and research. Current research in supervised machine learning is promising. Small and mid-sized companies do not have security professionals to maintain and monitor them. Another area of research is “Honeypots” and “Red Flags”. These techniques may work in espionage, but “white hat testers” demonstrate that these traps are recognized and avoided. Organizations guilty of a data breach, even with clear evidence of negligence, are seldom prosecuted. It is very rare that civil or criminal charges are brought against those negligent in making reasonable efforts. Can the current environment change? New technologies will eventually be available for small and mid-sized organizations. Laws are changing to make senior management culpable for negligence in protecting sensitive data. Organizations need another way to protect against a data breach. An alternate, and easier, strategy for fighting malware is to write software that is more difficult to hack. This research identifies how current software practices, lessons learned from malware software, and a novel method to identify critical code can reduce successful malware attacks. The objective of the research is to search for and identify critical sections in code that should be modified to reduce vulnerabilities. The critical application logic is identified and alternate designs are implemented, making that logic more difficult for the malware author to locate and modify. This research examines processes that are easy to learn and apply.
The work is applicable to all organizations, but the existing focus is on helping small and mid-sized organizations. A goal is to reduce the complexity of designing more secure software. The primary considerations are that there are only small additional burdens on software designers and that management sees business value in supporting and requiring more secure software. Because small and mid-sized organizations are more tightly integrated into the supply chain, it is in the interest of large organizations, government agencies and the public that these small and mid-sized organizations create more secure software. With an increasing shortage of cyber security professionals, the short-term alternative is to better train software developers to design more secure software.
