Abstract

It has been reported in the literature that about twenty new software vulnerabilities are reported weekly. This situation has increased security awareness in the software community. Nowadays, software services are expected not only to satisfy functional requirements but also to resist malicious attacks. As demand for more trustworthy systems increases, the software industry is adjusting to security standards and practices by increasing its security assessment and testing effort. Even though there is a consensus that better software engineering means improving software quality in the early stages of software development, the various approaches proposed so far to analyze and quantitatively measure software security primarily target finished software products in their operational life. There have been few achievements on how to reduce or effectively mitigate the security risks faced by software products during the development process. In this chapter, the authors introduce a novel model-driven perspective on secure software engineering, which seamlessly integrates software security analysis with traditional software development activities. A systematic security engineering process that starts in the early stages of the software development process and spans the entire software lifecycle is presented. Fundamental software security concepts and analysis techniques are also introduced, and several illustrative examples are presented, with a focus on security requirements and risk analysis.
