Secure software engineering: Learning from the past to address future challenges

Information Security Journal

Volumn 18, Issue 1, 2009, Pages 8-25

  Hein, Daniel ^a   Saiedian, Hossein ^b  

^a Garmin International Inc   (United States)

^b UNIVERSITY OF KANSAS   (United States)

Author keywords

Metrics for software security; Secure software systems engineering; Security threats; Software security vulnerabilities

Indexed keywords

EID: 85009069580     PISSN: 19393555     EISSN: 19393547     Source Type: Journal    
DOI: 10.1080/19393550802623206     Document Type: Article

References (56)

1. Ahmad, D. (2007). The contemporary software security landscape. IEEE Security and Privacy, 5(3), 75-77.
2. Ihazmi, O., Malaiya, Y., and Ray, I. (2005, August). Security vulnerabilities in software systems: A quantitative perspective. Data and Applications Security XIX, 3654, 281-294.
3. Anderson, R. (2001). Why information security is hard—An economic perspective. In 17th Annual Computer Security Applications Conference (ACSAC'01), pages 358-365, Los Alamitos, CA.
4. Anderson, R. (2002). Security in open versus closed systems — The dance of Boltzmann, Coase and Moore. Technical report, Cambridge University, England.
5. Avizienis, A., Laprie, J.-C., Randell, B., and Landwehr, C. (2004). Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions Dependable and Secure Computing, 1(1), 11-33.
6. Barnum, S. and Sethi, A. (2006). Introduction to attack patterns. US-CERT: Build security in Web site. Citigal. Available at https://buildsecu rityin. us-cert.gov/daisy/bsi/articles/knowledge/attack/585.html
7. Bellovin, S. S. (2006). On the brittleness of software and the infeasibility of security metrics. IEEE Security and Privacy, 4(4), 96.
8. Beznosov, K. and Kruchten, P. (2004). Towards agile security assurance. In NSPW '04: Proceedings of the 2004 workshop on New security paradigms, pages 47-54, New York: ACM Press.
9. Boehmand, B. W. and Basili, V. R. (2001). Software defect reduction top 10 list. IEEE Computer, 34(1), 135-137.
10. Buyens, K., De Win, B., and Joosen, W. (2007). Empirical and statistical analysis of risk analysis-driven techniques for threat management. In The Second International Conference on Availability, Reliability and Security (ARES'07), pages 1034-1041, Los Alamitos, CA. IEEE Computer Society.
11. MITRE Corporation. (2007, September). About CWE. Technical report. Available at http://cwe.mitre.org/about/index.html
12. MITRE Corporation. (2007). CWE List (Draft 7). Technical report. Available at http://cwe.mitre.org/data/index.html
13. Geer, D., Hoo, K.-S., and Jaquith, A. (2003). Information security: Why the future belongs to the quants. IEEE Security and Privacy, 1(4), 24-32.
14. Davis, N., Humphrey, W., Redwine, S. T., Jr., Zibulski, G., and McGraw, G. (2004). Processes for producing secure software: Summary of us national cyber-security summit subgroup report. IEEE Security and Privacy, 2(3), 18-25.
15. Essafi, M., Labed, L., and Ghezala, H. B. (2006). ASASI: An environment for addressing software application security issues. In International Conference on Systems and Networks Communications, p. 19, Los Alamitos, CA. IEEE Computer Society.
16. Firesmith, D. G. (2007). Engineering safety and security related requirements for software intensive systems. In 29th International Conference on Software Engineering (ICSE'07Companion), p. 169, Los Alamitos, CA. IEEE Computer Society.
17. Garcia, A. and Horowitz, B. (2007, February). The potential for underinvestment in Internet security: Implications for regulatory policy. Journal of Regulatory Economics, 31(1), 37-55.
18. Gregoire, J., Buyens, K., De Win, B., Scandariato, R., and Joosen, W. (2007). On the secure software development process: CLASP and SDL compared. In SESS'07: Proceedings of the Third International Workshop on Software Engineering for Secure Systems, p. 1, Washington, DC, IEEE Computer Society.
19. Hoglund, G. and McGraw, G. (2002). Point/counterpoint. IEEE Software, 19(6), 56-59.
20. Hoglund, G. and McGraw, G. (2004). Exploiting software: How to break code. Boston, MA: Addison-Wesley, pp. 1-23, 37-70.
21. Hoo, K.-S., Sudbury, A. W., and Jaquith, A. R. (2001, Fourth Quarter). Tangible ROI through secure software engineering. Secure Business Quarterly, 1(2).
22. Howard, M., LeBlanc, D., and Viega, J. (2005). 19 deadly sins of software security. New York: McGraw-Hill/Osborne.
23. Jones, J. R. (2007). Estimating software vulnerabilities. IEEE Security and Privacy, 5(4), 28-32.
24. Krsul, I. V. (1998, May). Software vulnerability analysis. PhD thesis, Purdue University, West Lafayette, IN.
25. Landwehr, C. E., Bull, A. R., McDermott, J. P., and Choi, W. S. (1994). A taxonomy of computer program security flaws. ACM Computing Surveys, 26(3), 211-254.
26. Leavitt, N. (2005). Will proposed standards make mobile phones more secure? Computer, 38(12), 20-22.
27. Manadhata, P. and Wing, J. M. (2005, July). An attack surface metric. Technical Report CMU-CS-05-1 55, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA.
28. Martin, R. A. and Barnum, S. (2008). A status update: The common weaknesses enumeration. Technical report, MITRE Corporation. Available at http://cwe.mitre.org/documents/cwe_update.pdf
29. Martin, R. A., Christey, S. M., and Jarzombek, J. (2005, November). The case for common flaw enumeration. NIST Workshop on Software Security Assurance Tools, Techniques, and Metrics.
30. McGraw, G. (1999). Software assurance for security. Computer, 32(4), 103-105.
31. McGraw, G. (2003). From the ground up: The DIMACS software security workshop. IEEE Security and Privacy, 1(2), 59-66.
32. McGraw, G. (2004). Software security. IEEE Security and Privacy, 2(2), 80-83.
33. McGraw, G. (2006). Software security: Building security. In: Addison- Wesley Software Security Series. Upper Saddle River, NJ: Addison- Wesley, pp.13-37, 277-298.
34. McGraw, G. and Potter, B. (2004). Software security testing. IEEE Security and Privacy, 2(5), 81-85.
35. Nichols, E. A. and Peterson, G. (2007). A metrics framework to drive application security improvement. IEEE Security and Privacy, 5(2), 88-91.
36. NIST. National Vulnerability Database (NVD). (2007). Technical report, National Institute of Standards and Technology. Retrieved January 12, 2009 from http://nvd.nist. gov/statistics.cfm
37. OWASP - The Open Web Application Security Project. (2007). OWASP top ten: The ten most critical Web application security vulnerabilities, 2007 update edition.
38. Panko, R. R. (2003). Corporate computer and network security. Upper Saddle River, NJ: Prentice Hall, pp. 324-330.
39. Peine, H. (2005). Rules of thumb for secure software engineering. In: ICSE'05: Proceedings of the 27th International Conference on Software Engineering. ACM Press: New York, pp. 702-703.
40. Popek, G. P. and Kline, C. S. (1979). Encryption and secure computer networks. ACM Computing Surveys, 11(4), 331-356.
41. Common Criteria Portal. CC-Common Criteria. (2007). Technical report. Available at http://www.commoncriteriaportal.org/public/developer/ index.php?menu=2
42. Sachitano, A., Chapman, R. O., and Hamilton, J. A. (2004). Security in software architecture: A case study. In: Information Assurance Workshop, Proceedings of the Fifth Annual IEEE SMC, June, pages 370-376.
43. Schneidewind, N. F. (2002). Body of knowledge for software quality measurement. Computer, 35(2), 77-83.
44. Sindre, G., and Opdahl, A. L. (2005, January). Eliciting security requirements with misuse cases. Requirements Engineering, 10(1), 34-44.
45. Kim, Y., Park, G., Kim, T., and Lee, S. (2007). Security evaluation for information assurance. In: The 2007 International Conference on Computational Science and its Applications, pp 227-230, Los Alamitos, CA, IEEE Computer Society.
46. Tsipenyuk, K., Chess, B., and McGraw, G. (2005). Seven pernicious kingdoms: A taxonomy of software security errors. IEEE Security and Privacy, 3(6), 81-84.
47. US-CERT. US-CERT Vulnerability Notes Database. (2007). Technical report, US-CERT: United States Computer Emergency Readiness Team. Retrieved January 12, 2009 from http://www.kb.cert.org/vuls/
48. van Wyk, K. R. and McGraw, G. (2005). Bridging the gap between software development and information security. IEEE Security and Privacy, 3(5), 75-79.
49. van Wyk, K. R. and Steven, J. (2006). Essential factors for successful software security awareness training. IEEE Security and Privacy, 4(5), 80-83.
50. Verdon, D. and McGraw, G. (2004). Risk analysis in software design. IEEE Security and Privacy, 2(4), 79-84.
51. Viega, J., Bloch, J. T., Kohno, T., and McGraw, G. (2002). Token-based scanning of source code for security problems. ACM Transactions on Information Systems Security, 5(3), 238-261.
52. Viega, J., Bloch, J. T., Kohno, T., and McGraw, G. (2000). ITS4: A static vulnerability scanner for C and C++ code. Technical report, Citigal, Dulles, VA. Available at http://www.cigital.com/papers/download/ its4.pdf
53. Viega, J. and McGraw, G. (2001, September 24). Building secure software: How to avoid security problems the right way. Addison- Wesley Professional, 1st edition. pp. 1-6.
54. Wing, J. M. (2003). A call to action: Look beyond the horizon. IEEE Security and Privacy, 1(6). 62-67.
55. Xie, N., Mead, N., Chen, P., Dean, M., Lopez, L., Ojoko-Adams, D., and Osman, H. (2004). Square project: Cost/bene?t analysis framework for information security improvement projects in small companies. Technical Report (CMU/SEI-2004-TN-045, ADA431118), Software Engineering Institute, Carnegie Mellon University Pittsburgh, PA. Available at http://www.sei.cmu.edu/publications/documents/04. reports/04tn045.html
56. Zitser, M., Lippmann, R., and Leek, T. (2004). Testing static analysis tools using exploitable buffer over?ows from open source code. In: SIGSOFT '04/FSE-12: Proceedings of the 12th ACMSIGSOFT International Symposium on Foundations of Software Engineering, ACM Press, New York, pp. 97-106.