Sw Security
Building Security In
Editor: Gary McGraw, gem@cigital.com
Software Security
S
oftware security is the idea of engineering software so that it continues to function correctly under malicious attack. Most technologists acknowledge this undertaking’s importance, but they need some
help in understanding how to tackle it. This new department
GARY
MCG RAW
Cigital
80
aims to provide that help by exploring software security best practices.
The software security field is a relatively new one. The first books and academic classes on the topic appeared in 2001, demonstrating how recently developers, architects, and computer scientists have started systematically studying how to build secure software.
The field’s recent appearance is one reason why best practices are neither widely adopted nor obvious.
A central and critical aspect of the computer security problem is a software problem. Software defects with security ramifications—including implementation bugs such as buffer overflows and design flaws such as inconsistent error handling— promise to be with us for years. All too often, malicious intruders can hack into systems by exploiting software defects.1 Internet-enabled software applications present the most common security risk encountered today, with software’s ever-expanding complexity and extensibility adding further fuel to the fire. By any measure, security holes in software are common, and the problem is growing: CERT Coordination
Center identified 4,129 reported vulnerabilities in 2003 (a 70 percent increase over 2002, and an almost fourfold increase since 2001).2,3
Software security best practices
PUBLISHED BY THE IEEE COMPUTER SOCIETY
■
leverage good software engineering practice and involve thinking about security early in the software life cycle, knowing and understanding common threats (including language-based flaws and pitfalls), designing for security, and subjecting all software artifacts to
Editor: Gary McGraw, gem@cigital.com
Software Security
S
oftware security is the idea of engineering software so that it continues to function correctly under malicious attack. Most technologists acknowledge this undertaking’s importance, but they need some
help in understanding how to tackle it. This new department
GARY
MCG RAW
Cigital
80
aims to provide that help by exploring software security best practices.
The software security field is a relatively new one. The first books and academic classes on the topic appeared in 2001, demonstrating how recently developers, architects, and computer scientists have started systematically studying how to build secure software.
The field’s recent appearance is one reason why best practices are neither widely adopted nor obvious.
A central and critical aspect of the computer security problem is a software problem. Software defects with security ramifications—including implementation bugs such as buffer overflows and design flaws such as inconsistent error handling— promise to be with us for years. All too often, malicious intruders can hack into systems by exploiting software defects.1 Internet-enabled software applications present the most common security risk encountered today, with software’s ever-expanding complexity and extensibility adding further fuel to the fire. By any measure, security holes in software are common, and the problem is growing: CERT Coordination
Center identified 4,129 reported vulnerabilities in 2003 (a 70 percent increase over 2002, and an almost fourfold increase since 2001).2,3
Software security best practices
PUBLISHED BY THE IEEE COMPUTER SOCIETY
■
leverage good software engineering practice and involve thinking about security early in the software life cycle, knowing and understanding common threats (including language-based flaws and pitfalls), designing for security, and subjecting all software artifacts to
References: Code, Addison-Wesley, 2004. Security Workshop,” IEEE Security & Privacy, vol. 1, no. 2, 2003, pp Should Scrap Penetrate-andPatch,” IEEE Aerospace and Electronic Systems, vol. 13, no. 4, 1998, pp 5. L. Walsh, “Trustworthy Yet?” Information Security Magazine, Feb. 2003; http://infosecuritymag.techtarget. 1, 2003, pp. 57–61. Indigo. He also is coauthor of Exploiting Software (Addison-Wesley, 2004), Building Secure Software (Addison-Wesley, 2001), Java Security (John Wiley & Sons, 1996), and four other books