Secure Software Design and Development (CSOL 560)
Introduction
Over the past couple of decades, the exponential increase in modularity and complexity of software functions has introduced many gaps and holes in software design and implementation. According to
- Understand the requirements completely and address weaknesses early on
  o It is vital to understand the needs entirely before starting the design process. Ensure that all requested functionality is delivered, nothing more and nothing less. With that said, the design phase can address and eliminate both the obvious and the not so glaring security weaknesses within each requirement.
- Enforce coding standards
  o Most complex projects require multiple teams, and possibly external partners and vendors, to complete the implementation. Implementing, enforcing, and using a coding standard improves security by ensuring that code written by any developer is consistent, readable, auditable, efficient, and maintainable.
- Peer source code review
  o Peers shall review source code before it is submitted, to identify any code errors and security mistakes. A team of highly trained security experts should conduct the code review, looking for errors that cause memory leaks, access violations, arithmetic errors, and array and string overruns.
- End-to-end quality assurance and security testing
  o From unit testing of the source code to fully integrated systems testing, ensure all required functions are implemented and no unexpected features are introduced during development. Perform multiple kinds of security testing, including but not limited to DoS (denial of service), penetration, software, and systems exploits, to name a few.
- Implement error handling systems - error traceability
  o All errors, software and system errors alike, must be traceable and handled gracefully. The error system logs each error and allows traceability to determine the root cause and enable fixes. Any security issues should also "bubble" up through the error processing system and provide a critical alert to security engineers.
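The error-traceability item above describes a mechanism without showing one. As an added example, not part of the original page or the course material, the Python sketch below implements the three properties it names: every error carries a trace id, the logged record keeps the full cause chain so the root cause can be recovered, and errors of a security class are escalated to a critical alert channel in addition to being logged. The class and function names (TraceableError, SecurityError, AlertSink, handle_error, login) and the constructed trace id are assumptions for illustration.

```python
"""Error handling with traceability and security escalation (added example)."""
import logging
import traceback
import uuid
from dataclasses import dataclass, field
from typing import List, Optional


class TraceableError(Exception):
    """Base application error: carries a trace id so every log line and alert
    for one failure can be correlated back to its root cause."""

    def __init__(self, message: str, trace_id: Optional[str] = None):
        super().__init__(message)
        self.trace_id = trace_id or uuid.uuid4().hex


class SecurityError(TraceableError):
    """Errors of this class must bubble up to security engineers, not just the log."""


@dataclass
class Alert:
    trace_id: str
    message: str
    chain: List[str]


@dataclass
class AlertSink:
    """Stand-in (assumed) for a paging/SIEM integration: collects critical alerts."""
    alerts: List[Alert] = field(default_factory=list)

    def critical(self, alert: Alert) -> None:
        self.alerts.append(alert)


logger = logging.getLogger("app.errors")


def cause_chain(exc: BaseException) -> List[str]:
    """Walk `raise ... from ...` links (and implicit context) so the record
    holds the root cause, not only the outermost exception."""
    chain, seen = [], set()
    cur: Optional[BaseException] = exc
    while cur is not None and id(cur) not in seen:
        seen.add(id(cur))
        chain.append(f"{type(cur).__name__}: {cur}")
        cur = cur.__cause__ or cur.__context__
    return chain


def handle_error(exc: BaseException, sink: AlertSink) -> dict:
    """Central handler: log every error with its trace id and cause chain,
    escalate security errors to the alert sink, and return the record."""
    trace_id = getattr(exc, "trace_id", None) or uuid.uuid4().hex
    chain = cause_chain(exc)
    record = {
        "trace_id": trace_id,
        "error": type(exc).__name__,
        "root_cause": chain[-1],
        "chain": chain,
        "escalated": False,
        "stack": "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)),
    }
    logger.error("trace_id=%s error=%s root_cause=%s",
                 trace_id, record["error"], record["root_cause"])
    if isinstance(exc, SecurityError):
        # Security issues bubble up: a critical alert in addition to the log entry.
        sink.critical(Alert(trace_id, str(exc), chain))
        record["escalated"] = True
        logger.critical("trace_id=%s SECURITY ALERT: %s", trace_id, exc)
    return record


def verify_token(token: str) -> None:
    """Constructed low-level check standing in for a real token validator."""
    if token != "valid":
        raise ValueError("token signature mismatch")


def login(token: str, sink: AlertSink) -> dict:
    """Service entry point: wraps the low-level failure in a SecurityError that
    keeps the original exception as its cause, then hands it to the handler."""
    try:
        verify_token(token)
        return {"ok": True}
    except ValueError as e:
        err = SecurityError("authentication failure", trace_id="trace-demo-0001")  # constructed id
        err.__cause__ = e  # preserve root cause for traceability
        return handle_error(err, sink)


if __name__ == "__main__":
    sink = AlertSink()
    print(login("bad", sink)["chain"], len(sink.alerts))
```

Routing all failures through one handler is what makes the traceability property hold: callers never swallow an exception silently, and the decision of what is critical enough to page someone lives in the exception class rather than in each call site.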
I think the above safety and security best practices are both competing and complementary to the requirements. They add complexity, time, and cost but also ensure functional efficiency, scalability, accuracy, and, most importantly, security.
Coursework Reflections
Everything we interact with today has connective technology built in. While connectivity gives us convenience and improves our quality of life, it also brings new challenges. When technology is not implemented correctly, it allows malicious actors to take advantage of us and our safety. Traditional software development life cycle (SDLC) models, such as Agile, Waterfall, Iterative and Incremental, and Spiral, are inadequate for delivering today's related software and products. Every product and device relies on connectivity over the public internet, exposing it to vast security holes ripped by malicious actors. With the proliferation of cyber attacks over the last decades, companies large and small are doing everything they can to close the security gaps by adopting security first appropriate to software development and creating an SSDLC (Secure Software Development Life Cycle). I believe every organization has the moral and ethical duty to ensure that every product is secure and safe for the public. The permeation of software into every aspect of our lives makes it impossible to avoid. Software has transcended from a technical process into the realm of social morality. Therefore, the consequences are on a massive scale across the whole of society. The security of that software is not a technical question but a moral one, and companies need to treat it that way (Wysopal, 2018).
References:
Wysopal, C. (2018). The ethics of creating secure software. CSO Online. Retrieved from https://www.csoonline.com/article/3304300/the-ethics-of-creating-secure-software.html
Axelrod, C. W. Engineering Safe and Secure Software Systems (Artech House Information Security and Privacy). Artech House. Kindle Edition.