Towards Building Secure Software Systems
Sodiya, A. S., Onashoga, S. A., Ajayi, O. B., Issues in Informing Science & Information Technology
Software security breaches are now very extremely common and a larger percentage is caused by software design defects. Since individuals and organizations now completely depend on software systems for their day-to-day operations, it is then important to produce secure software products. This paper discusses the problems of producing secure software products and provides a model for improving software security. The model--Secure Software Development Model (SSDM), is unified model that integrates security engineering with software engineering so as to ensure effective production of secure software products. Supporting structure in form of laws is also presented to guide developers throughout the development process. We then present our experience that validates the model.
Keywords: Security breaches, Software system, Software security, Software design, Design defects
Computer software systems are increasingly faced with both internal and external penetrations. One major reason for this is the fact that software systems are still with development defects which still make them to be vulnerable. This has brought issue of security into sharp focus because organisations, including governments, depend largely on software systems for their day-today operations. The case is even more sensitive in environments where software systems are used for critical missions. This is why building secure software is gaining attention of today's business world and researchers in field of security. In addition, because customers (organizations) have experienced unfortunate security incidence, there is increase awareness and agitation for secure software products.
However, in building secure software systems, a lot has to be done. Security techniques have to be implemented in all the stages of the software engineering. Devanbu and Stubblebine (2000) stated that security concerns must inform every phase of software development, from requirements to design, implementation, testing and deployment. This is necessary because software developer might unknowingly inject defects in all stages of the development process. Microsoft found out that 50% of software security problems were caused by design flaws (McGraw, 2003). Wilander and Gustavsson (2005) reported that, in 2004, more than new security vulnerabilities were found in commercial and open source software everyday. Jones (2000) reported the software benchmark studies conducted on hundreds of software projects and stated that the average specification, design, and implementation defects content of released software varies from 1 to 7 defects per thousand lines of new and changed code produced. Commonly computer systems are hacked by exploiting software bugs. Redwine and Davis, (2004) stated that no existing processes or practices have currently shown to consistently produce secure software. If there is no adequate security, the availability, reliability and safety of the software are not guaranteed.
Consequently, software development process must be carefully engineered and integrated with security requirements. Common development practices must change so as to produce software with few or no security weaknesses. The ultimate challenge for software engineers is then to develop software systems with desired quality, within the reasonable time and budget, and the software must be secure. Wilander and Gustavsson (2005) stated that to build more secure software, accurate and consistent security requirements must be specified. It is therefore important to continue to seek for ways of improving security of software systems. In this paper, we discuss the technical issues of software security and provided the model and support for improving software security.
The rest of this paper is organized as follows. The next section presents review of existing literature in software security. Software security issues are presented after that, followed by a discussion of the architecture for improving security of software systems. …