Conference location: Chicago, Illinois
Publication date: June 18, 2006
Conference dates: June 18, 2006 - June 21, 2006
ISSN: 2153-5965
Conference group: Software Engineering Constituent Committee
Page count: 11
Page numbers: 11.792.1 - 11.792.11
DOI: 10.18260/1-2--1339
Permanent URL: https://peer.asee.org/1339
Dr. James Walden received his Ph.D. from Carnegie Mellon University in 1997. He worked at Intel Corporation as a software engineer, with a focus on security sensitive applications, before becoming a Visiting Professor of Computer Science and Engineering at the University of Toledo in 2003. He is a member of the computer science faculty at Northern Kentucky University.
Dr. Walden has taught software engineering and computer security to both undergraduate and graduate students. His research interests focus on both of those subjects and particularly their intersection: software security, the science and engineering of designing, implementing, and testing secure software systems.
Dr. Rose Shumba received her Ph.D. from Birmingham University in 1995. She is a professor in the department of computer science at Indiana University of Pennsylvania, where she teaches courses in both computer security and software engineering.
Integrating Secure Development Practices into a Software Engineering Course
Abstract
Many security incidents arise from flaws in the code or design of software systems. CERT reported over 5000 software vulnerabilities in 2005. These vulnerabilities are the result of inadequate consideration of security during the development process. However, typical software engineering courses and textbooks do not address security issues. In response to this problem, software engineering courses with an integrated coverage of security have been introduced at two universities. Information security has been integrated into every phase of the software life-cycle. Teams in both courses developed web application software, requiring them to address common web application security issues such as access control and injection flaws. Students have come out of the courses with a better appreciation of the need for software security and a basic understanding of how to develop secure software. However, finding the time required to cover software security effectively remains a considerable challenge, especially as both institutions only offer a single semester of software engineering.
Introduction
Application software has become highly interconnected as the Internet and wireless networking have grown in importance. While security flaws were previously exposed only to users sitting in front of the computer, the Internet allows attackers from around the world to exploit security vulnerabilities in networked applications. Even embedded systems like cell phones are vulnerable to remote attacks [1]. This increased exposure to attack has greatly increased the importance of software security.

CERT reported over 5000 software vulnerabilities in 2005 [2]. These flaws result from inadequate consideration of security during requirements analysis, design, implementation, and testing of software systems. This lack of consideration is often the result of security being viewed as an add-on feature. This viewpoint typically leads to the “penetrate-and-patch” methodology, where security issues are dealt with by issuing a patch after the software product has been released.

The scale of this problem results from the fact that many developers aren’t aware of the importance of security or don’t know how to build secure applications. Typical software engineering courses and textbooks pay little attention to security issues. In order to significantly reduce the number of vulnerabilities, security must be taught as part of the foundation of the development process in the software engineering curriculum.

Software engineering courses with an integrated coverage of security have been introduced at two universities. Security issues have been integrated into every phase of the software life-cycle from requirements through testing. Both approaches use a threat model to document and drive security concerns throughout the development process. Students analyze the risk of each threat documented in the threat model, then use the evaluations to design appropriate security measures such as access control and encryption. Implementation is guided by checklists and verified with code reviews. Finally, students test their systems against the threats they’ve analyzed to verify their software’s security properties.
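The process described above ends with students testing their systems against the threats in their threat model. As an added example that is not from the paper or from either course, the following Python (standard library only, using the built-in sqlite3 module) shows what such a threat-driven test looks like for the injection flaw the abstract mentions: one hypothetical threat-model entry, a login routine carrying the injection flaw, its hardened form, and a test that passes only when the threat is actually mitigated. The threat identifier, user names and passwords are constructed for the example.

```python
# Added example, not code from the paper or from either course.
# A threat-model entry, the login code carrying the injection flaw,
# its hardened form, and the threat-driven test that verifies the fix.
# Uses only the Python standard library (sqlite3) so it runs offline.
import hashlib
import hmac
import sqlite3

# Hypothetical threat-model entry (constructed for this example).
THREAT_T1 = "T1: attacker bypasses authentication by injecting SQL via the login username"


def pw_hash(password: str) -> str:
    """Unsalted SHA-256 keeps the example short; a real system would use a
    slow, salted password hash such as bcrypt or argon2."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample user table: one ordinary user and one admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", pw_hash("correct horse"), "user"),
         ("admin", pw_hash("s3cret!"), "admin")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The flaw: the username is concatenated into the SQL text, so the
    input  admin' --  comments out the password check entirely."""
    sql = ("SELECT role FROM users WHERE name = '" + username
           + "' AND pw_hash = '" + pw_hash(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username: str, password: str):
    """Parameterized query: user input travels as a bound value, never as
    SQL text, and the stored hash is compared in constant time."""
    row = conn.execute(
        "SELECT role, pw_hash FROM users WHERE name = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    role, stored = row
    if not hmac.compare_digest(stored, pw_hash(password)):
        return None
    return role


def run_threat_t1(login) -> dict:
    """Threat-driven test for T1 against a given login implementation.
    Returns the role granted in each case (None means login refused)."""
    conn = make_db()
    return {
        "legit_user": login(conn, "alice", "correct horse"),
        "wrong_password": login(conn, "alice", "wrong"),
        "injection": login(conn, "admin' --", "anything"),
    }


def t1_mitigated(login) -> bool:
    """T1 counts as mitigated only if normal logins still behave correctly
    and the injection payload is refused."""
    r = run_threat_t1(login)
    return (r["legit_user"] == "user"
            and r["wrong_password"] is None
            and r["injection"] is None)


if __name__ == "__main__":
    for name, fn in [("vulnerable", login_vulnerable), ("hardened", login_hardened)]:
        print(name, run_threat_t1(fn), "mitigated:", t1_mitigated(fn))
```

Run against `login_vulnerable`, the injection case is granted the `admin` role without a password and the threat is reported as not mitigated; against `login_hardened` the same payload is treated as a literal user name that does not exist. The point for a student team is that the test is derived from the threat-model entry rather than from the code, so it still fails if a later change reintroduces string concatenation.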
Walden, J., & Shumba, R. (2006, June), Integrating Secure Development Practices Into A Software Engineering Course Paper presented at 2006 Annual Conference & Exposition, Chicago, Illinois. 10.18260/1-2--1339
ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2006 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015