There are two distinct ways you can build security into your software:
Or, as Gary McGraw just wrote, in much better words:
Unfortunately, the concept of "anticipating attacks" seems to be quite alien to the average developer; you can recognize this when the response to a threat scenario is "but why would someone do that?".
It also seems to be hard to teach. There is a new effort that I think has lots of promise: the IEEE Center for Secure Design tries to tackle the problem from the design angle. This is their mission statement:
The IEEE Computer Society's CSD will gather software security expertise from industry, academia and government. The CSD provides guidance on:
- Recognizing software system designs that are likely vulnerable to compromise.
- Designing and building software systems with strong, identifiable security properties.
The CSD is part of the IEEE Computer Society's larger cybersecurity initiative, launched in 2014.
If you're interested in the topic, I would encourage you to read their document. It tries to explain the most common design flaws that lead to vulnerabilities. Every security architect in your team should have read (and understood) those, ideally:
These are the topics explained in more detail in the PDF (click on the image to read it):