Enhancing the Development Life Cycle to Produce Secure Software
in CrossTalk: The Journal of Defense Software Engineering, September 2008
Over the past decades, efforts to enhance software development life cycle (SDLC) practices have been shown to improve software quality, reliability, and fault-tolerance. More recently, similar strategies to improve the security of software in organizations such as Microsoft, Oracle, and Motorola have resulted in software products with fewer vulnerabilities and greater dependability, trustworthiness, and resilience. In its mission to improve the security of software used in America’s critical infrastructure and information systems, the Department of Homeland Security’s (DHS) Software Assurance Program has sponsored the creation of the book Enhancing the Development Life Cycle to Produce Secure Software, a source of practical information intended to help developers, integrators, and testers identify and systematically apply security and assurance principles, methodologies, and techniques to current SDLC practices, and thereby increase the security of the software that results. Unlike the numerous other books on secure software development, Enhancing the Development Life Cycle does not espouse any specific methodology, process model, or development philosophy. Instead it explains the essentials of what makes software secure, and takes an unbiased look at the numerous security principles and secure development methodologies, practices, techniques, and tools that developers are finding effective for developing secure software – information that readers can leverage in defining their own SDLC security-enhancement strategies.
Security in the Software Life Cycle
in CrossTalk: The Journal of Defense Software Engineering, September 2006
Co-authors: Joe Jarzombek, Department of Homeland Security and Karen Mercedes Goertzel, Booz Allen Hamilton
As a freely downloadable reference document, “Security in the Software Life Cycle: Making Application Development Processes – and Software Produced by Them – More Secure” presents key issues in the security of software and its development processes. It introduces a number of process improvement models, risk management and development methodologies, and sound practices and supporting tools that have been reported to help reduce the vulnerabilities and exploitable defects in software and diminish the possibility that malicious logic and trap doors may be surreptitiously introduced during its development. No single practice, process, or methodology offers the universal silver bullet for software security. “Security in the Software Life Cycle” has been compiled as a reference document with practical guidance intended to tie it together and inform software practitioners of a number of practices and methodologies from which they can evaluate and selectively adopt to reshape their development processes to increase not only the security but also the quality and reliability of their software applications, services, and systems, both in development and deployment.
Software Survivability: Where Safety and Security Converge
in CrossTalk: The Journal of Defense Software Engineering, September/October 2009
As safety-critical software moves from closed environments to open and commodity technologies, security threats will inevitably increase. Organizations dependent on mission-critical systems and networks are recognizing that the traditional “protect-detect-react” (PDR) strategy for countering intrusions and attacks is ineffective. A new information assurance and cybersecurity strategy is needed that augments PDR with the ability of systems and networks to “fight through” attacks. This article examines techniques that both security- and safety-critical software developers can leverage to increase their software’s survivability.
The Uploader 2.0.4 (Eng/Ita) Remote File Upload
by Danny Moules
CVE-2011-2944; EDB-ID: 18518
This [Metasploit] module exploits various flaws in The Uploader to upload a PHP payload to target system. When run with defaults it will search possible URIs for the application and exploit it automatically. Works against both English and Italian language versions. Notably it disables pre-emptive email warnings before uploading the payload, though it leaves log cleanup as a post-exploitation task.
Application of Aspect Oriented programming to Secure Software Development
by Obi Onuorah
Information systems security continues to be the focus of a tremendous amount of research, with various security models and frameworks being developed over the years. Application architecture and source code management are also security issues because, with complex applications, it is important that security is designed into the application from the onset irrespective of the security model being implemented. Aspect Oriented Programming has been demonstrated to be a viable framework for implementing complex security models in software development. This paper provides a historical review of security models for software development and presents an illustration of how Aspect Oriented Programming can be applied to implement these security models by separating security aspects and other non-functional requirements from an application while maintaining manageable and more secure source code.
Security Testing: Automated or Manual?
One of the hottest and most discussed topics by people involved in the security testing field is this: Should security testing be based on automatic or manual methods? However, what is the truth about using these tools to detect vulnerabilities in systems, networks or applications? Can these tools help an organization obtain good security results; can they identify weaknesses in order to put in place the required measures/defences to prevent real attacks by potential intruders? Moreover, are these automated efforts enough to accomplish the objective of detecting real vulnerabilities? In this article, we will cover some aspects of web application security testing, and we will see how manual testing could be an essential element, working alongside automated testing procedures to reduce false-positives, leading to defining real vulnerabilities better, which will ultimately lead to a significant impact on the overall security of the organization in question.

