Software Assurance for Security

  • Authors: Gary McGraw
  • Affiliations: -
  • Venue: Computer
  • Year: 1999

Abstract

The article discusses an approach to security analysis that we have applied successfully over the past several years (to 1999) at Reliable Software Technologies. Our approach is no magic bullet, but it offers a reasoned methodology that has proven to be useful in the trenches. Our methodology, like many useful things, is a mix of art and engineering. The idea is straightforward: design a system with security in mind, analyze the system in light of known and anticipated risks, rank the risks according to their severity, test to the risks, and cycle broken systems back through the design process. The process outlined above has one essential underlying goal: avoiding the unfortunately pervasive penetrate-and-patch approach to computer security, that is, avoiding the problem of desperately trying to come up with a fix to a problem that is being actively exploited by attackers. In simple economic terms, finding and removing bugs in a software system before its release is orders of magnitude cheaper and more effective than trying to fix systems after release.