CrossTalk: The Journal of Defense Software Engineering. Volume 20, Number 3, March 2007; Journal

摘要

With all the current efforts to secure software, our nation still encounters attacks. It is estimated that 90 percent of reported security incidents result from exploits against defects in the software design or code. This is especially troubling because many of the vulnerabilities that enable these attacks can be prevented with the use of solid software engineering principles. Given that, why do we still have difficulty ensuring the integrity of software that is so key to protecting the infrastructure from threats and vulnerabilities, reducing overall risk to cyber attack. CrossTalk continues to be a forum for educating the software community on software security. We begin with Robert A. Martin's discussion of the Common Weaknesses dictionary in 'Being Explicit About Security Weaknesses.' Standards provide consolidated resources for the software community, especially developers, to glean specific techniques for developing secure software. We build on this with 'Secure Coding Standards' by James W. Moore and Robert C. Seacord and 'How a Variety of Information Assurance Methods Delivers Software Security in the United Kingdom' by Kevin Sloan and Mike Ormerod. Going beyond standards, we begin our discussion of actual practices with Idongesit Mkpong-Ruffin and Dr. David A. Umphress' article, 'High-Leverage Techniques for Software Security.' Next, 'Baking in Security During the Systems Development Life Cycle' by Kwok H. Cheng emphasizes the DHS philosophy that security must be part of the entire software development process. We conclude with Mel Crocker's insights on certifications and technological advances to enable information sharing across platforms in 'Cross-Domain Information Sharing in a Tactical Environment.'.