Abstract
The transfer of cybersecurity domain knowledge from security experts (‘Ethical Hackers’) to software engineers is discussed in terms of both desirability and feasibility, and possible mechanisms for that transfer are critically examined. Software engineering methodologies make no use of security domain knowledge in the form in which it is currently held, namely vulnerability databases (e.g. CWE, CVE, Exploit DB); those databases are therefore not an appropriate vehicle for the transfer. An approach based on improved use of pattern languages that encompass security domain knowledge is proposed instead.
© 2017 Springer International Publishing AG
Cite this paper
Nafees, T., Coull, N., Ferguson, R.I., Sampson, A. (2017). Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities. In: Bodden, E., Payer, M., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2017. Lecture Notes in Computer Science(), vol 10379. Springer, Cham. https://doi.org/10.1007/978-3-319-62105-0_9
Print ISBN: 978-3-319-62104-3
Online ISBN: 978-3-319-62105-0