Software needs security, and security needs software: a scientific overview

AdaCore Senior Software Engineer Yannick Moy provides a scientific overview of software security.

Software needs security. That's a consequence of using software to control critical systems. It's difficult because software is inherently a complex artifact, even when the code just consists of a single sequential program in a single programming language, with well-defined inputs and outputs. Of course, actual software rarely if ever has such a simple structure.


Security needs software. That's a consequence of the complexity just mentioned. No process can ensure security at scale unless it is automated by using software itself: programming languages, verification tools, software platforms.


Every provider of software security tools will readily present the superiority of its solution. Working for a software tool vendor, I do that routinely. But software security is only as strong as its weakest link, among the many links forming the final software chain, and there are often many technical and procedural angles of attack. So it's not surprising that the technical (see the Common Weakness Enumeration) and procedural (see the Building Security In Maturity Model) solutions are based on enumerations. And as enumerations do not help with prioritization, groups focused on security have come up with various lists of top 10 or top 20 things to do.


While such approaches are good, they are insufficient to get confidence in the security of the software built. Lists of 10 or 20 things to do feel partial (they are), lists of hundreds of things-to-do feel insurmountable and paradoxically partial, too (having hundreds of things to do does not imply completeness). Such lists don't provide enough understanding of security, or to put it more formally like the Cyber Security Body Of Knowledge (CyBOK) does: "There is a long-recognised skills gap within the cyber security sector, an issue that experts agree is compounded by a fragmented and incoherent foundational knowledge for this relatively immature field."


Getting a better handle on security through better understanding is the goal of this initiative, launched in the U.K. in 2017, which has so far released four "Knowledge Areas" (KA) documents, including a Software Security KA.


Read the full article "Software security, a scientific overview" in SAE International's Cybersecurity Knowledge Hub.
