Software Needs Security, and Security Needs Software: A Scientific Overview

AdaCore Senior Software Engineer Yannick Moy provides a scientific overview of software security.

Software needs security. That's a consequence of using software to control critical systems. It's difficult because software is inherently a complex artifact, even when the code just consists of a single sequential program in a single programming language, with well-defined inputs and outputs. Of course, actual software rarely if ever has such a simple structure.

Security needs software. That's a consequence of the complexity just mentioned. No process can ensure security at scale unless it is automated by using software itself: programming languages, verification tools, software platforms.

Every provider of software security tools will readily present the superiority of its solution. Working for a software tool vendor, I do that routinely. But software security is only as strong as its weakest link, among the many links forming the final software chain, and there are often many technical and procedural angles of attack. So it's not surprising that the technical (see the Common Weakness Enumeration) and procedural (see the Building Security In Maturity Model) solutions are based on enumerations. And as enumerations do not help with prioritization, groups focused on security have come up with various lists of top 10 or top 20 things to do.


While such approaches are good, they are insufficient to get confidence in the security of the software built. Lists of 10 or 20 things to do feel partial (they are), lists of hundreds of things-to-do feel insurmountable and paradoxically partial, too (having hundreds of things to do does not imply completeness). Such lists don't provide enough understanding of security, or to put it more formally like the Cyber Security Body Of Knowledge (CyBOK) does: "There is a long-recognised skills gap within the cyber security sector, an issue that experts agree is compounded by a fragmented and incoherent foundational knowledge for this relatively immature field."

Getting a better handle on security through better understanding is the goal of this initiative, launched in the U.K. in 2017, which has so far released four "Knowledge Areas" (KA) documents, including a Software Security KA.