Software Needs Security, and Security Needs Software: A Scientific Overview
AdaCore Senior Software Engineer Yannick Moy provides a scientific overview of software security.
Software needs security. That's a consequence of using software to control critical systems. It's difficult because software is inherently a complex artifact, even when the code just consists of a single sequential program in a single programming language, with well-defined inputs and outputs. Of course, actual software rarely if ever has such a simple structure.
Security needs software. That's a consequence of the complexity just mentioned. No process can ensure security at scale unless it is automated by using software itself: programming languages, verification tools, software platforms.
Every provider of software security tools will readily present the superiority of its solution. Working for a software tool vendor, I do that routinely. But software security is only as strong as its weakest link, among the many links forming the final software chain, and there are often many technical and procedural angles of attack. So it's not surprising that the technical (see the Common Weakness Enumeration ) and procedural (see the Building Security In Maturity Model ) solutions are based on enumerations. And as enumerations do not help with prioritization, groups focused on security have come up with various lists of top 10 or top 20 things to do.
Software needs security. That's a consequence of using software to control critical systems. It's difficult because software is inherently a complex artifact, even when the code just consists of a single sequential program in a single programming language, with well-defined inputs and outputs. Of course, actual software rarely if ever has such a simple structure. Security needs software. That's a consequence of the complexity just mentioned. No process can ensure security at scale unless it is automated by using software itself: programming languages, verification tools, software platforms. Every provider of software security tools will readily present the superiority of its solution. Working for a software tool vendor, I do that routinely. But software security is only as strong as its weakest link, among the many links forming the final software chain, and there are often many technical and procedural angles of attack. So it's not surprising that the technical (see the Common Weakness Enumeration) and procedural (see the Building Security In Maturity Model) solutions are based on enumerations. And as enumerations do not help with prioritization, groups focused on security have come up with various lists of top 10 or top 20 things to do. Stock Photos from Andrey Suslov / Shutterstock While such approaches are good, they are insufficient to get confidence in the security of the software built. Lists of 10 or 20 things to do feel partial (they are), lists of hundreds of things-to-do feel insurmountable and paradoxically partial, too (having hundreds of things to do does not imply completeness). Such lists don't provide enough understanding of security, or to put it more formally like the Cyber Security Body Of Knowledge (CyBOK) does: "There is a long-recognised skills gap within the cyber security sector, an issue that experts agree is compounded by a fragmented and incoherent foundational knowledge for this relatively immature field." Getting a better handle on security through better understanding is the goal of this initiative, launched in the U.K. in 2017, which has released so far four "Knowledge Areas" (KA) documents, including a Software Security KA.
While such approaches are good, they are insufficient to get confidence in the security of the software built. Lists of 10 or 20 things to do feel partial (they are), lists of hundreds of things-to-do feel insurmountable and paradoxically partial, too (having hundreds of things to do does not imply completeness). Such lists don't provide enough understanding of security, or to put it more formally like the Cyber Security Body Of Knowledge (CyBOK) does: "There is a long-recognised skills gap within the cyber security sector, an issue that experts agree is compounded by a fragmented and incoherent foundational knowledge for this relatively immature field."
Getting a better handle on security through better understanding is the goal of this initiative, launched in the U.K. in 2017, which has released so far four "Knowledge Areas" (KA) documents, including Software Security KA.
Top Stories
INSIDERManned Systems
Turkey's KAAN Combat Aircraft Completes First Flight - Mobility Engineering...
INSIDERMaterials
FAA Expands Boeing 737 Investigation to Manufacturing and Production Lines -...
INSIDERImaging
New Video Card Enables Supersonic Vision System for NASA's X-59 Demonstrator -...
INSIDERManned Systems
Stratolaunch Approaches Hypersonic Speed in First Powered TA-1 Test Flight -...
INSIDERUnmanned Systems
Army Ends Future Attack and Reconnaissance Helicopter Development Program -...
ArticlesEnergy
Can Solid-State Batteries Commercialize by 2030? - Mobility Engineering...
Webcasts
AR/AI
From Data to Decision: How AI Enhances Warfighter Readiness
Energy
April Battery & Electrification Summit
Manufacturing & Prototyping
Tech Update: 3D Printing for Transportation in 2024
Test & Measurement
Building an Automotive EMC Test Plan
Manufacturing & Prototyping
The Moon and Beyond from a Thermal Perspective
Software
Mastering Software Complexity in Automotive: Is Release Possible...