research-article

Guidelines for secure software development

Authors:

Rossouw von SolmsAuthors Info & Claims

SAICSIT '08: Proceedings of the 2008 annual research conference of the South African Institute of Computer Scientists and Information Technologists on IT research in developing countries: riding the wave of technology

Pages 56 - 65

https://doi.org/10.1145/1456659.1456667

Published: 06 October 2008 Publication History

Abstract

It is within highly integrated technology environments that information security is becoming a focal point for designing, developing and deploying software applications. Ensuring a high level of trust in the security and quality of these applications is crucial to their ultimate success. Information security has therefore become a core requirement for software applications, driven by the need to protect critical assets and the need to build and preserve widespread trust in computing. The aim of this paper is to provide guidance to software designers and developers by defining a set of guidelines for secure software development. The guidelines established are based on various internationally recognised standards and best practices and some of the processes developed by many key role players.

References

[1]

Jurjens, J. 2002. Using UMLSec and goal trees for secure systems development. Communications of the ACM, 48 (5), pp.1026--1030.

[2]

Killmeyer, J. 2006. Information security architecture: An integrated approach to security in the organisation. New York: United States of America: Auerbach Publications.

Digital Library

[3]

Peltier, T. R. 2005. Information security risk analysis. New York: United States of America: Auerbach Publications.

Digital Library

[4]

Jones, R. L. and Rastogi, A. 2004. Secure coding - building security into the software development life cycle. Application Program Security, pp.29--38.

[5]

ISO. 2005. ISO/IEC 27002: Information Technology - Code of Practice for Information Security Management.

[6]

ISO. 2004. ISO/IEC 13335-1: Information Technology - Security Techniques - Management of Information and Communications Technology Security. Part 1: Concepts and models for information and communications technology security management.

[7]

ISO. 1998. ISO/IEC TR 13335-3: Information Technology - Guidelines for the Management of IT Security. Part 3: Techniques for the management of IT security.

[8]

ISO. 2000. ISO/IEC TR 13335-4: Information Technology -- Guidelines for the Management of IT Security. Part 4: Selection of safeguards.

[9]

NIST. 1996. Generally Accepted Principles and Practices for Securing Information Technology systems. NIST SP 800-14. (http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf).

[10]

NIST. 2004. Security Considerations in the Information System Development Life Cycle. NIST Special Publication 800--64. (http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800--64.pdf).

[11]

NIST. 2002. Risk Management Guide for Information Technology Systems. NIST Special Publication 800--30. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/NIST-SP800-30.pdf on 20th June 2008.

[12]

Bertine, H., Chadwick, D., Euchner, M. And Harrop, M. 2004. Security in telecommunications and information technology (Technical Report). International Telecommunication Union.

[13]

ISO. 1989. ISO 7498-2: Information Processing Systems - Open System Interconnection - Basic Reference Model - Part 2: Security Architecture.

[14]

ISO. ISO/IEC 12207. 2004. Software Lifecycle Processes.

[15]

Peters, J. F. and Pedrycz, W. 2000. Software engineering: an engineering approach. Wiley.

Digital Library

[16]

Common Criteria. 2005. Common Criteria for Information Technology Security Evaluation. Part 1: Introduction and general model. Retrieved from http://commoncriteriaportal.org/thecc.html on 20th June 2008.

[17]

Davis, N. 2006. Secure Software Development Life Cycle Processes. Retrieved from https://buildsecurityin.uscert.gov/daisy/bsi/articles/knowledge/sdlc/326.BSI.ht ml.

[18]

IBM. Rational Unified Process Best Practices for Software Development Teams. Retrieved from http://www.128.ibm.com/developerworks/rational/library/253.html on 20^th June 2008.

[19]

Lipner, S. and Howard, M. 2005. The Trustworthy Computing Security Development Lifecycle. Retrieved from http://msdn.microsoft.com/enus/library/ms995349.aspx on 20th June 2008.

Digital Library

[20]

OWASP. CLASP Concepts. Retrieved from http://www.owasp.org/ on 20^th June 2008.

[21]

Davis, N. 2008. Developing Secure Software with TSP-Secure. Retrieved from https://buildsecurityin.uscert.gov/swa/downloads/TSP_Secure_Davis.pdf on 20^th June 2008.

[22]

Howard, M. and Leblanc, D. 2003. Writing secure code: Practical strategies and techniques for secure application coding in a networked world. Microsoft Press.

Digital Library

[23]

Dustin, E. 2006. The Secure Software Development Lifecycle. Retrieved from http://www.devsource.com/c/a/techniques/The-Secure-Software-Development-Lifecycle/ on 12^th June 2008.

[24]

Aprville, A. And Pourzandi, M. 2005. Secure Software Development by Example. IEEE Security and Privacy. Retrieved from http://www.computer.org/portal/site/security on 20th June 2008.

Digital Library

[25]

Rajlich, V. 2006, August. Changing the paradigm of software engineering. Communications of the ACM, 49 (8), pp.67--70.

Digital Library

[26]

Procaccino, J. D., Verner, J. M. and Lorenzet, S. J. 2006. Defining and contributing to software development success. Communications of the ACM, 49 (8), pp.79--83.

Digital Library

[27]

Breu, R., Burger, K., Hafner, M. and Popp, G. 2004. Towards a systematic development of secure systems. Systematic Development, pp.5--13.

Cited By

Granata DRak MSalzillo G(2022)MetaSEnD: A Security Enabled Development Life Cycle Meta-ModelProceedings of the 17th International Conference on Availability, Reliability and Security10.1145/3538969.3544463(1-10)Online publication date: 23-Aug-2022
https://dl.acm.org/doi/10.1145/3538969.3544463
SERDARASAN ŞERTEK E(2021)YAZILIM GELİŞTİRME SÜRECİNDE DEĞER ODAKLI İYİLEŞTİRMEVALUE ORIENTED IMPROVEMENT FOR SOFTWARE DEVELOPMENT PROCESSEndüstri Mühendisliği10.46465/endustrimuhendisligi.80943832:1(90-107)Online publication date: 30-Apr-2021
https://doi.org/10.46465/endustrimuhendisligi.809438
Ruggia ALosiouk EVerderame LConti MMerlo A(2021)Repack Me If You Can: An Anti-Repackaging Solution Based on Android VirtualizationProceedings of the 37th Annual Computer Security Applications Conference10.1145/3485832.3488021(970-981)Online publication date: 6-Dec-2021
https://dl.acm.org/doi/10.1145/3485832.3488021
Show More Cited By

Index Terms

Guidelines for secure software development
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Putting the Sec in DevSecOps: Using Social Practice Theory to Improve Secure Software Development
NSPW '20: Proceedings of the New Security Paradigms Workshop 2020

Practices such as open source development, agile, DevOps and DevSecOps mean that cyber security professionals need to find ways to blend cyber security with software development practices. One way of approaching this is as an awareness, education and ...
Costing Secure Software Development: A Systematic Mapping Study
ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security

Building more secure software is a recent concern for software engineers due to increasing incidences of data breaches and other types of cyber attacks. However, software security, through the introduction of specialized practices in the software ...
Software security in agile software development: a literature review of challenges and solutions
XP '18: Proceedings of the 19th International Conference on Agile Software Development: Companion

There has been a surge in number of software security threats and vulnerabilities in recent times. At the same time, expectations towards software and data security are growing. Thus there is a need to ensure that security-related tasks are effectively ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

SAICSIT '08: Proceedings of the 2008 annual research conference of the South African Institute of Computer Scientists and Information Technologists on IT research in developing countries: riding the wave of technology

October 2008

304 pages

ISBN:9781605582863

DOI:10.1145/1456659

Program Chairs:
Reinhardt Botha
Nelson Mandela Metropolitan University, South Africa
,
Charmain Cilliers
Nelson Mandela Metropolitan University, South Africa

Copyright © 2008 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Microsoft: Microsoft

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 October 2008

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SAICSIT '08

Sponsor:

Microsoft

SAICSIT '08: 2008 Annual Conference of the South African Institute of Computer Scientists and Information Technologists

October 6 - 8, 2008

Wilderness, South Africa

Acceptance Rates

Overall Acceptance Rate 187 of 439 submissions, 43%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

23
Total Citations
View Citations
2,907
Total Downloads

Downloads (Last 12 months)94
Downloads (Last 6 weeks)11

Reflects downloads up to 11 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Granata DRak MSalzillo G(2022)MetaSEnD: A Security Enabled Development Life Cycle Meta-ModelProceedings of the 17th International Conference on Availability, Reliability and Security10.1145/3538969.3544463(1-10)Online publication date: 23-Aug-2022
https://dl.acm.org/doi/10.1145/3538969.3544463
SERDARASAN ŞERTEK E(2021)YAZILIM GELİŞTİRME SÜRECİNDE DEĞER ODAKLI İYİLEŞTİRMEVALUE ORIENTED IMPROVEMENT FOR SOFTWARE DEVELOPMENT PROCESSEndüstri Mühendisliği10.46465/endustrimuhendisligi.80943832:1(90-107)Online publication date: 30-Apr-2021
https://doi.org/10.46465/endustrimuhendisligi.809438
Ruggia ALosiouk EVerderame LConti MMerlo A(2021)Repack Me If You Can: An Anti-Repackaging Solution Based on Android VirtualizationProceedings of the 37th Annual Computer Security Applications Conference10.1145/3485832.3488021(970-981)Online publication date: 6-Dec-2021
https://dl.acm.org/doi/10.1145/3485832.3488021
Altayaran SElmedany W(2021)Integrating Web Application Security Penetration Testing into the Software Development Life Cycle: A Systematic Literature Review2021 International Conference on Data Analytics for Business and Industry (ICDABI)10.1109/ICDABI53623.2021.9655950(671-676)Online publication date: 25-Oct-2021
https://doi.org/10.1109/ICDABI53623.2021.9655950
De Cremer PDesmet NMadou MDe Sutter B(2020)Sensei: Enforcing secure coding guidelines in the integrated development environmentSoftware: Practice and Experience10.1002/spe.284450:9(1682-1718)Online publication date: 4-Jun-2020
https://doi.org/10.1002/spe.2844
Grechko VBabenko TMyrutenko L(2019)SECURE SOFTWARE DEVELOPING RECOMMENDATIONSCybersecurity: Education, Science, Technique10.28925/2663-4023.2019.6.82932:6(82-93)Online publication date: 2019
https://doi.org/10.28925/2663-4023.2019.6.8293
Grechko VBabenko TMyrutenko L(2019)Secure Software Developing Recommendations2019 IEEE International Scientific-Practical Conference Problems of Infocommunications, Science and Technology (PIC S&T)10.1109/PICST47496.2019.9061529(45-50)Online publication date: Oct-2019
https://doi.org/10.1109/PICST47496.2019.9061529
Fujdiak RMlynek PMrnustik PBarabas MBlazek PBorcik FMisurec J(2019)Managing the Secure Software Development2019 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS)10.1109/NTMS.2019.8763845(1-4)Online publication date: Jun-2019
https://doi.org/10.1109/NTMS.2019.8763845
Fujdiak RBlazek PMlynek PMisurec J(2019)Developing Battery of Vulnerability Tests for Industrial Control Systems2019 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS)10.1109/NTMS.2019.8763810(1-5)Online publication date: Jun-2019
https://doi.org/10.1109/NTMS.2019.8763810
Gonzalez HLlamas-Contreras RMontano-Rivas O(2019)When Software Engineering meets Cybersecurity at the classroom2019 7th International Conference in Software Engineering Research and Innovation (CONISOFT)10.1109/CONISOFT.2019.00017(49-54)Online publication date: Oct-2019
https://doi.org/10.1109/CONISOFT.2019.00017
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten