1.
Software security testing (cited 3 times in total: 0 self-citations, 3 by others)
Testing software security is a commonly misunderstood task. Done properly, it goes deeper than simple black-box probing of the presentation layer (the sort performed by so-called application security tools) and even beyond the functional testing of security apparatus. Testers must use risk-based approaches, grounded in both the system's architectural reality and the attacker's mindset, to gauge software security adequately. By identifying risks in the system and creating tests driven by those risks, a software security tester can properly focus on areas of code in which an attack is likely to succeed. This approach provides a higher level of software security assurance than is possible with classical black-box testing.
2.
Chris Wysopal 《Datenschutz und Datensicherheit - DuD》2012,36(9):645-652
Veracode has analyzed more than 9,000 applications over the past 18 months, across 40 different industry sectors. These applications are both internally developed enterprise applications and those purchased by enterprises from software vendors. We measured the security quality of third-party software from large and small software vendors and compared the security quality of software written in different languages for different industry sectors. The paper will show that there are significant differences in the quantity and types of vulnerabilities in software due to differences in where the software was developed, the type of software it is, the language in which it was developed, and the type of business for which the software was developed.
3.
The article discusses an approach to security analysis that we have applied successfully over the past several years (to 1999) at Reliable Software Technologies. Our approach is no magic bullet, but it offers a reasoned methodology that has proven to be useful in the trenches. Our methodology, like many useful things, is a mix of art and engineering. The idea is straightforward: design a system with security in mind, analyze the system in light of known and anticipated risks, rank the risks according to their severity, test to the risks, and cycle broken systems back through the design process. The process outlined above has one essential underlying goal: avoiding the unfortunately pervasive penetrate-and-patch approach to computer security, that is, avoiding the problem of desperately trying to come up with a fix to a problem that is being actively exploited by attackers. In simple economic terms, finding and removing bugs in a software system before its release is orders of magnitude cheaper and more effective than trying to fix systems after release.
4.
Debate over whether open-source software development leads to more or less secure software has raged for years. Neither is intrinsically correct: open-source software gives both attackers and defenders greater power over system security. Fortunately, several security-enhancing technologies for open-source systems can help defenders improve their security.
6.
Software security testing methods and tools (cited 1 time in total: 0 self-citations, 1 by others)
Software is applied ever more widely and its scale and complexity keep growing; the security defects and vulnerabilities in software keep increasing as well, and software security has become an increasingly prominent problem. Software security testing is an important means of assuring software security and reducing software security risk. This paper discusses the characteristics and content of software security testing, focuses on the main software security testing methods and tools at home and abroad, analyzes the advantages, disadvantages and applicable scope of each method, proposes a classification scheme for security testing tools, summarizes current research and points out the key research topics and development directions for future software security testing technology.
9.
To address the security problem in software-defined networks that the controller cannot guarantee that the network policies it issues are correctly enforced on the forwarding devices, a new forwarding-path monitoring security scheme is proposed. First, building on the controller's global view, a path-credential exchange and processing mechanism based on the OpenFlow protocol is designed; then hash chains and message authentication codes are adopted as the key techniques for generating and processing forwarding-path credential information; finally, on this basis, the Ryu controller and the Open vSwitch open-source switch are extensively modified with the corresponding processing flows to establish a lightweight path-security mechanism. Test results show that the mechanism effectively protects the security of data forwarding paths, reduces throughput overhead by more than 20% compared with the SDN data-plane trusted forwarding scheme (SDNsec), and is better suited to network environments with complex paths, but latency and CPU usage fluctuate by more than 15% and require further optimization.
10.
Demand for software developers and IT professionals with up-to-date training is increasing. But with virtually every type of computer system now networked, there is almost as much, if not more, emphasis on training in all aspects of computer and network security.
11.
Businesses of all sizes use the Internet for sales, purchasing, and collaborations. They all need reliable systems. Faced with substantial numbers of reported security problems, Internet users must decide how much risk they are willing to take to participate in what the Internet world offers. After presenting the scope and origin of the Net's security problems, the authors outline three immediate steps we can take to help ensure software security. The third, examination and repair of existing systems, rivals the magnitude of the Y2K worldwide effort.
12.
The current buzzword of choice among the technical elite (at least those subject to marketing departments) is service-oriented architecture, or SOA (pronounced 'SO-uh'). As SOA moves from hype to practice, an opportunity exists to do security right, but a similar opportunity exists for disaster if security is done wrong. This article describes 13 snares that we must avoid to end up with SOA security that makes sense.
13.
Security measurement of software is a key foundation for developing secure software products and carrying out software security improvement. Building on the attack-surface approach proposed by Manadhata et al. (MANADHATA P K, TAN K M C, MAXION R A, et al. An approach to measuring a system's attack surface, CMU-CS-07-146. Pittsburgh: Carnegie Mellon University, 2007; MANADHATA P K, WING J M. An attack surface metric. IEEE Transactions on Software Engineering, 2011, 37(3): 371-386) and combining it with information entropy theory, this paper proposes a software security measurement method that combines information entropy with the attack surface. The entropy calculation is used to assess the threat posed by each resource of the software attack surface, yielding targeted quantitative weights for the threat indicators. On this basis, the security measure of the software is obtained by computing the indicator values of each attack-surface resource. Finally, a concrete case study shows that the combined entropy and attack-surface method can be applied effectively to both the secure software development process and the software security improvement process: it identifies potential security threats for secure design and development, helping to avoid vulnerabilities in software products early, and for software that is already developed and awaiting security improvement it points out clear directions for improvement.
15.
Software randomness analysis and evaluation of lightweight ciphers: the prospective for IoT security
Qasaimeh Malik Al-Qassas Raad S. Tedmori Sara 《Multimedia Tools and Applications》2018,77(14):18415-18449
In the past few years, various lightweight cryptographic algorithms have been proposed to balance the trade-offs between the requirements of resource constrained...
16.
Fred Cohen 《Network Security》1998,1998(10):10-14
Over the last few years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programmes has increasingly become a function of our ability to make prudent management decisions about organizational activities. This series of articles takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
17.
陈鹏 (Chen Peng) 《网络安全技术与应用》 (Network Security Technology & Application) 2014, (7): 120-120
With the rapid development of science and technology and of network information technology, more and more network information security problems are emerging. This paper mainly studies the relationship between network information security and network security, and offers several suggestions on how to create a secure network environment.