Software Security

It is imperative that students understand and appreciate the role of Software Security in the cybersecurity process. That is because software affects all areas of modern life. Software failures allow successful attacks on systems and data. Thus, developers must design and build functionally correct software systems, and system operators need to be able to identify flaws and propose mitigations that minimize weaknesses and vulnerabilities. In practice, Software Security is the development and enforcement of policies about proper development, operation, and maintenance practice. Therefore, a knowledge base that itemizes those practices and a defined curriculum for presenting them is a critical part of the general body of knowledge in cybersecurity. In this chapter, the reader learns about the fundamental design principles for Software Security as well as the importance of security requirements and the role they play in design. The reader will also see how the concept of open design and abstraction supports this. The reader will learn how to apply least privilege to the creation of software functionality and the ethical issues that apply to the development, testing, and vulnerability disclosures for software. Finally, implementation issues that can affect the security of software are explored including the similarities and differences of static and dynamic analysis and the effect that proper configuration and patching have on overall security of software. The CSEC2017 guideline leads this topic off with an extremely vital perception. That is, Software Security requirements must be derived based on business, mission, and other objectives. Performing a Software Security requirements analysis requires a good understanding of security principles and their applicability in the design specification. Student must be introduced to the point that once technical, operational, and administrative security requirements have been identified, they must be documented in a specification commonly referred to as a software requirements specification. CSEC2017 considers deployment, operations, and maintenance to be vital components to security curricula. A topic that tends to get little attention within Software Security curricula but is worth much more is the environment from which the software will operate. At the code of required security documentation for software development and use is the existence of an Organizational Security policy framework. Security policies are reall