PSSS - Process to Support Software Security

  • Francisco José Barreto Nunes UNIFOR
  • Arnaldo Dias Belchior UNIFOR

Abstract


Software security has become very important to organizations that depend on, or whose customers demand, software products that assure information integrity, availability, and confidentiality. Unfortunately, despite the investments made in process improvement according to Software Engineering practices, there is still no guarantee that the developed software products are immune to attacks or free of security problems. This paper presents a software security approach based on a specialized process to help develop more secure software products, entitled Process to Support Software Security (PSSS). In addition, this paper presents the results of applying the PSSS in a software development project.

Published
13/10/2008
NUNES, Francisco José Barreto; BELCHIOR, Arnaldo Dias. PSSS - Process to Support Software Security. In: SIMPÓSIO BRASILEIRO DE ENGENHARIA DE SOFTWARE (SBES), 22., 2008, Campinas. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2008. p. 268-282. DOI: https://doi.org/10.5753/sbes.2008.21337.