PASS: Processo de Apoio à Segurança de Software

Francisco José Barreto Nunes; Arnaldo Dias Belchior

doi:10.5753/sbqs.2008.15562

Francisco José Barreto Nunes UNIFOR
Arnaldo Dias Belchior

DOI: https://doi.org/10.5753/sbqs.2008.15562

Abstract

The need of developing software products with increased quality demanded the creation of standards and maturity models related to the quality of development process and software products. However, despite the investment made in software processes development, there is still no assurance that the developed systems are immune to attacks or do not present security problems. This paper proposes a formal process aimed at improving software security, the Process to Support Software Security (PSSS), which was based on the result of a research field and validated by a case study.

Keywords: Software Security, Software Development, Process Quality

References

Alberts, C. et al. (2001), “OCTAVE - The Operationally Critical Threat, Asset, and Vulnerability Evaluation”, Carnegie Mellon – Software Engineering Institute, Disponível em: www.cert.org/octave . Acesso em junho de 2006.

Alberts, C. et al. (2003), “OCTAVE-S Implementation Guide”. Carnegie Mellon – Software Engineering Institute. Version 0.9. August 2003. Disponível em: www.cert.org/octave . Acesso em Março de 2007.

Andrade, Jeann Marcell Silva. 2005, Avaliação de Processos de Software em Ambientes de Desenvolvimento de Software Orientados à Organização. Dissertação Mestrado em Ciências em Engenharia de Sistemas e Computação, Universidade Federal do Rio de Janeiro (UFRJ). Disponível em: http://www.cos.ufrj.br/~taba . Acesso em Maio de 2006.

CMMI, 2006, Capability Maturity Model Integration, Version 1.2. (CMMI-SE/SW, V1.2 – Continuous Representation), SEI Technical Report CMU/SEI-2006-TR-008.

Common Criteria (2005), Version 2.3, August 2005. Disponível em: http://www.commoncriteriaportal.org . Acesso em janeiro de 2007.

Howard, M.; LeBlanc D. (2002), Writing Secure Code, 2nd edition. Microsoft Press.

ISO/IEC 12207:1995, Amd 1:2002, (2002), Software engineering Information technology -- Software life cycle processes, ISO – International Organization for Standardization, Geneva, Switzerland.

ISO/IEC 15408-1. (2005a) Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model.

ISO/IEC 15408-2. (2005b) Information technology – Security techniques – Evaluation criteria for IT security – Part 2: Security functional requirements.

ISO/IEC 15408-3. (2005c) Information technology – Security techniques – Evaluation criteria for IT security – Part 3: Security assurance requirements.

ISO/IEC 21827. (2002) Information technology - Systems Security Engineering - Capability Maturity Model.

ISO/IEC 27002. (2005) Information technology – Security techniques – Code of practice for information security management.

ISSEA. (2003), International Systems Security Engineering Association. www.issea.org. Acesso em agosto de 2003.

McGraw, G.; Viega, J., (1999), “Make your software behave”. Disponível em: http://www.ibm.com/developerworks/library/s-behave.html . Acesso em Março de 2006.

McGraw, G. (2004), Software Security, IEEE Security and Privacy, March/April 2004, páginas 32-35.

McGraw, G. (2006), Software security: building security in. Addison-Wesley. 1a Edição.

Paulk et al. (1993), Capability Maturity Model for Software. Version 1.1 (CMU/SEI-93-TR-024, ADA 263403). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1993.

PMBOK Guide 2004 Edition. (2004) “A Guide to the Project Management Body of Knowledge”, Disponível em http://www.pmi.org . Acesso em dezembro 2006.

RUP. (2003) Rational Unified Process®. Rational Software Corporation. Copyright © 1987 - 2003

SSE-CMM. (2003) System Security Engineering – Capability Maturity Model, Version 3, Disponível em www.sse-cmm.org . Acesso em janeiro de 2006.

PASS: Software Security Support Process

Abstract

References