Carnegie Mellon University

3 Activities for Making Software Secure by Design

online resource
posted on 2023-09-06, 15:17 authored by Carol Woody, Robert Schiela

Criminals and foreign state actors have increasingly targeted our personal data and critical infrastructure services. Their disruption is enabled through vulnerabilities in software whose design and build are inadequate for effective cybersecurity. Most software creators and vendors prioritize speed of release to capture customers quickly with new features and functions, then fall back on a never-ending cycle of post-release patches and “updates” to handle issues such as security. Meanwhile, our data, our homes, our economy, and our safety are increasingly left open to attacks. Automation and interconnection among software systems make software risks hard to isolate, increasing the value of each vulnerability to an attacker. Moreover, the sources of vulnerabilities are increasingly complex and spreading due to an ever-growing supply chain of software components within any product. After code originators are compelled to make a fix, it must trickle into the products that use their software for the security repairs to become effective, which is a time-consuming and frequently incomplete process. Many vulnerabilities remain unrepaired, leaving risk exposure long after a fix is available. Users will not be aware of the risk unless they are closely monitoring their supply chains, but supply chain information is rarely available to users.

Commercial systems and software, including open source software, are becoming further interwoven into the systems that control and support our national defense, national security, and critical infrastructure. Their use and reuse reduce costs and speed delivery, but their growing vulnerabilities are especially dangerous in these high-risk domains. To protect national security, critical infrastructure, and the way we live our lives, the software community must start producing software that is secure by design.
To accomplish this shift, the creators, acquirers, and integrators of software and software systems need to change their mindset, education, training, and prioritization of software quality, reliability, and safety. In this blog post, we will look at some key secure-by-design principles, roadblocks, and accelerators.


Publisher Statement

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The views, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation. References herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, do not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. This report was prepared for the SEI Administrative Agent AFLCMC/AZS 5 Eglin Street Hanscom AFB, MA 01731-2100. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

Copyright Statement

Copyright 2023 Carnegie Mellon University.
