Abstract Need

John_matt

Secure Software Tools and Methods

Objectives

  • Learn about various software development tools used in the production of secure software.
  • Learn about secure software development methodologies.

Topics

Formal Methods; Semi-Formal Methods; Compilers; Development Tool Suites; Heavyweight Processes; Lightweight Processes; Improving Processes for Developing Secure Software.

OERs

Review Questions

  • Explain how secure development processes improve the development of software throughout the SDLC.
  • Explain how a software development process can become dependable through the use of tools.

(These questions are intended to be a self-test of your comprehension of this session's material; answers to these questions do not need to be turned in.)

Session Notes

Chapter 9 of CBK provides an overview of tool categories, from formal methods and semi-formal methods (e.g., UML, model checkers) to compilers, static analysis, dynamic analysis, and tool suites. Many of these we have discussed in earlier sessions. The focus of this session is automated tools, i.e., the use of development tools to assist secure software development.

Chapter 10 of CBK discusses various processes for developing more assured systems. We have explored CMMI processes that can work with any software development methodology to improve the production of quality software on time and on budget.

There are also secure software development methodologies that incorporate security-enhancing activities (e.g., threat identification in the requirements phase, fuzz testing in integration or product testing) into the software development life cycle. Two such methodologies are Microsoft Secure Development Life Cycle and Cigital's Software Security Touchpoint: Architectural Risk Analysis. The OERs for these methodologies are given above.

____________________________________________________________________________

© 2020 University of Maryland Global Campus.