Secure Software, Ethics, Law & Governance
Objectives
- Learn basic software security principles.
- Distinguish ethics, law & regulations as applied to software systems and software development.
- Learn tools and techniques to produce requirements for software systems.
Topics
Basic Software System Security Principles; Ethics; Law; Regulatory Policy and Guidance; Requirement Analysis; Requirement Validation; Assurance Case
OERs
- DHS. (2007). Software Assurance: A Curriculum Guide to the Common Body of Knowledge (CBK) to Produce, Acquire, and Sustain Secure Software. Retrieved from: https://learn.umgc.edu/content/enforced/313879-M_022073-01-2185/Common_Body_of_Knowledge2007.pdf?_&d2lSessionVal=yHNXTIp6y56ZPEX8jKq29unVQ&ou=313879 (Note: This CBK is used in every session from now on, but different chapters are assigned in each session. Once you have downloaded the document, you do not need to download it again.)
- Chapter 3: Basic Software System Security Principles
- Chapter 4: Ethics, Law and Governance
- Chapter 5: Security Software Requirements
- Saltzer, J.H., & Schroeder, M.D. (1975). Basic Principles of Information Protection. Retrieved from: http://web.mit.edu/Saltzer/www/publications/protection/Basic.html
- OWASP. (n.d.). Application Security Principle. https://www.owasp.org/index.php/Category:Principle
Review Questions
- What is meant by “complete mediation?” How can a developer or development team implement that principle in the code?
- What is least privilege? What is separation of privilege? Why are they important in information security?
- How can open design contribute to better security?
- Why is a code of conduct needed for software/security professionals?
- Why is software liability good for security?
- How do regulatory policies such as policies governing personal information govern software development?
- What are the tools and techniques for producing quality requirements and specifications?
- What are the tools and techniques for producing security requirements for a system?
(These questions are intended to be a self-test of your comprehension of this session's material; answers to these questions do not need to be turned in.)
Session Notes
Application development continues to grow more complex, integrated, and embedded every day. See Complex Car Software Becomes the Weak Spot Under the Hood.
Sensitive information is passing through various software applications, network protocols, and hosting machines. The development and deployment environments and applications have become so vast that no one individual can possibly be responsible for securing every aspect of an application. Attackers can infiltrate software applications to steal and modify sensitive information in a variety of ways. These types of attacks can be mapped to the knowledge that is needed by the development team so that it can successfully safeguard the information. This knowledge base required from today’s developer is far more than just learning a computer language. The field of software development has quickly changed from relying on a few hotshot programmers to relying on a competent development team that can collaborate and communicate effectively.
The art and science of software development has changed along with the complexity of business computing needs. The programming languages, coding practices, and the relationship between the computer and the developer have evolved into an overwhelming level of complexity. With portal development, Web services, and cross-platform protocols such as SOAP, today's applications are very challenging to develop. A good development methodology is a means of managing that complexity, and hence we must adopt a methodology that is easily understood, consistent (repeatable), and reliable.
Software development methodologies help the human mind comprehend the complex intricacies of software construction by providing a process that all team members can understand. There is no one-size-fits-all methodology, as we said in earlier sessions, and what works in one project might not work in another. Because all projects are different, there are different development methodologies. The team leads and/or project managers must be sure that the methodology chosen fits the team as well as the project's needs.
As you will learn, many of the principles of secure code start with quality, but go beyond quality. The first step in creating secure code is to ensure that the software was created with a focus on quality; that is job number one. Quality principles include modularity and evolvability, or changeability. (The essence of software is "soft," i.e., it is meant to change.) For software to be secure, there are security principles that need to be followed, including complete mediation, separation of privilege, defense in depth, least privilege, fail securely, and securing the weakest link. These principles and characteristics need to become embedded within the developer so that the code he or she writes is inherently secure.
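The review question on how a development team can implement complete mediation in code is easiest to answer with a concrete reference monitor. The following is an added example written for this session, not code from the CBK or from the course: a single choke point that every access request must pass through (complete mediation), a constructed policy that grants each subject only the actions its role needs (least privilege), a requirement that a sensitive action be approved by a second, distinct subject (separation of privilege), and a rule that any error during policy evaluation results in a deny (fail securely). All subjects, resources and policy entries are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Constructed sample policy (not from the course): subject -> resource -> allowed actions.
# Least privilege: each subject is granted only the actions its role needs.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.csv": {"read"}},
    "bob":   {"payroll.csv": {"read", "write", "delete"}},
    "carol": {"payroll.csv": {"delete"}},
    "broken": {"payroll.csv": None},  # deliberately malformed entry, to show fail-securely
}

# Separation of privilege: these actions need a second, distinct approver who is
# independently authorised for the same action, in addition to the requester.
DUAL_CONTROL_ACTIONS = {"delete"}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class ReferenceMonitor:
    policy: Dict[str, Dict[str, Set[str]]]
    audit_log: List[str] = field(default_factory=list)

    def _has(self, subject: str, resource: str, action: str) -> bool:
        # KeyError (unknown subject/resource) or TypeError (malformed entry)
        # propagates to check(), which turns it into a deny.
        return action in self.policy[subject][resource]

    def check(self, subject: str, resource: str, action: str,
              approvers: Iterable[str] = ()) -> Decision:
        """Single choke point for every access request (complete mediation).
        Callers must invoke this on every request; no 'allow' is cached or reused."""
        try:
            if not self._has(subject, resource, action):
                decision = Decision(False, "subject lacks privilege")
            elif action in DUAL_CONTROL_ACTIONS:
                others = [a for a in approvers
                          if a != subject and self._has(a, resource, action)]
                decision = (Decision(True, f"dual control satisfied by {others[0]}")
                            if others else Decision(False, "second approver required"))
            else:
                decision = Decision(True, "policy allows")
        except (KeyError, TypeError) as exc:
            # Fail securely: an error while evaluating policy is always a deny.
            decision = Decision(False, f"policy evaluation error: {type(exc).__name__}")
        # Every decision, allow or deny, is recorded so it can be reviewed later.
        self.audit_log.append(
            f"{subject} {action} {resource} -> "
            f"{'ALLOW' if decision.allowed else 'DENY'} ({decision.reason})")
        return decision


def demo() -> List[bool]:
    """Runs the constructed requests through the monitor and returns the outcomes."""
    rm = ReferenceMonitor(POLICY)
    return [
        rm.check("alice", "payroll.csv", "read").allowed,             # True
        rm.check("alice", "payroll.csv", "write").allowed,            # False: least privilege
        rm.check("bob", "payroll.csv", "delete").allowed,             # False: second approver required
        rm.check("bob", "payroll.csv", "delete", ["carol"]).allowed,  # True: separation of privilege
        rm.check("bob", "payroll.csv", "delete", ["bob"]).allowed,    # False: approver must be distinct
        rm.check("mallory", "payroll.csv", "read").allowed,           # False: unknown subject
        rm.check("broken", "payroll.csv", "read").allowed,            # False: malformed policy entry
    ]


if __name__ == "__main__":
    print(demo())
    for line in ReferenceMonitor(POLICY).audit_log:
        print(line)
```

The design point worth noticing is that `check()` is the only path to a decision: resource access code never consults `POLICY` directly, so a new action or resource cannot slip past the check, and the `except` clause maps every evaluation failure to a deny rather than letting an exception or a default value produce an accidental allow.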
To further complicate matters, ethical and legal principles must be adhered to by every stakeholder regardless of which development methodology is being used. Differing methodologies cover ethics to varying degrees, making a practical understanding of ethical software development an absolute necessity.
Regulatory policies are constantly evolving. Development methodologies and stakeholder cultural norms have difficulty keeping up with the changes. Typically it takes several iterations of drafting and then testing amended methodologies before they can be trusted to adhere to the latest regulations. The minds of business or user stakeholders are all too often focused primarily on what the system can do for them, and run the risk of relegating the ethical and regulatory aspects of development to an afterthought. It therefore behooves software developers to maintain a strong working knowledge of the established legal and ethical principles of software development and the provision of computing services particular to their relevant application set or industry domain. Furthermore, developing a relationship with the organization's in-house legal counsel on these matters will help developers keep abreast of pertinent legal and ethical trends.
Professionals such as engineers, lawyers, dentists, doctors, and accountants often form their own organization, or join a relevant one, in order to support their profession. Belonging to a professional organization can and does bring influence in the marketplace and with government bodies. Professional organizations or societies hold an elevated position within society when it comes to trust. During their evolution most, if not all, such organizations or societies have developed detailed codes of ethics and codes of conduct. The membership is often guided by a set of rules to work within in order to carry out their jobs in the most professional manner.
The following URLs are for various computer societies and other professional societies around the world. They all have a code of ethics and a code of conduct, which are more or less framed around the same language and themes.
One can see that in the world of software engineering and related disciplines, we are relying on engineers and other associates to act according to the rule book, that is, the code of ethics and code of conduct.
One has to ask the unanswerable question: what percentage of hackers belong to a professional society such as the ACM, the IEEE Computer Society, the British Computer Society, etc.? How many rogue programmers and system designers belong to a professional society?
List of URLs of professional societies from around the world:
URL for the TEN COMMANDMENTS OF COMPUTER ETHICS:
https://en.wikipedia.org/wiki/Ten_Commandments_of_Computer_Ethics
URL for the Software Engineering Code of Ethics and Professional Practice: IEEE Software Engineering Code of Ethics
URL for Code of Ethics of the ACM, Association for Computing Machinery:
https://www.acm.org/about-acm/acm-code-of-ethics-and-professional-conduct
URL for Australian Computer Society code of ethics:
http://users.ece.utexas.edu/~perry/education/SE-Intro/ACS-COE.pdf
URL for British Computer Society code of conduct:
http://www.bcs.org/upload/pdf/conduct.pdf
URL for code of ethics of the Information Processing Society of Japan:
http://www.ipsj.or.jp/english/ipsjcode_e.html
URL for Singapore Infocomm and Digital Media Professional Society code of conduct:
https://www.scs.org.sg/membership/membership_code_of_conduct.php
URL for the Hong Kong Computer Society Code of Ethics:
http://www.hkcs.org.hk/code-ethics-professional-conduct/
____________________________________________________________________________
© 2020 University of Maryland Global Campus.