Software Security Engineering: Towards Unifying Software Engineering and Security Engineering

Abstract

The rapid development and expansion of network based applications have changed the computing world in the last decade. However, this overwhelming success has an Achilles’ heel: almost every software controlled system faces threats from potential adversaries both from internal and external users of the highly connected computing systems. These software systems must be engineered with reliable protection mechanisms, while still delivering the expected value of the software to their customers within the budgeted time and cost. The principal obstacle in achieving the above two different but interdependent objectives is that current software engineering processes do notprovide enough support for the software developers to achieve security goals. In this chapter, we reemphasize the principal objectives of both software engineering and security engineering, and strive to identify the major steps of a software security engineering process that will be useful for building secure software systems. Both software engineering and security engineering are ever evolving disciplines, and software security engineering is still in its infancy. This chapter proposes a unification of the process models of software engineering and security engineering in order to improve the steps of the software life cycle that would better address the underlying objectives of both engineering processes. This unification will facilitate the incorporation of the advancement of the features of one engineering process into the other. The chapter also provides a brief overview and survey of the current state of the art of software engineering and security engineering with respect to computer systems.