Secure Software Development
Module Reflection
Secure software development is a basic need nowadays due to the increasing number of cybersecurity attacks that parallel the shift toward digital technologies (Brooks, 2022). In Unit 1, we were introduced to secure software development, where I realized the challenges of integrating security measures into different software development life cycles (SDLCs). I learned that various mitigations had been implemented, leading to the spiral approach of the waterfall model and other security-focused integrations like the TOGAF-SABSA (The Open Group, 2011).
Whether designing a complete system or small incremental pieces of code, there should be an image of the software architecture that is easily communicated between different parties. In Unit 2, I had the opportunity to revisit the Unified Modeling Language (UML), which supports the development of secure software systems through planning. I now realize how modeling the system components leads to a greater appreciation of the possible attack surfaces, helping mitigate such attacks. For that purpose, I chose to model the causes of cryptographic failures, one of the weaknesses identified by OWASP (CWE, 2017), in the first Collaborative Discussion of this course.
In the same unit, I participated in a blog that I titled “Internal Threats”, which discussed how internal threats are no less important than external threats and are often more harmful. In addition, I discussed the factors that lead to this and the proposed solutions.
In Units 3 and 4, we explored some programming language concepts, and I will present the most important ones. The first concept was regular expressions. Regular expressions can be leveraged in validating user inputs, creating firewall rules, and malware scanning (Li, 2020; Larson, 2016). However, I also learned that they can be evil and used to perform ReDoS. The second interesting concept was recursion, where a function can call itself several times. I think it is a brilliant idea and leads to neater code. But it also comes with risks if the recursion depth is exceeded, leading to stack overflow, a type of buffer overflow that can be exploited too. The third concept I learned was the producer-consumer mechanism that ensures process synchronization to avoid buffer overflow.
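As an added illustration of the ReDoS point above (my own example, not code from the module or its author): a small heuristic that flags a pattern which applies an unbounded repeat to a group that itself contains a repeat, paired with the length-bounded, full-match input validation that keeps regex use on the defensive side. The function names and the 64-character cap are assumptions.

```python
import re


def _unbounded_quantifier_at(pattern: str, j: int) -> bool:
    """True if pattern[j:] begins with an open-ended repeat: *, + or {n,}."""
    if j >= len(pattern):
        return False
    if pattern[j] in "*+":
        return True
    return re.match(r"\{\d*,\}", pattern[j:]) is not None


def has_nested_quantifier(pattern: str) -> bool:
    """Heuristic ReDoS check: an unbounded repeat applied to a group that
    itself contains a repeat, e.g. (a+)+ or (\\w+\\s?)*, is flagged."""
    stack = []                      # one flag per open group: "contains a repeat"
    escaped = in_class = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if escaped:
            escaped = False         # previous backslash consumed this char
        elif ch == "\\":
            escaped = True
        elif in_class:
            in_class = ch != "]"    # quantifier chars are literal inside [...]
        elif ch == "[":
            in_class = True
        elif ch == "(":
            stack.append(False)
            if pattern[i + 1:i + 2] == "?":   # skip the '?' of (?:...), (?=...), (?P<..>
                i += 1
        elif ch == ")":
            inner = stack.pop() if stack else False
            quantified = _unbounded_quantifier_at(pattern, i + 1)
            if inner and quantified:
                return True         # nested repeat: catastrophic backtracking risk
            if stack and (inner or quantified):
                stack[-1] = True    # the enclosing group now contains a repeat
        elif ch in "*+?{" and stack:
            stack[-1] = True
        i += 1
    return False


MAX_INPUT = 64                      # assumed cap: bound the work any pattern can do


def validate_username(value: str, pattern: str = r"[a-z0-9_]{3,16}") -> bool:
    """Refuse ReDoS-prone patterns, cap input length, and require a full match."""
    if has_nested_quantifier(pattern):
        raise ValueError("refusing ReDoS-prone pattern: " + pattern)
    if len(value) > MAX_INPUT:
        return False
    return re.fullmatch(pattern, value) is not None
```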
In Unit 5, we were introduced to software testing. A fascinating concept here is “testability.” Testable software can be easily tested; it can display its bugs. I acknowledged the importance of designing a test plan by understanding attack surfaces. Also, we explored the factors that lead to errors in the code; an intuitive one is the complexity of the code, which, fortunately, can be measured. One of the measures for that purpose is called cyclomatic complexity, which we explored in Unit 6 along with additional functions of linters.
By the end of Unit 6, my team and I managed to submit a design document for our team project. The name of our team, which our tutor picked, was “Defense in Depth,” which I think was a brilliant idea from her that matched the topic of the assignment. Our project was a proposed solution for the Dutch National Cybersecurity Center, where we managed to offer a practical and secure design with the help of Google Firebase products. The feedback we received from our tutor was constructive. We could have scored higher if we had managed to justify to a greater degree the tools we used for our project and changed the name to “Dutch Police Internet Forensics.”
In Unit 7, we were introduced to operating systems. I learned that operating systems provide interfaces to applications and hardware, computer resource management, abstraction and virtualization, services, and security. Hence, they represent a massive attack surface. In this unit, I gained valuable knowledge about the eight security principles proposed by Saltzer & Schroeder (n.d.) for protecting information systems. Their brilliant work still holds nowadays, and I saw how those principles were cited in many references throughout my readings in the module.
Unit 8 was about cryptography. By studying this module, I learned that cryptography is not only about ciphering text. It has many applications in user authentication and authorization, data integrity protection, and non-repudiation.
The last four units were very interesting because they were relevant to the status of computer systems. Computer systems can be monolithic: one complete system that does all the intended functionalities. However, this might not be the system of choice for all domains. Most large contemporary systems are distributed systems where components are located on different computers or servers, and those components have APIs to communicate with each other and with the clients. One type is the microservices architecture. But which one is better, monolithic systems or microservices? This debate goes back to 1992 (DiBona & Ockman, 1999). One of the team activities helped us understand this topic by developing a team stance on it.
By the end of Unit 11, our team managed to submit the coding output along with all the required documentation of the code. This time we managed to get excellent feedback from our tutor, thanks to all the hard work of my group, which focused on getting the job done with all the possible security layers applied.
In the last unit, we discussed future trends in secure software development. I came to know that computer systems are evolving in many aspects. There has been more focus on decentralization (e.g., blockchain, microservices), cloud computing, fog computing, IoT, and continuous integration and deployment. All those advancements also come with security challenges due to the heterogeneous and distributed nature of the communication. Also, we shouldn’t forget that no programming language is entirely secure yet!
My journey in this module was informative yet challenging and taught me essential computer science concepts. Time management was complex due to the nature of my job. However, I learned many concepts that I can directly relate to in my career, especially since I am involved in developing an electronic patient record system that needs information protection. Teamwork was a rewarding learning experience. Thanks to every member of the “Defense in Depth” team.
References
Brooks, C. (2022) Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know. Available from: https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=394fd8de7864 [Accessed 04 September 2022].
CWE (2017) CWE-1026: Weaknesses in OWASP Top Ten (2017) (4.0). Available from: cwe.mitre.org.
DiBona, C. & Ockman, S. (1999) Open Sources. Available from: https://www.oreilly.com/openbook/opensources/book/appa.html [Accessed 27 August 2022].
Larson, E. (2016) Generating Evil Test Strings for Regular Expressions. Seattle University.
Li, V. (2020) Regular Expressions: A Quick Intro for Security Professionals. DZone Security. Available from: https://dzone.com/articles/regular-expressions-a-quick-intro-for-security-pro [Accessed 19 August 2022].
Saltzer, J. H. & Schroeder, M. D. (n.d.) The Protection of Information in Computer Systems. Available from: http://web.mit.edu/Saltzer/www/publications/protection/ [Accessed 15 August 2022].
The Open Group (2011) TOGAF® and SABSA® Integration. Available from: https://publications.opengroup.org/w117 [Accessed 1 September 2022].