Education Level: Intermediate
ST04 - Measuring the Cybersecurity of Software
Monday, September 25
2:45 PM - 3:15 PM
Recent security breaches such as the ones at SWIFT, Target, and Anthem are entering the realm of nine-digit defects, where damages can exceed $100 million. Today, the security of business applications is a top boardroom issue. Advances in software analysis technology enable IT to detect weaknesses in the source code that can be exploited to gain unauthorized entry. Both the Software Engineering Institute and CAST have recently found that weaknesses causing reliability problems can in many cases be exploited for unauthorized entry, indicating that poor quality code is also insecure code.
The Consortium for IT Software Quality (CISQ) is chartered by its industry sponsors to create automatable measures of software size and quality. CISQ measures include standards recently approved by the Object Management Group for Automated Function Points, Reliability, Security, Performance Efficiency, and Maintainability. The four quality measures are based on definitions of these attributes in ISO 25010 and provide source code level measures that supplement the largely behavioral measures in ISO 25023. In particular, the Security measure is based on measuring 22 of the top Common Weakness Enumerations (i.e., CWE/SANS Institute Top 25 most dangerous software errors, OWASP Top 10) that can be detected through static analysis. These weaknesses include well-known culprits such as SQL injection, buffer overflows, and cross-site scripting. This measure provides an accurate estimate of the likelihood that an attacker can find an exploitable weakness in an application.
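To make the measurement idea concrete, here is an added illustration (not code from the talk, CISQ, or any vendor's analyser): a minimal line-level scanner for two of the weakness families named above, reporting each hit by CWE id and a density per 1000 lines. The per-KLOC normalisation and the regex rules are assumptions for illustration, and the sample source is constructed, with each weak form followed by its remediated form.

```python
import re
from dataclasses import dataclass

# Heuristic rules for two weakness families named in the abstract. Real static
# analysers trace data flow from input to sink; these regexes only look at one line.
RULES = [
    # CWE-89: SQL built from string concatenation, %-formatting, .format or f-strings
    ("CWE-89", re.compile(r'\.(execute|query)\(\s*(f"|"[^"]*"\s*(\+|%|\.format\())')),
    # CWE-120: unbounded copy into a fixed-size buffer
    ("CWE-120", re.compile(r'\b(strcpy|strcat|gets|sprintf)\s*\(')),
]

@dataclass(frozen=True)
class Finding:
    cwe: str
    line_no: int
    text: str

def scan(source: str) -> list[Finding]:
    """Return one Finding per (rule, line) that matches."""
    found = []
    for n, line in enumerate(source.splitlines(), start=1):
        for cwe, pattern in RULES:
            if pattern.search(line):
                found.append(Finding(cwe, n, line.strip()))
    return found

def weakness_density(source: str) -> float:
    """Findings per 1000 non-blank lines. KLOC is an assumed normalisation
    for illustration; CISQ sizes code in Automated Function Points."""
    loc = sum(1 for line in source.splitlines() if line.strip())
    return round(len(scan(source)) * 1000 / loc, 1) if loc else 0.0

# Constructed sample: each weak form is followed by its remediated form.
SAMPLE = '''\
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
def find_user_fixed(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
void copy_name(char *dst, const char *src) { strcpy(dst, src); }
void copy_name_fixed(char *dst, size_t n, const char *src) {
    snprintf(dst, n, "%s", src);
}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.cwe} line {f.line_no}: {f.text}")
    print("weaknesses per KLOC:", weakness_density(SAMPLE))
```

On the sample this reports the concatenated query and the strcpy call and leaves the parameterized query and snprintf alone; a production measure would add the remaining CWE rules and proper data-flow analysis.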
The continuing flow of breaches exploiting SQL injection, a weakness known since the late 1990s, suggests that IT needs a major undertaking similar to the Y2K endeavor to rid source code of the most easily exploited weaknesses. Executives both in and outside IT need to assess the cybersecurity risk of their systems using measures such as the CISQ standards and enforce remedial actions based on them.
Learning Objectives:
- What are the latest software security standards developed by the software assurance community
- How architecture should be used to help protect sensitive data from external and internal threats
- How standard metrics can be used to certify and scorecard the state of software security health in the enterprise