Guidelines for secure software development
Source: ACM International Conference Proceeding Series; Vol. 338
Proceedings of the 2008 annual research conference of the South African Institute of Computer Scientists and Information Technologists on IT research in developing countries: riding the wave of technology
Wilderness, South Africa
Pages 56-65  
Year of Publication: 2008
ISBN: 978-1-60558-286-3
Authors
Lynn Futcher  Nelson Mandela Metropolitan University, Port Elizabeth, South Africa
Rossouw von Solms  Nelson Mandela Metropolitan University, Port Elizabeth, South Africa
Sponsor
Microsoft
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 82,   Downloads (12 Months): 553,   Citation Count: 0
DOI: http://doi.acm.org/10.1145/1456659.1456667

ABSTRACT

It is within highly integrated technology environments that information security is becoming a focal point for designing, developing and deploying software applications. Ensuring a high level of trust in the security and quality of these applications is crucial to their ultimate success. Information security has therefore become a core requirement for software applications, driven by the need to protect critical assets and the need to build and preserve widespread trust in computing. The aim of this paper is to provide guidance to software designers and developers by defining a set of guidelines for secure software development. The guidelines established are based on various internationally recognised standards and best practices and some of the processes developed by many key role players.

