(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 10, No. 7, July 2012
An Approach be Operational Security in 3 and 4 Phases of Developing Software Systems

Saman Aleshi, Department of Electrical and Computer, Islamic Azad University, Zanjan Branch, Zanjan, Iran, SamanAleshi@gmail.com
Nasser Modiri, Department of Electrical and Computer, Islamic Azad University, Zanjan Branch, Zanjan, Iran, NasserModiri@Yahoo.com
Hossein Fruzi, Department of Electrical and Computer, Islamic Azad University, Zanjan Branch, Zanjan, Iran, hforouzi@gmail.com

Abstract - Security in today's software applications because raw data acquisition system at the lowest level, the position is very important however, part of the development application under consideration is the security and therefore also delirium costs have to using and user. Security is essential in software development because resources are protected so that the integrity, availability and privacy of data are guaranteed. There are different models and standards for information security. PSSS is one of those models, specialized for providing security. Tasks in PSSS, as an efficient software security model, are mapped, along with other security models and standards, onto phases 3 and 4 of software development, ensuring safety of task performance in the phases.

Keywords - IT (Information Technology), IT security, Security Models and Standards and their limitations.

I. INTRODUCTION

Information, which can be in various forms, is the great asset an organization or business owns and is of vital importance, like other assets. Because it is shared among the parts of an organization or business, it causes great concern. Therefore, it needs ways for protection. In particular, in environments where business interactions are growing and data are shared, it assumes great importance. Thus, the increased information dissemination subjects the information to a variety of threats and damages [20].

Progress in the field of IT and communications and the innovations resulting from it have increased productivity and led to the emergence of new types of services. With the improved ever increasing power, capacity and price of micro electronic equipment which have led to the about 30 percent make it possible for all people to take advantage of this technology. Today we live in a communication costs are falling.

And, the world people increasingly exchanging and information and communication systems, attacks and threats against such systems have increased as well. Security is considered one of the key issues raised while developing the systems [2]. The number of these attacks is so high that, over the past years, more than 3500 annual damages have been reported to the Computer Emergency Readiness Team/Coordination Center (CERT/CC); also, around 140000 security events were presented to the center. The events that happened were so great that CERT stopped publishing the statistics in 2004.

The U.S. Department of Defense announced that the number of computers with security gaps is 88%, and 96% of these computers, however, are not aware of this defect [18]. Consequently, IT will play a major role in human life if its security is provided. Failures in IT security result not only in destroying its enormous benefits but also in changing it into a life-threatening factor [10].

IT is made up of various sectors such as human resources, hardware, software, data, equipment and communication protocols, electronic and electric devices and so on. Dealing with all of the sectors is beyond the scope of this paper. We will focus on application software.

Security, like reliability or efficiency, is one of the non-functional properties of the system. It defines one of the attributes of the system which reflects its capability to protect itself against intentional or unintentional external attacks, hide the nature of information or resources, prevent unauthorized access that discloses private information, and ensure data and resource reliability [7].

Security is defined as the situation in which a person is protected from risks, threats and damages coming from social life. Security is a fundamental, relative and stable need which, according to different views, can be to different extent and degree. In principle it is hard to identify, evaluate and implement security in a system [20]. According to Devanbu, security, like beauty, is in the eye of the beholder [11].

Information security is the protection of information against a wide range of threats in order to ensure continuity of business, minimize business risks and investment opportunities. Information security is achieved by implementing a set of effective controls including policies, processes, procedures, organizational structures and software and hardware functions [1].

Security has access to data at the lowest level and shares them among users in various sectors. Sharing information, however, causes excessive concern in organizations because security and protection are the key elements of sharing data. Applications can have a lot of gaps in different sectors [13]. Less experienced programmers, software at the risk of abuse, and unskilled individuals lacking the necessary skills or resources for testing software are some of the reasons that have increased the number of gaps [12]. That's why security, especially for
large organizations and corporations with data of critical importance, has caused concern. On the other hand, software users and developers are mostly businessmen, not professionals. Therefore information security is not of concern to them and they overlook it [3].

Secure software is software that cannot be forced to perform unwanted tasks. Security of software can be considered from two perspectives. The first perspective relates to development of the software and creation of a safe environment to keep it. The second perspective is about the development of the software itself in a safe manner. Therefore, security is considered at different phases of software development [17].

Software development is composed of the following phases [22]:

Initial Phase: during this phase, all the necessary requirements for design or purchase of the system are determined and fully understood.

Development/Acquisition Phase: in this phase, functional and technical needs are mapped into information system programs.

Implementation/Assessment Phase: in this stage, all tasks performed in the analysis and design phases are mapped into computer-readable code by developers and programmers.

Operation/Maintenance Phase: this stage involves all activities required to keep the system functions in good condition; these activities include upkeeping the hardware and reducing application faults.

Disposal Phase: in this stage, the system is replaced by another one or its feature is not needed any more.

There are several models used to create information or software security. In this paper we aim to map one of these models, specialized in creating security for software and giving better results in comparison with other models and standards, into software development phases; accordingly the software safety would be acceptable after it is created.

The activities that will be done in this paper are as follows: section II deals with measures taken in the field of software and information security and the limitations of those measures. In section III, considering the current models and standards, the reason for which the issue of security is reconsidered is presented. The proposed framework is presented in section IV. The tasks that need to be performed in the third and fourth phases of software development are given in sections V and VI. Results and conclusion of the study will be given in section VII and the references in the last section.

II. COMPLETED TASKS

Tasks performed to create security for software and information will be summarized below.

Security System Engineering Capability Maturity Model (SSE-CMM): a reference model is a process of providing a comprehensive framework for evaluating security engineering activities to concentrate requirement for implementing of IT security. Different models and standards such as GMITS, NIST HANDBOOK, and BS7799 are derived from this model [14].

ISO/IEC 27002: this standard provides guidelines and general principles for starting, running, maintaining and improving information security management in an organization. Control objectives and controls are considered in this standard to meet the needs identified in risk, to develop organizational security standards and effective security management practices, in order to make inter-organizational activities reliable [1].

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Model: this model focuses on the risk analysis of information technology assets and practical solutions for reducing risk factors through overcoming discovered security flaws. OCTAVE is designed for organizations that want to identify what their information needs to be secure [19].

ISO/IEC 15408: having considered the results of security assessment, this standard permits comparison. To do so it prepares a set of requirements for the security functions of IT products and systems, and the standard ensures their use according to security assessment [16].

Team Software Process-Security (TSP-Security) Model: this is one of the specialized models focusing on software security. Software Engineering Institute (SEI) and Team Software Process (TSP) are a set of operational processes for use by software development teams. TSP is a set of processes to help develop software. It also shows how to do things step by step and how to assess the completed task. To create security while developing software, SEI has added issues related to the security of the software development cycle to TSP [9].

Process to Support Software Security (PSSS) Model: Process to Support Software Security (PSSS), as a perspective on security engineering, is associated with software development. This relation aims to improve the efficiency of security projects by means of a set of activities in the aforementioned models and standards; accordingly, developing and organizing behaviors at the time of software development, it deals with common problems and limitations of information security models [21].

PSSS has two important parts: Security Engineering and Security Auditing. Based on the goals followed by software development, security engineering is to establish contact with business plans and strategies and to monitor the project in order to achieve security goals. Security audit is responsible for ensuring whether software development is in compliance with PSSS or not.

These individuals verify the impact of PSSS programs. For example, they state the results of activities and achievements in certain circumstances. A series of activities that should be done in PSSS are as follows:

Planning security
Assessing Security Vulnerability
Security risk model
The impact of risk assessment
Identifying security risks
Specifying security needs
Providing security information
Verifying and validating security
Managing security
Monitoring security behavior
Ensuring security

Other standards can be added to these models and standards in the field of information security. In addition to models and standards used in the field of information security, there are other pieces of software such as firewalls, Intrusion Detection Systems (IDS) or other applications like them that protect software data after it is created. Simply put, they enhance software security [15].

But it still isn't easy to use these models and standards, for the following reasons [21]:

The limitation of SSE-CMM: it is a complicated model because it does not perform all tasks the system needs. Furthermore, it does not explain how to perform the processes in the areas mentioned. Thus, it is hard to apply and implement this model.

The limitation of ISO/IEC 27002: it includes a large number of security controls executed in different processes of various organizations. Also, it does not demonstrate how to execute security control in the best way, not specifying a standard.

The limitation of OCTAVE: it takes a self-directed approach. Simply put, an individual from the organization assumes responsibility for setting up, implementing and controlling security.

The limitation of ISO/IEC 15408: due to its complex relationship which entails specialized knowledge, it is costly and time consuming. Moreover, it focuses only on certain software products and overlooks the interrelationship between other software products.

The limitation of TSP-Security: first of all, its use requires investment in training, and software developers should have the necessary training for using this model. Accordingly, TSP use demands senior and project managers' support. Besides, for most organizations, effective TSP use requires that the management and technical culture and character be able to perform technical tasks carefully and consistently, the leadership be sustained, and be a driving force behind making the TSP team self-directed.

The limitation of PSSS: identification and understanding of software properties, lack of specialized knowledge for functionality in all activities associated with the threat model, and need for more resources necessary for effective PSSS function.

III. CRUCIAL IMPORTANCE OF SECURITY

In addition to the limitations and problems that were described above for the models and standards, here we will discuss the problems demanding that security be considered all the time, though there are models and standards for this purpose.

A. Software Security needs a serious consideration

The losses suffered by countries, companies and organizations from software intrusion and damage are too costly. For one thing, the additional costs for U.S. government potential attacks on critical infrastructure remain a serious concern. New automatic attacks require no human action to deliver destructive payloads, causing major concerns. In 2004 over 140000 attacks were reported to CERT, which is due to holes in software and networks from 1999 to 2003 (see Figure 1).

Figure 1: Holes reported by CERT CC (chart; vertical axis 0 to 6000, horizontal axis 1999 to 2003)

Security holes, if any, can have adverse effects on software, e.g., a negative effect on the reliability.

B. To develop security software is complex

Computer science is very extensive. For instance, when you combine two or more parts of a software, each of which has certain security characteristics, the combined result should not demonstrate security characteristics. To do so you need careful analyses.

When developing software with high quality, you need educated and experienced personnel.

C. It's hard to define secure software in general

The first necessity for software to be safe is defining the necessary specifications and properties. For security, it is necessary to implement the specifications accurately.

What kind of security and privacy are required, and what are its costs and risks? These questions are hard to answer; technical judgment does not help, because it requires you to view it from a management and marketing perspective. In particular, when customers don't have great interest in it or they have to pay for it, such a view can be helpful.

Finally, developing software with the qualities of privacy, integration and appropriate accessibility, which entails the above-mentioned problems, has made defining secure software challenging.

D. Why are not the existing approaches in wide use?

Cost and needs are among the greatest hurdles in the way of an organization which cause concerns when creating secure software, though there exist other reasons such as users' comfort, quick supply, more functionality and so on.
After the customers' and users' awareness increased, security was in great demand. But it's not paying the costs of security.

According to Microsoft reports, 20% of the security faults are due to its design. To avoid such issues, specialized skill and knowledge for security and design are required.

IV. PROPOSED FRAMEWORK

In comparison with the methods and standards for software product security, as PSSS focuses on security in a specialized manner, it has particular importance. And because it has produced satisfactory results in the parts put into use, PSSS has attracted importance. Other methods have a rudimentary conceptual foundation and don't put much emphasis on the designing and analyzing phases, not producing the same results as PSSS. However, PSSS has its own disadvantages that were mentioned above [5].

The software development cycle has phases in which the input of each phase is the output of the previous phase. So, if we can deal with security issues in each phase besides software development, it is possible to produce secure software. In each phase, there are criteria and parameters associated with security which should be met; otherwise transition to the next phase will be impossible. Accordingly, after the software development phases have been completed, the product will be secure software.

In this paper, security tasks mentioned in [21], along with other security issues associated with security models and standards, are divided into groups. Phases of software development are shown in [22]. Tasks are grouped so that the tasks of each group are consistent with one of the phases of software development. In fact, each group contains a set of security tasks that should be done in a phase of software development. Each of these, along with a set of tasks necessary for software development, is described and continued. Finally, after the end of each phase, the product is compared against security standards. If security is acceptable, we will enter the next phase. This procedure is followed in the other phases. On the other hand, if the product isn't, security measures will be tightened.

Besides the things described to establish security in software, the output that each security task must have, the work done independently in parallel to the security task, and the work related to security tasks that must be done to increase security are also shown in this article. Figure 2 is a schematic of the tasks to be done, as shown in this paper.

Figure 2. The Proposal Framework (flowchart: first of phases; activities for software development, with topics related to software development and topics related to security tasks; completion of software development; a yes/no decision; end of phase and go to next phase)

This paper describes activities to tighten software security; besides, the output of these activities and the activities dependent on and independent from these security activities are also included in the paper.

The initial phase: at this stage in the project, how to initiate the activities is demonstrated.

Software development activities: activities and tasks performed to develop software.

Description: activities and tasks to tighten security are identified and described.

Output: the results of the activities done are demonstrated, which creates a situation to elicit proposals and comments on the past and future activities.

Synchronization: activities that should be performed at the same time as those to tighten security are necessary.

Interdependence: key interdependence besides other necessary tasks is identified to make sure that coordinating security activities has no negative effect on other processes of IT.

In phase safe?: the situation is reviewed to see whether the software has lived up to the expectations or not.
End of the phase and going into next phase: at this stage, the software is developed safely and it can enter into the next phase.

In the next section, we present the tasks that should be performed in the first, second, third, fourth and fifth phases according to the framework offered in the present section. Accordingly, when we complete a phase, it can enter into the next phase safely.

V. THIRD PHASE OF SOFTWARE DEVELOPMENT, IMPLEMENTATION/ASSESSMENT PHASE

Necessary tasks of the phase are as follows:

A. Creating a detailed plan for C&A

a. Description
AO is responsible for risks to the system. There is a relation between risks and the final operation of the system. If there are undetected risks to the system, they can cost an arm and a leg to the system later. Therefore, AO is required until the risks are fully identified. Combining changes needed during the planning stage as required, risk identification makes it easy and simple to select resources.
AO and the development team should cooperate in: solving problems relating to test results and data in the system; how the changes should be made; how these changes should be reflected in the environment; and how a secure working group (which can include people such as users, managers, plan support, administration including A&C, and system analyzers) can be formed.

b. Output
Initial work plan: planned documents identify key roles, project limitations, main parts, scope of the test, and a degree of accuracy.

c. Synchronization
Informing the AO about the things, the ISSO and system owners complete and present the documents required for C&A initiation and conduct.

d. Interdependence
Planning for assessment of security controls extracts necessary information from documents or scheduled meetings.

B. Integration of security into the system or established environment

a. Description
Operation integration takes place at the operational site when information systems are expanded for an operation. After information systems are delivered and installed, integration and acceptance testing occur. When security controls are included in the developer's instructions, guidelines will be available for implementing security, offering documented security specifications.

b. Output
Verification of a list of operations of security controls.
Completion of system documents.

c. Synchronization
Issues arising during the installation should be evaluated for inclusion into contingency plans based on the potential for reoccurrence.
During the system installation the ISSO should make sure that controls are located in place and configured properly, and deliver the verified list to the system owner and AO.

d. Interdependence
Changes to the core security documents should be updated.

C. Assessment of system security

a. Description
System development or changes in hardware, software, or how they interact must be validated before evaluation. The purpose of security assessment processes is to validate that the system is consistent with functional and security requirements and that it has an acceptable level of security risk. Security controls should be done. Before the initial operation, security endorsement should be issued to the extent that controls are implemented and there is confidence in operations. Finally, the desired results are achieved and evaluated. Also, periodic testing and assessment of security controls in information ensure efficiency of security controls. Security validation may discover and describe gaps in the information system. With the efficiency of security controls and information system gaps made clear, we have essential information for authorities to issue the permits necessary to fill the gaps.

b. Output
Security assessment packs include reports for security assessment, POA&M and updating system security plans.

c. Synchronization
Results of validation packs are issued in written form for owners of the system, the ISSO and system administrators, and assessment results are shared among them.

d. Interdependence
All previous steps are followed.

D. Authorizing information systems

a. Description
To process, save and transfer information, security authorization of security systems is required; these permissions, issued by security authorities, state that security controls are checked. The decision on security certificates is risky and is heavily dependent on the testing results and security assessment produced during the processes of security control verification. Licenses are as follows:
To complete system security plans
The results of testing and security assessment
POA&M

b. Output
Authorized security decisions will be documented and transferred from authorizing officials to the system owner and ISSO.
Final security authorization package

c. Synchronization
Statistics for inventory and reports of the system should be updated to reflect a valid condition.
If the system is valid, CPIC activities will be reflected.

d. Interdependence
Security documentation and budget are updated according to the results.
The structure of information systems is validated.

VI. FOURTH PHASE OF SOFTWARE DEVELOPMENT, OPERATION/MAINTENANCE PHASE

Tasks necessary for tightening security in this phase will be presented below:

A. Review of operational readiness

a. Description
In many cases when systems are transferred to the production environment, unplanned changes are drastic and security controls are modified or integrated. Although these steps may not always be required, they can reduce risks, if any.

b. Output
If there are changes in the system, the implications for security are examined.

c. Synchronization
The system administrator, the ISSO and the owner of the system confirm that system operations are consistent with security needs. Changes observed at the last moment are dangerous for the system and should be verified by the system owner.

d. Interdependence
Review of operational readiness, which is a complement to C&A processes, ensures that the changes already made will eliminate potential risks.
Any changes in security controls should be reflected in security documentation.

B. Control and management of the configuration performed

a. Description
Efficiency of management control of the organization's configuration and reflected methods are necessary in order to take security impact into due consideration with regard to changes in information systems or their surrounding environment. Management and configuration control methods provide an initial baseline for hardware, software or programs which are always in the memory. This baseline is essential to information systems. Subsequent changes in the system will be controlled and maintained.
Documentation of changes in information systems and assessment will have a major effect on maintenance of the validation. When important and essential inputs are combined with be followed effectively. Accordingly, the ability of an organization to identify considerable changes facilitates the control of system security and the impact of security. This helps to make sure of assessment and testing.

b. Output
Decisions of Change Control Board (CCB)
Updated security documentation (System security plan and POA&M)
Security assessment of documentation changed in the system.

c. Synchronization
Security documentation should be updated at least once a year because of the marked changes.
CM documentation should provide a continuous monitoring plan for the system.

d. Interdependence
Security architecture should provide key details of security services to components, which is used as a criterion for effective evaluation of planned changes.

C. Monitoring the results continuously

a. Description
The ultimate goal is continuous monitoring. It guarantees effective monitoring when there are inevitable cases needing security control. Good management and design of continuous monitoring processes can lead to reduction of risks effectively by meeting all of the requirements. Monitoring the efficiency of security controls continuously can be done using various methods such as security check, self-assessment, configuration management and security assessment and testing.

b. Output
Results of documented continuous monitoring
Review of POA&M
Security review, metrics, assessments, security analysis trend.
Updating security documentation and decision on validation.

c. Synchronization
Continuous monitoring should be regulated so that the risk level may become lower significantly. Therefore, security controls are changed, increased or discontinued.

d. Interdependence
Continuous monitoring enables system owners to update reports of security assessment; they use a right tool for monitoring the products continuously which is based on the security plans of information systems.

VII. RESULT AND CONCLUSION

Activities stated in this paper were done to design, implement and execute software for management of a three-star hotel. Results achieved for implementing the software and using the tasks suggested in the paper are summarized below:

Raising awareness of the importance of security in software development, using a self-oriented process, based on well-known security methods.

It has been defined as a factor of the assessment and evaluation of vulnerability, threat, impact and security risk in each phase of software development based on security measures.

Showing the importance and necessity of the assessment necessary to security, based on vulnerability, threat, the impact on and security risk to information.

Emphasis on the importance of security tests, as a criterion for assessment and approval of security, is a permanent and continuous activity which depends on verification of security requirements.

It states a need for formal definition of processes to ensure that the established security is acceptable.

In the end, we want to review what has been done in this paper. In the first section, the reasons for the interest in security were offered. What has been done in this regard and the limitations were stated in the second section. In the third section, we stated that, considering available models and standards, security should be given more attention. In the fourth section, we suggested a framework with which we want to map PSSS into the phases of software development. PSSS is specialized in developing secure software. Sections V and VI presented the tasks that should be performed within the proposed framework for 5-phase software development. The results of action within this framework to produce the software for the management of a 3-star hotel are presented in section 10.

REFERENCE

[1] Iranian national institute for industrial research, 2007, IT-security techniques - Information security management Function, Tehran, Iran, 1st volume.
[2] Hamidreza Baghi, Puya Jaferian, Gholnaz Sadeghian, Extension of RUP for development of secure system, computer engineering and IT school, Amir Kabir technical university, annual conference of Iranian computer society, 2004.
[3] Security measures for non-agent defence in IT environment, MA thesis, higher Education school, Tehran Jonob Azad university, 2009.
[4] Esmat Ali Mohammad, A framework assessment of detect and gaps in software application, MA thesis, higher Education school, Tehran Shomal Azad university, 2009.
[5] Nasser Modiri, Security software architecture engineering, Mehreghan-e-Ghalam publication, Tehran, Iran, 1st volume.
[6] Noopur Davis, Michael Howard, Watts Humphrey, 2004, "Processes to Produce Secure Software", National Cyber Security, Volume 1.
[7] Al Azzazi Ahmad, El Sheikh Asim, "Security Software Engineering: Do it the right way", Conf. on Software Engineering, Parallel and Distributed Systems, 2007, 6th, 5.
[8] Joint endeavor by Information Assurance Technology Analysis Center (IATAC) with Data and Analysis Center for Software (DACS), 2007, Software Security Assurance State-of-the-Art Report (SOAR), Woodland Park Road, First Publication.
[9] Watts S. Humphrey, November 2000, The Team Software Process (TSP), Carnegie Mellon University, USA, 1.
[10] A. Kumar, K. Negrat, A. M. Negrat, and A. Almarimi, "A Robust Watermarking using Blind Source Separation", Proceedings of world academy of science, engineering and technology, vol. 28, April 2008.
[11] Barnum, S.; McGraw, G., "Knowledge for software security", Security & Privacy IEEE, March-April 2005, Volume: 3, Issue: 2.
[12] Gilliam, D.P., "Security Risks: Management and Mitigation in the Software life cycle", IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE'04), 2005, 13th, 6.
[13] Yasar, A.-U.-H.; Preuveneers, D.; Berbers, Y.; Bhatti, G.; "Reported flaws in Common Vulnerabilities and Exposures Database", Multitopic Conference, 2008. INMIC 2008. IEEE International, Dec 2008, 11.
[14] Hopkinson John P., "The Relationship between the SSE-CMM and IT Security Guidance Documentation", Principal Engineer, Security Architect EWA, 1999, 18.
[15] David Gilliam, John Powell, Eric Haugh, Matt Bishop, "Addressing Software Security and Mitigation in the Life Cycle", Software Engineering Workshop, 2003. Proceedings. 28th Annual NASA, 8494821, pages 201-206.
[16] Zeinab Moghbel, Nasser Modiri, "A Framework for Identifying Software Vulnerabilities within SDLC Phases", (IJCSIS) International Journal of Computer Science and Information Security, 2010, vol 9.
[17] James E. Purcell, "Defining and Understanding Security in the Software Development Life Cycle", 2007.
[18] www.sse-cmm.org/ last visit: September 2011.
[19] www.cert.org/octave/ last visit: September 2011.
[20] Gilbert, Chris, 2003 11, Guidelines for an Information Sharing Policy, SANS Institute - USA, version 1.
[21] Francisco José Barreto Nunes, Arnaldo Dias Belchior, "PSSS - Process to Support Software Security", XXII Simpósio Brasileiro de Engenharia de Software, Oct 2008, 4th.
http://sites.google.com/site/ijcsis/
ISSN 1947-5500