Information Security Implementation for Software Engineering

  • CERT Admin
  • Tue Sep 01 2020
  • Cyber Guardian Blog


Cyber-security was not part of the university study curriculum they adopted.IT experts with IT degrees from universities and colleges are developing the growing ICT infrastructure worldwide, but sadly many IT experts also have an inadequate understanding of security and skills. That is an intolerable condition.

For example, teaching construction, architects, and structural engineering without giving them the proper information about fire safety would be reckless and perhaps impossible because the houses we work in and live in will be full of fire traps. Likewise, it is unethical to sell IT programs in the field of information security at universities without compulsory courses. Unfortunately, many IT graduates are already leaving university Today and joining a business with little information technology competencies. Despite their excellent programming and IT design abilities, these IT graduates will inevitably create fragile IT applications without security expertise. Digitizing business processes and resources means tremendous savings and increased productivity. At the same time, this creation must introduce Significant security vulnerabilities to be sustainable, but sadly, it sometimes does. When business operations move entirely or partly to online networks, the exposed surface to hackers and other disruptive actors rises by many magnitude orders. This global exposure to security threats makes it appropriate to use cyber-security to secure properties (information, devices, and business processes) linked to the Internet directly or indirectly. For a global economy to sustain a balanced risk profile, comprehensive cyber protection at all levels is required.

Having a stable ICT infrastructure demands that it be planned, installed, and managed by individuals who understand the risks, know the protection criteria, and have the expertise to build and run reliable networks effectively. Security vulnerability flaws are usually triggered by programmers or teams with insufficient competencies in safe application production. Unfortunately, thousands of IT programmers and specialists across the globe neglect protection expertise, specifically since this paper explores ways to improve cyber-security, not by engaging in more advanced intrusion detection and malware filtering techniques, but by ensuring that the very core of the ICT system is planned and constructed for high protection and robustness.

This can only be accomplished by providing that safe device architecture becomes a common feature in all construction projects and by promoting, motivating, and even pressuring technical colleges and universities to incorporate obligatory security modules into their IT education curricula.

Why is software security important?

As we know that a small mistake can cause over a million of losses. Even large companies are not risks free. The most common malicious attacks like SQL injection, command injection, buffer overflow, will destroy any known companies’ reputation.

For instance, in 2011, Sony Pictures was hit by a minor SQL injection attack by LulzSec (the hacking group), which released about 1 million user accounts, including sensitive information like passwords, home addresses, email addresses, birthdays, etc., which violated the privacy policy of their service.

It is challenging to estimate exactly what causes damage to information systems in software development. IT specialists should be doubtful of any statistics about information security. The developers will not take it seriously until the data is hacked. Software applications that are developing may not add here to best practices such as authentication and confidentiality. Information security implementation is essential in today’s software development process, which means the developer needs to improve their cyber-security field skills.

Poor security policies, poor training, low-security awareness, inadequate management, improper usage of security technology and poor maintenance of operating system software and security software are fundamental issues that security professionals see in this field.

Many security professionals focus on the significant improvement of information security implementation through Basic protection mechanisms such as,

✻ Policy Management
✻ Encryption mechanism
✻ Authentication mechanism
✻ Audit trail
✻ Training and awareness etc.

Critical evaluation of the topic

Information Security for software engineering has always been handled by network protections such as firewalls, intrusion detection systems, anti-virus, mostly in the development stages. Security was then deemed as a non-functional requirement with time and the improvement of threats. With the emerging threats, the software must be security-conscious to defend itself from security attacks. This ensures protection should be incorporated inside the apps. This is done by the Security-aware Software Development Life Cycle (SaSDLC), part of Secure Software Engineering.

In the Security-aware Software Development Life Cycle model, the functional and non-functional requirements are gathered using eight steps.

✻ Functional Requirements
✻ Identification of Assets
✻ Security Requirements
✻ Threat & Attack Tree
✻ Rating the risks
✻ Decision
✻ Non-functional and Functional requirement
✻ Repeat

One of the most critical steps in secure software production is checking the applications and the hosting system for possible security vulnerabilities that hackers could exploit.

Conclusion and Recommendations

Computing and networking are becoming an integral aspect of life, and appropriate security steps must be taken to secure government, business, trade, and consumers' information systems. Several countries have data security legislation that includes compliance with established principles and best practices to ensure their information systems' transparency, fairness, and availability. Many organizations understand their ability to build a more stable, trustworthy atmosphere by introducing and executing an internal collection of best practices and compliance with the regulations.

But this can only be done if creators of applications are qualified in security issues. They need to understand that security features alone do not improve product efficiency and protection when they do need to be appropriately applied. This can only be accomplished if security needs are identified early on in the life cycle of growth, resulting in selecting applicable security facilities and introducing adequate security controls and mechanisms. Security criteria should be preferred to meet the safety targets set due to the preliminary risk evaluation. Then a complete mapping of security specifications can be made to address the various software security threats.

✻ Patch software applications and keep them up to date.
✻ Train and Educate end-users.
✻ Integrate security into the Software Development Life Cycle.
✻ Exploitable faults and other weaknesses should be eliminated from the end product.
✻ The software should be attack resistant and tolerant.
✻ Make use of Static Code Analysis to assure Security in Software Development.
✻ First focus on the Secure Software Requirements.



Kaviru Samarasekera

Kaviru is an undergraduate of Sri Lanka Institute of Information Technology, Faculty of Computing who is currently following Bachelor of Science Honors in Information Technology Specializing in Cyber Security, currently, he is working as an Intern - Information Security Engineer at Sri Lanka CERT|CC

Last updated: Tue Sep 01 2020