Deriving Software Security Measures from Information Security Standards of Practice

JULIA ALLEN, CHRISTOPHER ALBERTS, ROBERT STODDARD | April 26, 2016

article image
This white paper describes an approach for deriving measures of software security from well established and commonly used standard practices for information security. This work was performed as part of the Software Engineering Institute’s Software Security Measurement and Analysis (SSMA) project. It is an initial demonstration of how SSMA-defined software security drivers (refer to Risk-Based Measurement and Analysis: Application to Software Security) can be used in concert with practices and standards to derive meaningful measures of software security [Alberts 2012]. Drivers are critical factors that have a strong influence on the outcome or the result, in this case, the security of software. Measures that have been derived based on software security drivers can then be used within the Integrated Measurement and Analysis Framework (IMAF) for Software Security to determine the extent to which specific practices contribute to the development and acquisition of more secure software.

Spotlight

Daisy Group

"Daisy Group Ltd. is the largest independent provider of end-to-end technology and communications solutions and services to the UK business community. Established in 2001, Daisy has grown its capabilities in line with the converging business communications and IT services markets. Our comprehensive product and service portfolio includes lines and calls, data connectivity, security, mobile, LAN and WiFi, hybrid cloud, IT managed services and business continuity. Daisy serves small, mid-market and enterprise businesses both directly and indirectly and it does this through its specialist business units – Daisy Retail, Daisy Wholesale, Daisy Distribution, Daisy Corporate Services and Daisy Partner Services."

OTHER ARTICLES

Coronavirus malware roundup: watch out for these scams

Article | March 18, 2020

With so many of us hunting out the latest Covid-19 info, it hasn’t taken long for hackers to take advantage. So first off, a basic hygiene reminder: Don’t download anything or click on any links from unfamiliar sources. This includes coronavirus-related maps, guides and apps. Here’s a closer look at some of the specific threats that have emerged over the last week or so. The DomainTools security research team has uncovered at least one example of a coronavirus-related fake app .The Android app in question was discovered on a newly created domain, (coronavirusapp[.]site). The site prompts users to download an Android App to get access to a coronavirus app tracker, statistical information and heatmap visuals. The app actually contains a previously unseen ransomware application, dubbed CovidLock. On download, the device screen is locked, and the user is hit with a demand for $100 in bitcoin to avoid content erasure.

Read More

Malicious coronavirus map hides AZORult info-stealing malware

Article | March 11, 2020

Cyberattackers continue to seize on the dire need for information surrounding the novel coronavirus. In one of the latest examples, adversaries have created a weaponized coronavirus map app that infects victims with a variant of the information-stealing AZORult malware. The malicious online map, found at www.Corona-Virus-Map[.]com, appears very polished and convincing, showing an image of the world that depicts viral outbreaks with red dots of various sizes, depending on the number of infections. The map appears to offer a tally of confirmed cases, total deaths and total recoveries, by country, and cites Johns Hopkins University’s Center for Systems Science and Engineering as its supposed data source. Malwarebytes issued a warning about the map last week, and Reason Cybersecurity this week has followed up with its own blog post, reporting additional details on the scam, gathered by Reason Labs researcher Shai Alfasi.

Read More

Cybersecurity Must Be Embedded in Every Aspect of Government Technology

Article | March 17, 2020

Cybersecurity has never been more important for every level of our government. The hacking attempts at major federal agencies have raised the profile of nefarious actors who use their highly advanced cyber skills to exploit both security and the vulnerabilities created by human error. Just last month, the Department of Defense confirmed that computer systems controlled by the Defense Information Systems Agency had been hacked, exposing the personal data of about 200,000 people. Additionally, the Department of Justice recently charged four members of the Chinese military for their roles in the 2017 Equifax breach that exposed the information of 145 million Americans. The hackers were accused of exploiting software vulnerability to gain access to Equifax’s computers. They are charged with obtaining log-in credentials that they used to navigate databases and review records.

Read More

Best Cybersecurity Tips for Remote Workers

Article | June 21, 2021

Remote working and cybersecurity risks, unfortunately, go hand in hand. As the COVID-19 pandemic appears to be far from over, cyber threats to individuals and businesses continue to loom large. The only solution at the moment is to invest in robust technology solutions that protect your network and to train employees in cybersecurity so that they develop healthy remote working practices. If you allow a bulk of your employees to work remotely, it is important to adopt a few basic habits to protect your devices and your business network from cyber criminals. Here’s a quick look at a few basic tips for remote workers that can go a long way in enhancing the overall security posture of your organisation. Passwords provide the first line of defense against unauthorized access to your devices and personal information. By creating a strong, unique password, you increase protection levels tremendously. You make it more challenging for cybercriminals to gain access and disrupt your systems networks. Rule number two is never to ignore those little pop-up windows that tell you that software updates are available for your device. Once you get such a notification, be sure to install the latest software as soon as possible. Timely software updates (including antivirus updates) help patch security flaws and safeguard the computer system. Are you busy with your work and don’t like to be distracted by such notifications? We highly suggest you encourage your employees to select auto-update for software on both mobile devices and computers. It will help you and your staff to prevent problems caused by delayed system updates.

Read More

Spotlight

Daisy Group

"Daisy Group Ltd. is the largest independent provider of end-to-end technology and communications solutions and services to the UK business community. Established in 2001, Daisy has grown its capabilities in line with the converging business communications and IT services markets. Our comprehensive product and service portfolio includes lines and calls, data connectivity, security, mobile, LAN and WiFi, hybrid cloud, IT managed services and business continuity. Daisy serves small, mid-market and enterprise businesses both directly and indirectly and it does this through its specialist business units – Daisy Retail, Daisy Wholesale, Daisy Distribution, Daisy Corporate Services and Daisy Partner Services."

Events