Researchers develop security flaw scanner for use during Development

By asekine at 4:27 pm on March 13, 2009

http://www.sciencedaily.com/releases/2009/02/090224133010.htm

Summary

Researchers have proposed and started testing a new system for identifying potential bugs and security flaws during the software development cycle. It helps the development team identify and prioritize potential targets and weaknesses, and encourages a wider breadth of understanding for each member of the team.

Assets / Security goals:

  • The goal of this method is to help developers explore the potential vulnerabilities in a proposed system/feature. This encourages keeping security a priority for the project from the beginning, during the design phase.
  • To ensure that all people working on the project understand the potential risks associated with the features they will be working on, and to ensure that the diversity of the team's knowledge is taken advantage of.

Potential adversaries / threats

  • Any adversary that wants to take advantage of this system would have an interest in observing or subverting this process while it is being carried out.
  • Unscrupulous employees could bias the results of this process by drawing attention away from real issues.

Potential weaknesses

  • This method relies on the knowledge of those involved in the design process. It's quite possible for these people to lack knowledge of attack methods that could be used against the product being designed, as it's unlikely for any single team to contain experts in every possible attack method.
  • This method only outlines the potential security threats posed by the features during the design phase. During actual development/implementation, the actual threats and vulnerabilities may change, and these aren't addressed using this method.

Potential Defenses

  • This procedure should be used in conjunction with other risk and security analysis tools to ensure the broadest range of coverage.
  • Evaluations such as this should be repeated at regular intervals with a changing group of participants. The variability would encourage new ideas and allow newly discovered vulnerabilities to be discussed at length.

Given the difficulty of quantifying the risks and potential security threats of any new product, this method is a good way to encourage the security mindset from the get-go. The effectiveness of this method is entirely dependent on those who participate, but it does encourage the kind of thought necessary to protect systems from attackers.

Filed under: Miscellaneous, Security Reviews