Investigate how developers and managers view security design in software
- URL: http://arxiv.org/abs/2310.14433v1
- Date: Sun, 22 Oct 2023 22:44:02 GMT
- Title: Investigate how developers and managers view security design in software
- Authors: Asif Imran
- Abstract summary: We interviewed a team of 7 developers and 2 managers, who worked in two teams to build a real-life software product that was recently compromised by a cyber-attack.
We obtained their views on the reasons for the successful attack by the malware and took their recommendations on the important aspects to consider regarding security.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Software security requirements have been traditionally considered as a
non-functional attribute of the software. However, as more software started to
provide services online, existing mechanisms of using firewalls and other
hardware to secure software have lost their applicability. At the same time,
under the current world circumstances, the increase of cyber-attacks on
software is ever increasing. As a result, it is important to consider the
security requirements of software during its design. To design security in the
software, it is important to obtain the views of the developers and managers of
the software. Also, it is important to evaluate if their viewpoints match or
differ regarding the security. Conducting this communication through a specific
model will enable the developers and managers to eliminate any doubts on
security design and adopt an effective strategy to build security into the
software. In this paper, we analyzed the viewpoints of developers and managers
regarding their views on security design. We interviewed a team of 7 developers
and 2 managers, who worked in two teams to build a real-life software product
that was recently compromised by a cyber-attack. We obtained their views on the
reasons for the successful attack by the malware and took their recommendations
on the important aspects to consider regarding security. Based on their
feedback, we coded their open-ended responses into 4 codes, which we
recommended using for other real-life software as well.
Related papers
- Defining and Evaluating Physical Safety for Large Language Models [62.4971588282174]
Large Language Models (LLMs) are increasingly used to control robotic systems such as drones.
Their risks of causing physical threats and harm in real-world applications remain unexplored.
We classify the physical safety risks of drones into four categories: (1) human-targeted threats, (2) object-targeted threats, (3) infrastructure attacks, and (4) regulatory violations.
arXiv Detail & Related papers (2024-11-04T17:41:25Z) - Countering Autonomous Cyber Threats [40.00865970939829]
Foundation Models present dual-use concerns broadly and within the cyber domain specifically.
Recent research has shown the potential for these advanced models to inform or independently execute offensive cyberspace operations.
This work evaluates several state-of-the-art FMs on their ability to compromise machines in an isolated network and investigates defensive mechanisms to defeat such AI-powered attacks.
arXiv Detail & Related papers (2024-10-23T22:46:44Z) - An Industry Interview Study of Software Signing for Supply Chain Security [5.433194344896805]
Many cybersecurity frameworks, standards, and regulations recommend the use of software signing.
Recent surveys have found that the adoption rate and quality of software signatures are low.
We interviewed 18 high-ranking industry practitioners across 13 organizations.
arXiv Detail & Related papers (2024-06-12T13:30:53Z) - SoK: A Defense-Oriented Evaluation of Software Supply Chain Security [3.165193382160046]
We argue that the next stage of software supply chain security research and development will benefit greatly from a defense-oriented approach.
This paper introduces the AStRA model, a framework for representing fundamental software supply chain elements and their causal relationships.
arXiv Detail & Related papers (2024-05-23T18:53:48Z) - Purple Llama CyberSecEval: A Secure Coding Benchmark for Language Models [41.068780235482514]
This paper presents CyberSecEval, a comprehensive benchmark developed to help bolster the cybersecurity of Large Language Models (LLMs) employed as coding assistants.
CyberSecEval provides a thorough evaluation of LLMs in two crucial security domains: their propensity to generate insecure code and their level of compliance when asked to assist in cyberattacks.
arXiv Detail & Related papers (2023-12-07T22:07:54Z) - Software Repositories and Machine Learning Research in Cyber Security [0.0]
The integration of robust cyber security defenses has become essential across all phases of software development.
Attempts have been made to leverage topic modeling and machine learning for the detection of these early-stage vulnerabilities in the software requirements process.
arXiv Detail & Related papers (2023-11-01T17:46:07Z) - Embedded Software Development with Digital Twins: Specific Requirements
for Small and Medium-Sized Enterprises [55.57032418885258]
Digital twins have the potential for cost-effective software development and maintenance strategies.
We interviewed SMEs about their current development processes.
First results show that real-time requirements prevent, to date, a Software-in-the-Loop development approach.
arXiv Detail & Related papers (2023-09-17T08:56:36Z) - A Novel Approach to Identify Security Controls in Source Code [4.598579706242066]
This paper enumerates a comprehensive list of commonly used security controls and creates a dataset for each one of them.
It uses the state-of-the-art NLP technique Bidirectional Representations from Transformers (BERT) and the Tactic Detector from our prior work to show that security controls could be identified with high confidence.
arXiv Detail & Related papers (2023-07-10T21:14:39Z) - Security for Machine Learning-based Software Systems: a survey of
threats, practices and challenges [0.76146285961466]
How to securely develop the machine learning-based modern software systems (MLBSS) remains a big challenge.
latent vulnerabilities and privacy issues exposed to external users and attackers will be largely neglected and hard to be identified.
We consider that security for machine learning-based software systems may arise from inherent system defects or external adversarial attacks.
arXiv Detail & Related papers (2022-01-12T23:20:25Z) - Empowered and Embedded: Ethics and Agile Processes [60.63670249088117]
We argue that ethical considerations need to be embedded into the (agile) software development process.
We put emphasis on the possibility to implement ethical deliberations in already existing and well established agile software development processes.
arXiv Detail & Related papers (2021-07-15T11:14:03Z) - Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.