Tag Archives: secure by design

ITNow – Secure Software

The following introduction was originally published in the Information Security section of the BCS ITNow Magazine, December 2011 issue (Volume 53, Issue 6), which was on the topic of Secure Software:

Welcome to Information Security Now (ISNOW) in its new home in ITNOW. Since security and IT are often inseparable, neither should be ignored, says Gareth Niblett, chair of BCS ISSG.

Some consider secure software an oxymoron, and history has many incidents that seem to support this position, writes Gareth Niblett, Chair of the ISSG.

Most of us depend on software in our work and lives, although we sometimes may not realise it, and secure, dependable and resilient software is required for many of the things we take for granted.

All too frequently we hear of major IT project failures, online services being unavailable, systems being configured incorrectly, crashing and so on. Sometimes it is simply an inconvenience; sometimes there are serious consequences. Loss of Facebook is (or should be) less disastrous than an incorrect radiation dosage.

With hundreds of thousands of apps out in the mobile marketplace, along with all the software (and malware) that can be installed on personal computers, what assurances do end users, and the organisations they might work in, have that the software is secure, respects their privacy and is available when needed?

Tier 1 risk
In 2010, the UK National Security Strategy identified 15 priority risks, including a Tier 1 risk of hostile attacks upon UK cyber space, potential shortcomings in the UK’s cyber infrastructure and the actions of cyber terrorists and criminals: reduction of this risk is inherently linked to improving software security, dependability and resilience.

The Software Security, Dependability and Resilience Initiative (SSDRI – http://www.ssdri.org.uk/), which is a UK public-private platform for making software better, may be one initiative that can help in this area.

The SSDRI evolved from a Technology Strategy Board and Centre for the Protection of National Infrastructure-sponsored Secure Software Development Partnership.

Secure software is a BCS Security Community of Expertise (SCoE) hot topic.

A PDF version of the magazine is available online to BCS members at:


ISNow – Software Security

The following introduction was originally published in the BCS Information Security Now Magazine, Spring 2009 issue (Volume 3, Issue 3), which was on the topic of Software Security:

“Secure, stable and reliable software is a rare commodity, and one that most can’t actually buy. Although we may feel that those who profit from selling us software not up to the task should be held liable and sued, doing so could also expose open source developers to unacceptable risks when giving us their software.

Unreliable and insecure software is due to a variety of factors: from the lack of academic focus within software engineering and computer science courses, to the development approach that our IT professionals are expected to adopt when programming in-house systems or commercial applications.

Even the formal accreditation of systems, e.g. Common Criteria, may not detect or prevent software vulnerabilities from arising; it can even compound the issue by forcing a decision to be made between operating a vulnerable but accredited system and an upgraded but unaccredited system.

SANS and CWE have listed the Top 25 Most Dangerous Programming Errors (http://www.sans.org/top25errors/), which covers the actual programming errors made by developers that lead to the vulnerabilities that software may be susceptible to, and provides useful and authoritative information on mitigation.

Security software even provides ready examples of how not to do it, and the formal methods of safety-critical systems may be overkill for most commercial offerings. Something needs to be done to improve the security, stability and reliability of software where more features are delivered ever more rapidly.

We need a ‘secure by design’ approach, where we seek to minimise the existence and impact of vulnerabilities and other bugs. Secure applications can only come from a top-down design and development ethos, integrated with a robust software development life cycle (SDLC) that includes structured testing.”
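The introduction above points to the SANS/CWE Top 25 as a catalogue of concrete programming errors and their mitigations. As an added illustration (not part of the magazine text or of the SSDRI/BCS material), the following Python shows one of those error classes, SQL injection (CWE-89), as a vulnerable query built by string formatting next to its 'secure by design' counterpart using a parameterised query. The user table, names and the probe string are constructed for the example; it runs against an in-memory SQLite database so it needs nothing beyond the standard library.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
CONSTRUCTED_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """CWE-89 pattern: untrusted input is pasted straight into the SQL text.

    Any quote character in `name` changes the structure of the query, so the
    caller's intent (match one exact name) can no longer be enforced.
    """
    query = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Mitigation: a parameterised query keeps code and data separate.

    The driver binds `name` as a value; it can never alter the SQL structure,
    whatever characters it contains.
    """
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo():
    """Run both lookups with a normal name and with a crafted probe string.

    Returns the row counts so the difference can be checked programmatically:
    the vulnerable lookup returns every row for the probe, the safe one none.
    """
    conn = make_db()
    # Constructed probe: a closing quote followed by an always-true condition.
    probe = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_probe": len(lookup_vulnerable(conn, probe)),
        "safe_normal": len(lookup_safe(conn, "alice")),
        "safe_probe": len(lookup_safe(conn, probe)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

The point for a secure-by-design review is that the fix is structural rather than a filter on input: the parameterised form is correct for every possible value of `name`, so there is no list of bad characters to maintain and nothing for structured testing to catch later. A code review or static analysis rule that flags any SQL string assembled with `%`, `+` or f-strings is a cheap way to find the vulnerable pattern across a code base.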

A PDF version of the magazine is available online at: