Introduction to software security

Security is a non-functional requirement of software engineering. Creating inherently secure applications is a fundamental, yet often unknown, skill for a good developer or software engineer.

A vulnerability in software is an unmet security specification. Bug-free software does not exist, and not all bugs lead to vulnerabilities.

Even if a vulnerability exists, there may not be an exploit for it.

The key issues in secure designs are:

    Reduce privileged parts to a minimum
    Keep it simple
    Discard privileges definitively as soon as possible
    Open design: do not rely on obscurity
    Take care of concurrency and race conditions
    Fail-safe and default deny
    Filter the input and the output
    Use trusted libraries
    Use trusted entropy sources such as /dev/urandom