What procedures or audits should be used to assess the security of a software system?

Question

Are there any standardised security procedures or auditing techniques that can be used to assess the security of a piece of software? I'm specifically interested in auditing software written in Java, but other tips for other languages as well as general practices would be useful to know about as. A list of frequent identified security vulnerabilities would be helpful, as well.

I'm looking for things that are specific to software engineering practices, rather than, for example system administrators.

Answer 1

If you are looking for general software security information, I would recommend looking at the US Department of Homeland Security National Cyber Security Division's Build Security In website. Among other things, they provide a number of articles broken down by various best practices for different phases or activities, knowledge areas, and tools. They also provide a number of links to external resources that are relevant.

The MITRE Corporation provides the Common Weakness Enumeration. This is a tool to identify and discuss potential vunerabilities and tools to identify and correct these problems in your software. Coming out of this is a list of the Top 25 Most Dangerous Software Errors. Not all of these apply to every piece of software, but it can be used to analyze your software systems and determine the most riskiest for you.

CERT at the Software Engineering Institute at Carnegie-Mellon University provides resources for secure coding in Java, C, and C++. You can purchase books, or you can view some information online (Java, C, C++). CERT also enumerates 10, fairly straightforward, secure coding standards.

I would also recommend reading the work of Gary McGraw. He was (is?) the editor of a series of articles in IEEE Security & Privacy, which are provided through the Build Security In site. McGraw also wrote or co-wrote three books that are highly relevant - Building Secure Software: How to Avoid Security Problems the Right Way (the White Hat Book), Exploiting Software: How to Break Code (the Black Hat Book), and Software Security: Building Security In (the Ying-Yang Book).

As far as things that you can do now, realize that security is something that needs to be considered throughout the SDLC, from requirements through maintenance tasks. Keeping security in mind throughout the entire process is necessary. Although some of the resources I've linked to discuss general security concerns, it's important to identify the most likely and highest impact security issues for a project and focus on those. Once identified, the use of checklists during reviews, an emphasis on these characteristics during development, and the use of tools that integrate well into your process are essential. There's no one-size-fits-all technique - you need to balance time, cost, and effort to reduce risks.