The development and evolution of secure open architecture systems has received insufficient consideration. Such systems are composed of both open source and closed software software components subject to different security requirements in an architecture in which evolution can occur by evolving existing components, replacing them, or refactoring their interfaces, interconnections and configurat...

Many security problems only become apparent after software is deployed, and in many cases a failure has occurred prior to the awareness of the problem. Although many would argue that the simpler solution to the problem would be to test the software before deploying it. Although we support this argument, we understand that it is not necessarily applicable in a modern development environment. Sof...

Software engineering concerns with wide use of engineering principles to achieve cost-effective software with potentiality to function on real machines. Requirement engineering in software development is more crucial. Everyone agrees that security is difficult. The requirements engineering principles are framed based on an idea that would engage the community overcoming complex problems. Securi...

Software vendors are increasingly concerned about mitigating the security risk of their software. Code quality improvement is a traditional approach to mitigate security risk; measuring and reducing the attack surface of software is a complementary approach. In this paper, we apply a method for measuring attack surfaces to enterprise software written in Java. We implement a tool as an Eclipse p...

Security plays a large role in software development; simply without its existence the software would be vulnerable to many different types of attacks. Software security prevents leaks of data, alternation of data, and unauthorized access to data. Building a secure software involves a number of different processes but security awareness and implementation are the most important ones among them. ...

In recent years, concentration on software design phase for evaluating security into the developing software increased where the cost of fixing errors in design level is several times less than the cost of fixing errors in the coding or implementation levels. One of the main challenges in facing current models that evaluate security into the software design phase refers to the need for existenc...

Retrofitting security implementations to a released software-intensive system or to a system under development may require significant architectural or coding changes. These late changes can be difficult and more costly than if performed early in the software process. We have created regular expression-based attack patterns that show the sequential events that occur during an attack. By perform...

Addressing security in the software development lifecycle is an ever-present concern for software engineers and organizations. From a management and monitoring perspective, it is difficult to measure 1) the amount of effort being focused on security concerns during active development and 2) the success of security related design and development efforts. Such data is simply not recorded. If reli...

Multiple software products often exist on the same server and therefore vulnerability in one product might compromise the entire system. It is imperative to perform a security risk assessment during the selection of the candidate software products that become part of a larger system. Having a quantitative security risk assessment model provides an objective criterion for such assessment and com...

We present the security requirements & design approach SecReq developed in joint work over the last few years. As a core feature, this approach supports reusing security engineering experience gained during the development of security-critical software and feeding it back into the development process through the HeRA Heuristic Requirements Assistant. Based on this information a modelbased secur...