Chapter 1. Defining a Discipline | Software Security: Building Security In

The most important thing is to find out what is the most important thing.

Shunryu Suzuki

Software securitythe idea of engineering software so that it continues to function correctly under malicious attackis not really new, but it has received renewed interest over the last several years as reactive network-based security approaches such as firewalls have proven to be ineffective. Unfortunately, today's software is riddled with both design flaws and implementation bugs, resulting in unacceptable security risk. As Cheswick and Bellovin put it, "any program, no matter how innocuous it seems, can harbor security holes" [Cheswick and Bellovin 1994]. The notion of software security risk has become common knowledge, yet developers, architects, and computer scientists have only recently begun to systematically study how to build secure software.

The network security market weighs in at around $45 billion.^[1] However, the 532% increase in CERT incidents reported (20002003)^[2] and the fact that 43% of 500 companies responding to a popular e-crime survey reported an increase in cybercrime^[3] show that whatever we're doing is clearly not working. Basically, the dollars spent on network security and other perimeter solutions are not solving the security problem. We must build better software.

^[1] Network security total market value as reported by the analyst firm IDC in February 2003, Worldwide Security Market <http://www.idc.com/getdoc.jsp?containerId=32391>.

^[2] According to data from Carnegie Mellon University's (CMU) Software Engineering Institute's (SEI) CERT Coordination Center (shown in Figure 1-1) <http://www.cert.org>.

^[3] E-Crime Watch Survey, 2004. Sponsored by CSO Magazine, United States Secret Service, and CMU SEI CERT Coordination Center <http://www.csoonline.com/releases/ecrimewatch04.pdf>.

A body of software security literature has begun to emerge in the research community, but in practical terms the practice of software security remains in its infancy.^[4] The first books on software security and security engineering, for example, were published as recently as 2001 [Anderson 2001; Viega and McGraw 2001; Howard and LeBlanc 2002]. Today, a number of references do a good job of providing a philosophical underpinning for software security and discussion of particular technical issues, but much remains to be done to put software security into practice. This book is designed to help.

^[4] See Chapter 13 for annotated pointers into the software security literature.