- COMP.SEC.100
- 18. Secure Software Lifecycle
- 18.2 Adaptations of the secure software development model
Adaptations of the secure software development model
Mobile systems
Mobile systems differ from conventional computer systems in several security-relevant ways: local data storage, inter-application communication, the use of cryptographic APIs, and secure network connections.
OWASP provides dedicated guides for mobile systems, which can be applied in software development. Each of these takes the characteristics of mobile systems into account.
- OWASP Mobile Application Security Verification Standard (MASVS)
- Mobile Security Testing Guide (MSTG)
- Mobile App Security Checklist
- Mobile Threat Model
Cloud environments
SAFECode has created the guide ‘Practices for Secure Development of Cloud Applications’. The guide describes characteristics specific to cloud environments that must be taken into account in the software development process.
- Multitenancy. Several customers share the same underlying resources and are kept apart by isolation; that isolation requires particular care in implementation.
- Handling confidential information. Naturally, data encryption and compliance with legislation must be ensured. In practice, tokens are used to label data, enabling access rights and data classification to be managed. The amount of confidential information should be minimised to only what is genuinely required.
- Trusted computing resources. In this context, computing resources refer to the components that enable the cloud service to be provided. These may be logical or physical, but they must be trustworthy. It is therefore necessary to ensure that the required security mechanisms are in place and can be verified. There may also be legal requirements. For example, an organisation’s privacy notice may, under the GDPR, require that data not be transferred outside the EU. In such cases, it must be ensured that computing resources are physically located within the EU and that data is not subsequently disclosed further.
- Data encryption and key management.
- Authentication and identity management. When using PaaS solutions (Platform as a Service), software developers must take into account that the software itself and its users must be authenticated to the service. Developers should consider implementing single sign-on.
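The multitenancy and token points above can be made concrete. The following is an added example, not code from the course material or from SAFECode: an HMAC-signed token carries the tenant and role, every record is labelled with its tenant and classification, and the hardened read path scopes the query by the verified claims. The weaker `read_records_unscoped` variant, which trusts a caller-supplied tenant id, is shown for comparison. The signing key, role names, classification labels and records are all constructed for the example.

```python
"""Tenant-scoped data access driven by verified token claims.

Added example (not from the course material or from SAFECode). It assumes a
single shared HMAC key for token signing and an in-memory record store; both
are constructed here so the script runs offline.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed demo key: in a real deployment this comes from a key management
# service, never from source code (see "data encryption and key management").
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def issue_token(claims: dict) -> str:
    """Sign a claims object (tenant + role) with HMAC-SHA256."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the signature is valid, otherwise None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


@dataclass(frozen=True)
class Record:
    tenant: str
    classification: str  # "public", "internal" or "confidential"
    payload: str


# Constructed sample data: each record is labelled with its tenant and
# classification, so access rules can be evaluated per record.
RECORDS = [
    Record("acme", "public", "acme price list"),
    Record("acme", "confidential", "acme card tokens"),
    Record("globex", "internal", "globex roadmap"),
]

# Which classifications each (hypothetical) role may read.
CLEARANCE = {
    "viewer": {"public", "internal"},
    "admin": {"public", "internal", "confidential"},
}


def read_records(token: str) -> list:
    """Hardened: tenant and role come from the verified token, never from a
    client-supplied parameter, so one tenant cannot name another."""
    claims = verify_token(token)
    if claims is None:
        raise PermissionError("invalid or tampered token")
    allowed = CLEARANCE.get(claims.get("role"), set())
    return [r.payload for r in RECORDS
            if r.tenant == claims.get("tenant") and r.classification in allowed]


def read_records_unscoped(requested_tenant: str) -> list:
    """Weak variant for comparison: trusts a tenant id supplied by the caller,
    which is the isolation mistake the multitenancy point warns about."""
    return [r.payload for r in RECORDS if r.tenant == requested_tenant]


if __name__ == "__main__":
    print(read_records(issue_token({"tenant": "acme", "role": "viewer"})))
```

The design choice worth noting is that the tenant identifier never appears in the request itself; it is bound into the signed token at login time, so the data layer can filter on it without trusting the client.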
Internet of Things
The Internet of Things (IoT) has become a continuously growing part of daily life. It includes personal devices (e.g. televisions, lighting systems, household appliances, alarm and surveillance systems) and building technology (e.g. water meters, electricity meters, heating systems, and access control systems). An important area within the Internet of Things is industry, for which the term Industrial Internet of Things (IIoT) is used.
Traditionally, the security of IoT devices has been poor. Typical shortcomings have included:
- missing or inadequately implemented encryption;
- default passwords, or no passwords at all;
- device management over the insecure Telnet protocol, which makes device compromise relatively easy;
- no update mechanism, or one that is difficult to use;
- insecure default settings.
Fortunately, these shortcomings have improved over time, but when selecting IoT devices it is still necessary to examine these basic security weaknesses carefully.
In software development and when designing IoT systems, the following areas should be considered in particular:
- Can RFID tags be attached to IoT devices? They can be used to identify a device even if it has been compromised and its identifiers changed.
- The use of default passwords should not be allowed in IoT devices. Passwords should either be unique and randomly generated for each device, or the user should be forced to change them during installation.
- Network traffic from an IoT device should be restricted to what the application actually needs. If the device manufacturer publishes a Manufacturer Usage Description (MUD), the network can derive this restriction from it.
- Secure updating requires that the IoT device authenticates the update server. How long will updates remain available?
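Two of the checklist items above, per-device credentials with a forced first-login change and a MUD-style outbound allowlist, are illustrated in the following added example. It is not code from the course material or from any device vendor; the policy dictionary is a simplified stand-in constructed for the example, not the MUD file syntax itself, and the host names and the `Device` record layout are assumptions.

```python
"""Per-device random credentials and a MUD-style outbound allowlist.

Added example, not part of the course material. The policy format is a
simplified stand-in constructed here rather than the real MUD file syntax.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Optional, Tuple

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 200_000


def generate_device_password(length: int = 16) -> str:
    """Unique, randomly generated password for one device (no shared factory default)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the device never stores the plain password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Device:
    serial: str
    salt: bytes
    password_hash: bytes
    must_change_password: bool = True  # set at the factory, cleared on first change


def provision(serial: str) -> Tuple[Device, str]:
    """Factory step: create the device record and its one-time initial password."""
    initial = generate_device_password()
    salt, digest = hash_password(initial)
    return Device(serial, salt, digest), initial


def login(device: Device, password: str, new_password: Optional[str] = None) -> str:
    """Authenticate; on first use the installer must supply a different new password."""
    _, digest = hash_password(password, device.salt)
    if not hmac.compare_digest(digest, device.password_hash):
        return "denied"
    if device.must_change_password:
        if not new_password or new_password == password:
            return "change-required"
        device.salt, device.password_hash = hash_password(new_password)
        device.must_change_password = False
        return "password-changed"
    return "ok"


# Constructed, simplified stand-in for a manufacturer-supplied MUD policy:
# only the flows the device needs for its function are listed.
MUD_POLICY = {
    "from-device": [
        {"host": "updates.example-vendor.test", "port": 443, "proto": "tcp"},
        {"host": "ntp.example-vendor.test", "port": 123, "proto": "udp"},
    ]
}


def flow_allowed(policy: dict, host: str, port: int, proto: str) -> bool:
    """Default-deny: a flow is permitted only if the policy names it."""
    return any(rule["host"] == host and rule["port"] == port and rule["proto"] == proto
               for rule in policy["from-device"])


if __name__ == "__main__":
    device, initial = provision("SN-0001")
    print(login(device, initial))  # the installer is told to change the password first
    print(flow_allowed(MUD_POLICY, "updates.example-vendor.test", 443, "tcp"))
```

The allowlist evaluation is deliberately default-deny: anything the manufacturer did not declare, such as management on port 23, is refused, which is exactly the restriction the MUD point in the checklist asks for.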
Electronic commerce and payment cards
Payment cards are an attractive target for attackers because of the direct financial gain involved. In response, the payment card industry established the Payment Card Industry Security Standards Council, which in turn defined the PCI DSS standard (Payment Card Industry Data Security Standard). Compliance with PCI DSS is required for all organisations that process card payments. The standard contains the following 12 requirements:
- Install and maintain firewalls and firewall configurations to protect cardholder data.
- Do not use default passwords or other default settings.
- Protect stored cardholder data.
- Encrypt cardholder data transmitted over public networks.
- Use anti-virus software and keep it continuously updated.
- Develop and maintain secure systems and applications, including vulnerability identification and impact mitigation.
- Restrict access to cardholder data to those who have a business need to know.
- Assign a unique identifier to each user of the information system.
- Restrict physical access to cardholder data.
- Track and monitor all access to cardholder data.
- Regularly test security systems and processes.
- Maintain an information security policy.
Artificial intelligence and its impact on secure software development
Artificial intelligence can be used throughout the software development process, starting from requirements specification. Typically, AI-based software development relies on professional paid tools, AI agents, and MCP (Model Context Protocol). MCP connects AI to various tools and data sources. An example of a tool is Jira issue tracking, and an example of a data source is information on the latest vulnerabilities.
An AI agent is an autonomous software system that receives a goal, makes decisions, and performs complex tasks from start to finish without continuous human guidance. With the help of AI agents, software can be developed from start to finish. An AI agent can independently search for errors in code, correct them, and test the result.
Although AI accelerates production and professional tools aim to generate code that is as secure as possible, responsibility cannot be transferred to AI. For this reason, code reviews are still needed. Their importance is even greater because code is produced more rapidly than before. People are still needed who understand code and, in particular, the errors it may contain and how to fix them.
AI also makes it easier for attackers to find vulnerabilities and exploit them. Therefore, it is important to use tools similar to those available to attackers so that vulnerabilities can be fixed before they are exploited. The importance of AI-based penetration testing is increasing.
Conclusion
The University of Tampere offers a wide range of courses in software engineering. For example, course materials on software testing can provide an understanding of how many different factors can and should be taken into account. In practical software development, and especially in software business, there are still many practices that reduce the opportunities for achieving strong security. The “find and patch” cycle is one such practice. Attempts have also been made to find positive aspects in it by motivating people to discover and report vulnerabilities through rewards (so-called bug bounty programmes). The Secure Programming course has been one of the standard courses in Computing Sciences since 2008.