Information security in software is important for all software applications, including those whose primary function is not security. For software developers challenged with coding and maintaining software, there is an overwhelming amount of security-related information, a variety of tools, and numerous identified and unidentified security risks, weaknesses and vulnerabilities that are frequently updated and whose status and level of risk are constantly changing. Software analysts, developers, and testers are often not trained to integrate security features into their code, and potential software breaches are too often brought to the attention of developers during emergency situations and/or during quality review and audit. With the ever-changing electronic security landscape, software requires constant updating with relevant security measures to reduce security risks and prevent breaches. Prevention of security breaches is often more economical than remediation; however, keeping abreast of requirements, fixes and breaches can be onerous during the software development and maintenance lifecycle. Software analysts, developers, and testers can therefore be overwhelmed by the amount of available information and the variety of tools they can employ, and may be required to consider long lists of security requirements, guidelines, and standards, and to provide tangible and auditable evidence that software products comply with security guidelines. Security guidance documents are also often static and not updated when new technologies and vulnerabilities come to light, becoming outdated within a short period of time.
The Software Development Life Cycle (SDLC) is a process of developing information systems through investigation, analysis, design, implementation and maintenance. Commonly reported attacks and known vulnerabilities are often public, though generally subject to a time delay, and accessible to practitioners through web-based portals such as the National Vulnerability Database (NVD), Common Weakness Enumeration (CWE), and Open Web Application Security Project (OWASP). However, despite known software vulnerabilities being public knowledge to both developers and hackers, software developers often lack relevant, timely, and context-specific tools and guidance to help them build and maintain secure software. Many security tools focus only on detecting particular vulnerabilities in the source code of a piece of software and are designed to analyze source code and/or compiled versions of code to help find security flaws. However, fixing a vulnerability after coding is costly and often difficult. Furthermore, requirements analysts are often not security experts, and therefore often miss opportunities to build security into the earliest part of the software development lifecycle. In addition, large repositories of security and regulatory information can be difficult to navigate, are not tailored to a specific application environment, and are often not subject to commercial-grade quality controls. Further, having multiple large and evolving repositories of requirements requires developers not only to select any and all requirements pertaining to a particular application, but also to keep up to date with new information and requirements.
Some efforts have attempted to provide general accountability of security activities or have provided a knowledge base of security advice. U.S. Pat. No. 8,091,065 to Mir et al. teaches systems and methods for generating a threat analysis and modeling tool by performing risk management using a threat analysis model based on elements comprising components, roles, external dependencies, and data. An application task list is generated from a common task list for the application and from countermeasures for known attacks on the software application in the application task list. A threat modeler is used to perform a threat analysis of external challenges to the software, and modeling involves identifying one or more threats.
Other tools have attempted to solve software security problems by providing detective tools such as software static analysis and run-time testing applications. United States patent application 2012/0254829 to Bhalla et al. describes a method of providing security guidance in writing software applications, including activating a guidance application linked to a computer and a database of security features, the guidance application being operable to present a user with suggested security content while writing software applications.
There remains a need for a system and method to build security into the requirements, design, development, testing, deployment and maintenance of a software lifecycle by providing more comprehensive security risk identification in a secure software lifecycle.
This background information is provided for the purpose of making known information believed by the applicant to be of possible relevance to the present invention. No admission is necessarily intended, nor should be construed, that any of the preceding information constitutes prior art against the present invention.