Security for the software engineering, like safety for the civil engineer, is the most important part of the job. Although the software team and hardware team are the implementers of secure projects, the software engineer with their overall vision has to be the driver for insuring that the discipline of security is observed.
To get up to speed with security, these webcasts are excellent resources, they were selected for general information about system level considerations down to software security issues such as the buffer overflow:
- Security360 with Mike Nash: Managing Privacy in Your Organization[i]
- Tips and Tricks for More Secure Communication with Outlook 2003[ii]
- Defending the Database: Making the Right Design Choices[iii]
- Using Secure Coding Best Practices[iv]
- Security Best Practices: Finding and Fixing Buffer Overflows[v]
To do this software engineers need to have some hands on training in security, there are many books and websites that describe how to do security, but getting experience can be difficult. These virtual hands on labs are great ways to better understand the process of securing software:
- Writing Secure Native Code with Visual C++ and Visual Studio Team System Virtual Lab[vi]
- Writing Secure Managed Code with Visual Studio Team System Virtual Lab[vii]
- Web Services Enhancements (WSE) 2.0 - Security and Policy in C# Virtual Lab[viii]
- Web Services Enhancements (WSE) 2.0 - Security and Policy in VB Virtual Lab[ix]
Securing software and hardware projects is difficult. This section is short on word, in hopes that you will use the webcasts, which are about one hour in length, and work through the hands-on-labs which take about 90 minutes each. Once you have a general idea of what security is, mainly by viewing the webcasts and virtual hands-on-labs, you will need to create a security plan.
The Security Plan describes how the solution will be brought to acceptable security levels in order to operate successfully. This plan describes what security threats will exist and how implementing security standards will mitigate those.
The Security Plan will identify development, test, and deployment activities that will design, build, and implement a secure solution. Those activities will be incorporated into the teams’ plans and increase customer confidence that the solution will meet with security expectations. The process of developing the Security Plan produces a series of security standards intended to reduce the security risks to an acceptable level. Before these security standards can be implemented, the customer should decide whether the implementation costs of the measures aligns with risk reduction, and whether the risks are reduced to an acceptable level.
[x] Security Plan.doc; MSF Process Template for CMMI Process Improvement - v4.1; http://www.microsoft.com/downloads/details.aspx?FamilyId=12A8D806-BB98-4EB4-BF6B-FB5B266171EB&displaylang=en; 8/2007