Secure Software Development by Example
An Article By: AXELLE APVRILLE, MAKAN POURZANDI
Nabin R. Shakya
Building secure software is always a complex task for developers. A methodical approach helps developers tackle security issues and split the complexity into smaller, easier-to-handle concerns. To illustrate the methodology, a practical case is followed: the development of PICO (presence and instant communication).
Secure software development life cycle
An iterative process of analysis, design, implementation, testing and maintenance. Security concerns are inserted into each step of the life cycle.
Security Analysis
It consists of several steps:
Define the project's environment and objectives: the context in which the software is expected to evolve.
Threat model: the list of possible threats that can occur in the given security environment.
Security policy: prioritize the security requirements according to the sensitivity of the information.
Risk evaluation: the results of the security policy can be used for the evaluation.
Security environment and objectives in PICO
Client-server based message exchange over the internet; information about messages and users is exposed to malicious modification. The security objectives are integrity of the exchanged messages and client authentication.
Threat Model for PICO
Designing Security
Security is designed on the basis of the security requirements and the threat model. The security design needs to express security concerns such as critical data, communication security, etc.
The PICO application consists of three different services: one to handle the initial registration of users, one to keep the list of online users, and one to forward users' instant messages.
Among the many security threats not handled in PICO: an attacker can kick another user off by impersonating log-off messages; an attacker can read all messages between users; an attacker can prevent a user from logging in by stealing the login challenge.
Implementing security
Programming language: serious research has highlighted that all languages aren't equivalent in terms of bug rate, and hence security.
Implementing cryptography: even applications that use proven cryptographic algorithms may introduce major security holes; coding errors and misunderstanding or misuse of the algorithms are the usual reasons. PICO uses HMAC-SHA1 and relies on the well-known SSH, but that is no guarantee that it is totally secure.
Buffer overflows: PICO handles them by making all input go through a chokepoint function that ensures no more than a fixed number of characters are read and that the resulting string includes a trailing '\0'. The application has no call to the str* functions or to gets().
Format strings: explicitly specify the format strings for outputs, and limit the use of format functions to output only.
Testing Security
This is a difficult task, as there are no standard rules that apply in general. Attackers always focus on the weakest part of the system.
Testing steps
Peer review is a heavy burden, but it usually gives excellent results: an initial bug rate of 1 per 55 lines falls to 1 per 2,000 lines after a skilled peer review.
Unit testing: some security tests can be added to the unit tests. Tools like JUnit help to test without changing the source code.
System testing should focus not only on expected but also on unwanted system features.
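The two implementation rules from the "Implementing security" slide (a single chokepoint for all input, and user text never used as a format string) and the "unit testing" point from the testing slide come together in the following added example. It is not PICO's code and not from the article; the function names (read_line_bounded, log_user_text and the test helpers), the 16-byte buffer and the sample input lines are all constructed here for illustration. The helpers return plain values so the two security properties can be asserted in a unit test rather than only observed in a debugger.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not PICO's own code: the single "chokepoint" input
 * routine and the format-string discipline the text describes. Every
 * byte entering the program passes through read_line_bounded(), so the
 * length bound and the trailing '\0' are enforced in one place. */

/* Reads one line from 'in' into buf[bufsize]. Stores at most bufsize-1
 * characters, always NUL-terminates, and discards the rest of an
 * over-long line so the next call starts on a fresh line.
 * Returns the number of stored characters, or -1 on EOF with no data. */
long read_line_bounded(char *buf, size_t bufsize, FILE *in)
{
    size_t n = 0;
    int c = EOF;

    if (buf == NULL || bufsize == 0 || in == NULL)
        return -1;

    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n < bufsize - 1)
            buf[n++] = (char)c;
        /* else: drop the excess rather than write past the buffer */
    }
    buf[n] = '\0';                     /* trailing '\0' is guaranteed */
    return (c == EOF && n == 0) ? -1 : (long)n;
}

/* User-controlled text is only ever an argument to an explicit "%s"
 * conversion; it is never passed as the format string itself. */
int log_user_text(char *out, size_t outsize, const char *user_text)
{
    return snprintf(out, outsize, "user said: %s", user_text);
}

/* --- helpers that make the two properties checkable in a unit test --- */

/* Turns a constructed byte string into a readable stream (tmpfile() is
 * standard C, so this needs no platform-specific API). */
FILE *stream_from(const char *input)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(input, f);
    rewind(f);
    return f;
}

/* Feeds 'input' through the chokepoint 'nth' times with a buffer of
 * 'bufsize' bytes (nth = 2 reads the second line). Returns the last
 * stored length, or -2 if the buffer lost its terminator or its
 * strlen() disagrees with the reported length. */
long nth_line_length(const char *input, size_t bufsize, int nth)
{
    FILE *in = stream_from(input);
    char *buf = malloc(bufsize);
    long n = -1;

    if (in == NULL || buf == NULL) {
        if (in) fclose(in);
        free(buf);
        return -1;
    }
    for (int i = 0; i < nth; i++)
        n = read_line_bounded(buf, bufsize, in);
    if (n >= 0 && (memchr(buf, '\0', bufsize) == NULL || strlen(buf) != (size_t)n))
        n = -2;
    fclose(in);
    free(buf);
    return n;
}

/* Returns 1 when user_text comes out of the logger byte-for-byte,
 * i.e. its '%' characters were treated as data, not as conversions. */
int format_is_literal(const char *user_text)
{
    char line[128];
    const char *prefix = "user said: ";
    size_t plen = strlen(prefix);

    log_user_text(line, sizeof line, user_text);
    return strncmp(line, prefix, plen) == 0
        && strcmp(line + plen, user_text) == 0;
}

int main(void)
{
    /* Constructed input: a 30-character line followed by a short one. */
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nhello\n";
    printf("first line stored: %ld of 30 chars (buffer of 16)\n",
           nth_line_length(input, 16, 1));
    printf("second line stored: %ld chars\n", nth_line_length(input, 16, 2));
    printf("'%%x %%x %%x' logged literally: %s\n",
           format_is_literal("%x %x %x") ? "yes" : "no");
    return 0;
}
```

The over-long first line is truncated to 15 characters plus the terminator, and because the excess is consumed rather than left in the stream, the second read still returns the intact "hello" line; a chokepoint that stops reading at the bound but leaves the remainder behind would hand the tail of one message to the parser of the next. The format check passes a string full of '%' conversions through the logger and confirms it survives unchanged, which is the property the "explicit format strings" rule buys.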
