
Data Science roadmap: An insight to achieve secure software engineering

Krishnamurthy, Rohan and Haupt, Carina and Meinel, Michael (2018) Data Science roadmap: An insight to achieve secure software engineering. ESSoS 2018: International Symposium on Engineering Secure Software and Systems, 26-27 June 2018, Paris, France.


Abstract

Research in software engineering towards security is receiving a lot of attention. New security breaches are reported by the media on an almost daily basis. According to a research survey tailored by SEI, more than 9 out of 10 security vulnerabilities result from exploiting known software defects. The analysis of 45 e-business applications showed that 7 out of 10 security defects were caused by poor software design. We, at the German Aerospace Center (DLR), are involved in various research activities across space, aeronautics, transportation, and energy that involve software development by domain scientists. Lacking any security training and having little knowledge of software engineering, these scientists introduce defects unknowingly. As a result, scientific software provides attack vectors that can be exploited by internal and external penetrators. We believe that a lot of security issues could be avoided by following a security-centered development process. With our newly formed Secure Software Engineering group, we want to tackle this problem by supporting the scientists during development. Therefore, we want to capture software engineering processes, evaluate the security of software produced by those processes, and finally provide input on how to improve software engineering practices with respect to security. We want to follow a data-driven approach that combines various current techniques covering different aspects of IT security and software engineering. The development process as well as the quality of the resulting software is captured by combining different state-of-the-art approaches. For evaluating software quality with respect to security, several static and dynamic analysis tools are available. On the dynamic side, our approach focuses on fuzzing and the application of exploitation frameworks like Metasploit. For static analysis, we use rule-based syntax tree matching and intermediate language evaluation. This should be combined with manual audits and evaluated in a common, comparable scoring system. To capture characteristics of the software engineering process, we aim at recording full artifact provenance using specialized IDE extensions. To get started, we are also mining our repositories for historic information about processes and gathering information from developers using surveys.

elib URL of this entry: https://elib.dlr.de/123335/
Document type: Conference contribution (Poster)
Title: Data Science roadmap: An insight to achieve secure software engineering
Authors (author; institution or e-mail address; author's ORCID iD; ORCID Put Code):
Krishnamurthy, Rohan; rohan.krishnamurthy (at) dlr.de; https://orcid.org/0000-0002-5436-1536; not specified
Haupt, Carina; Carina.Haupt (at) dlr.de; https://orcid.org/0000-0001-6447-1379; not specified
Meinel, Michael; michael.meinel (at) dlr.de; https://orcid.org/0000-0001-6372-3853; not specified
Date: June 2018
Refereed publication: No
Open Access: Yes
Gold Open Access: No
In SCOPUS: No
In ISI Web of Science: No
Status: published
Keywords: Software Engineering, Security, Provenance, Data Science, Static and Dynamic analysis, Intermediate Language
Event title: ESSoS 2018: International Symposium on Engineering Secure Software and Systems
Event location: Paris, France
Event type: Workshop
Event date: 26-27 June 2018
HGF - Research field: Aeronautics, Space and Transport
HGF - Program: Space
HGF - Program topic: Space System Technology
DLR - Research focus: Space
DLR - Research area: R SY - Space System Technology
DLR - Sub-area (project): R - SISTEC project (old)
Location: Berlin-Adlershof, Jena
Institutes and institutions: Institut für Simulations- und Softwaretechnik
Institut für Simulations- und Softwaretechnik > Verteilte Systeme und Komponentensoftware
Institut für Datenwissenschaften
Institut für Datenwissenschaften > IT-Sicherheit
Institut für Datenwissenschaften > Sichere Digitale Systeme
Deposited by: Haupt, Carina
Deposited on: 10 Dec 2018 08:17
Last modified: 02 Jul 2020 14:53
