A short guide on security techniques used in software engineering

Choosing a software security technique is crucial, and deciding which training option to pick to upskill your team on security hardening for software engineering can be a headache. The important thing is that avoiding security bugs in software is feasible.

To help you make a better decision, we have written a short guide to the best-known software security practices and their advantages and disadvantages. Finally, we cover a design technique based on mathematical models and formal methods that allows your team to reinforce software security powerfully in a few simple steps.

Before starting, we will explain the background of the most common current software security strategies and the biases associated with them.




Software security background

Security bugs are one of the most worrying matters in current software engineering. Misleading information has led some developers to believe, erroneously, that it is not possible to develop completely secure software. However, it is. Limited access to scientific knowledge, the fear of making mistakes and the absence of adequate training have produced anchoring and bandwagon biases: too many software developers are convinced that they cannot avoid 100% of the security risks, so software security is delegated to third parties: frameworks, libraries, and even cloud services and servers.

Of course, there are many managed servers and VPS offerings with highly competent security. However, it does not matter how hardened the server is when the software itself is not invulnerable. So a software development team cannot delegate security and should face the problem responsibly. That is the main reason to think seriously about security.




Known security techniques for software development and their disadvantages

  • Penetration testing: penetration testing is a practical approach with no scientific basis. It aims to find well-known vulnerabilities once the software has already been developed. Penetration testing is a quick way to find a particular vulnerability when reverse engineering the source code is not feasible. However, penetration tests are not capable of identifying design errors or not-yet-discovered vulnerabilities, nor of helping your team design better software that is secure by design.
  • Unit testing: unit tests are one of the best practices your team can adopt in the development phase. They help avoid most bugs and ensure the software does what it must do, even when the obtained results are not as expected. This programming technique is not a problem in itself. Still, it can be a bit misleading if it is not used with a mathematical model as its basis. If the unit tests are not properly designed, it is possible to obtain false results. For that reason, learning to design optimal tests is essential.
  • Code-injection prevention techniques: most of these techniques are good ones. However, they are not necessary in most cases, and they usually obfuscate the source code. If you assume that every non-alphanumeric character could be harmful, a mathematical model will be sufficient to avoid injection. Since the mathematical models are based on hypothetical syllogisms, only two rules need to apply to prevent vulnerabilities.
  • Using frameworks and trusting them with software security: there is no scientific evidence that using frameworks or software libraries produces more secure software. Testing software that uses a framework and comparing it with software that does not may yield false results, because it is not possible to demonstrate causation beyond a casual correlation. A better approach to building secure software is to design it secure by default using methods produced with scientific knowledge. Learning to develop software using logical algorithms focused on security and software quality is a better option, and one that is sustainable over time.




Mathematical models based on hypothetical syllogisms: software security by design in a few simple steps

Security by design (sometimes referred to as a model or technique) is the name given by the software industry to bearing security questions in mind at design time. Security by design is not a design model or technique in itself but a concept. It is more of a “think of security when designing the software” strategy. Similarly, we find the notion of “security by default”, which means “deliver the software with the best security configuration possible”. Both can be described as “strategies”.

The software industry has tried to do this as well as possible. However, no standard model has been proposed. Beyond that, it is possible to find research papers that suggest different architectural structures to achieve software security by design. It may be a good exercise to look for them on the internet.

Nevertheless, many years ago, science gave us a method that can be applied to all scientific disciplines. This method is called the hypothetico-deductive method and is based on hypothetical and categorical syllogisms, among other logical and scientific concepts.

When a software development team is presented for the first time with the idea of using logic and formal methods to secure software and information, first impressions can be negative and even a bit chaotic. That is because of the negative connotations of logic and mathematics in the modern era of software development. However, this method is accessible even to a junior software developer.

Based on hypotheses (suppositions with consequences), a formal model (or mathematical model) consists of two steps. For each software component:

  1. Define a component
  2. Write a function to validate such a component

The function uses an “if not” statement to return false when a variable does not match the component definition. It is a basic function that any software developer could write. The complexity lies in the component definition.
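The two steps above, and the allow-list idea from the code-injection item earlier (define what a valid value is, rather than enumerating dangerous characters), as an added example in Python. It is not code from the article or from BAHIT & BAHIT LTD; the components (`username`, `port`, `created`), the predicates and the function names are constructed for illustration.

```python
import re
from datetime import datetime
from typing import Any, Callable, Mapping

# Step 1: define each component as an explicit predicate. The hypothesis
# "v is a valid <name>" holds exactly when the predicate returns True.
# Each definition states what a value IS, never what it must not contain,
# so an injection payload fails simply because it is not a username.

USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")  # constructed rule: 3-32 chars, letter first


def is_username(v: Any) -> bool:
    # fullmatch is deliberate: re.match with a trailing '$' would accept
    # "alice\n", because '$' also matches just before a final newline.
    return isinstance(v, str) and USERNAME_RE.fullmatch(v) is not None


def is_tcp_port(v: Any) -> bool:
    # bool is a subclass of int in Python, so True would pass an int check.
    return isinstance(v, int) and not isinstance(v, bool) and 1 <= v <= 65535


def is_iso_date(v: Any) -> bool:
    # Exactly ten characters YYYY-MM-DD naming a real calendar date; the
    # round trip rejects non-canonical spellings strptime would tolerate.
    if not isinstance(v, str) or len(v) != 10:
        return False
    try:
        parsed = datetime.strptime(v, "%Y-%m-%d")
    except ValueError:
        return False
    return parsed.strftime("%Y-%m-%d") == v


COMPONENTS: Mapping[str, Callable[[Any], bool]] = {
    "username": is_username,
    "port": is_tcp_port,
    "created": is_iso_date,
}


# Step 2: the validation function. It returns False as soon as a value does
# not coincide with its component definition; only a full match returns True.
def validate_component(name: str, value: Any) -> bool:
    definition = COMPONENTS.get(name)
    if definition is None:
        return False  # no definition exists, so nothing can satisfy it
    if not definition(value):
        return False
    return True


def validate_record(record: Mapping[str, Any]) -> bool:
    """A record is valid only if it has exactly the defined fields and each is valid."""
    if set(record) != set(COMPONENTS):
        return False  # missing or unexpected fields do not match the definition
    for name, value in record.items():
        if not validate_component(name, value):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    good = {"username": "alice_01", "port": 8443, "created": "2024-02-29"}
    rejected = [
        {"username": "alice' OR 1=1--", "port": 8443, "created": "2024-02-29"},  # not a username
        {"username": "alice\n", "port": 8443, "created": "2024-02-29"},          # trailing newline
        {"username": "alice_01", "port": True, "created": "2024-02-29"},         # bool is not a port
        {"username": "alice_01", "port": 8443, "created": "2023-02-29"},         # not a real date
        {"username": "alice_01", "port": 8443},                                  # missing field
    ]
    print(validate_record(good))                        # True
    print([validate_record(r) for r in rejected])       # all False
```

The validators carry no knowledge of SQL, shell or HTML syntax: the quoted payload, the trailing newline and the boolean port are all rejected for the same reason, namely that they are not instances of the defined component. That is the practical payoff of putting the effort into the definition rather than into a list of forbidden characters.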

You can read a brief introduction to using hypothetical syllogisms to secure information for free on The IT Writers' website.




What does your development team need to start using formal models to secure the software components and information?

Only two topics are needed:

  1. Basic logic knowledge, such as categorical and hypothetical statements, syllogisms and their rules
  2. Formalisation methods and mathematical models




Learning resources for your developer team


To get these training courses in English, please get in touch.

More articles from BAHIT & BAHIT LTD

社区洞察

其他会员也浏览了