Generating Software Security Knowledge Through Empirical Methods

dc.contributor.author: René Noël
dc.contributor.author: Santiago Matalonga
dc.contributor.author: Gilberto Pedraza
dc.contributor.author: Hernán Astudillo
dc.contributor.author: Eduardo B. Fernández
dc.coverage.spatial: Bolivia
dc.date.accessioned: 2026-03-22T20:14:28Z
dc.date.available: 2026-03-22T20:14:28Z
dc.date.issued: 2017
dc.description: Citations: 2
dc.description.abstract: This chapter exemplifies the use of experimental techniques, borrowed from software engineering, to create validated knowledge in the Security field. Systematic approaches for secure software development, specifically those implying some sort of process aligned with the software development life cycle (SDLC), are called security methodologies. There are a number of security methodologies in the literature, of which the most flexible and most satisfactory from an industry adoption viewpoint are methodologies that encapsulate their security solutions in some fashion, such as via the use of security patterns, security tactics, or security vulnerabilities. Security tactics are proven reusable architectural building blocks that encapsulate design decision knowledge to support the achievement of the security attributes. Security patterns are encapsulated solutions to recurrent security design problems that cover all software life cycle stages, including handling threats and fixing vulnerabilities in software systems. Both tactics and patterns describe design decisions to mitigate specific security threats, and both are organized in catalogs.
dc.identifier.doi: 10.1201/9781315154855-4
dc.identifier.uri: https://doi.org/10.1201/9781315154855-4
dc.identifier.uri: https://andeanlibrary.org/handle/123456789/80821
dc.language.iso: en
dc.source: Valparaiso University
dc.subject: Computer science
dc.subject: Software engineering
dc.title: Generating Software Security Knowledge Through Empirical Methods
dc.type: book-chapter
