The impact of risk assessment
Identifying security risks
Specifying security needs
Providing security information
Verifying and validating security
Monitoring security behavior
Other standards can be added to these models and standards inthe field of information security. In addition to models andstandards used in the field of information security, there areother pieces of software such as firewall, Intrusion DetectionProtect (IDS) or other applications like them that protectedsoftware data after it is created. Simply put, they enhance
software security .
But it still isnt easy to use these models and standards for the
following reasons :
The limitation of SSE-
: it is a complicated modelbecause it does not perform all tasks the system needs.
Furthermore it does not explain how to perform the processes
in the areas mentioned. Thus, it is hard to apply and
implement this model.
The limitation of ISO/IEC 27002
: it includes a large
number of security controls executed in different processes of
various organizations. Also, it does not demonstrate how toexecute security control in the best way, not specifying a
The limitation of OCTAVE
: It tasks a self-
approach. Simply put, an individual from the organizationassumes responsibility for setting up, implementing and
The limitation of ISO/IEC 15408
: Due to its complexrelationship which entails specialized knowledge, it is costlyand time consuming. Moreover, it focuses only on certainsoftware products and overlooks the interrelationship
between other software products.
limitation of TSP-
: First of all, its userequires investment in training and software developersshould have necessary training for using this
Accordingly, the TSP use demands senior and projectmanagers support. Besides, for most organization, effectiveTSP use requires that the management and technical cultureand character be able to perform technical tasks carefully and
the leadership be sustained, be a driving force
behind making TSP team self
The limitation of PSSS
: Identification and understandingsoftware property, lack of specialized knowledge forfunctionality in all activities associated with threat model
need for more resources necessary for effective PSSS
RUCIAL IMPORTANCE OF
In addition to limitation and problems that were describedabove for the models and standards, here, we will discuss theproblems demanding that security be considered all the time,
though there are models and standards for this purpose.
Software Security needs a serious consideration
The losses suffered by countries, companies andorganization for software intrusion and damage are toocostly. For one thing, the additional costs for U.S.government potential attacks on critical infrastructureremain a serious concern. New automatic attack requires
no human action to deliver4 destructive play loads, causingmajor concerns. In 2004 over 140000 attacks were repor
to CERT which is due to holes in software and networks
from 1999 to 2003(see figure 1).
2000400060001999 2000 2001 2002 2003
security holes, if any, can have adverse effects on software,
e.g. , negative effect on the relia
To develop security software is complex
Computer science is very extensive. For instance when you
combine two or more parts of a software to each hascertain security characteristics the combined results shouldnot demonstrate security characteristics. To do so you need
When developing software with high quality, you need
educated and experienced personnel.
It s hard to define secure software in general
The first necessity for software to be safe is definingnecessary specifications and properties. Security, it is
necessary to implement the specifications accurately.
What kind of security and privacy are required, what are its
costs and risk? These questions are hard to answer;technical judgment does not help. Because it requires yo
to view it from management and marketing perspective. Inparticular, when customers dont have great interest in it or
they have to pay for it, such view can be helpful.
Finally, developing software with the qualities of privacy,integration and appropriate accessibility which entails the
-mentioned problems has made defining a security
Why are not the existing approaches in wide use?
Cost and needs are among the greatest hurdles in the wayof an organization which cause concerns when creatingsecurity software, though there exits other reasons such as
users comfort, quick supply, more functionality and so on.
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 7, July 20127http://sites.google.com/site/ijcsis/ISSN 1947-5500