software security
1. Everything is mobile
With the advent of mobile payment technologies and e-wallets for transferring money, the focus is shifting away from traditional money management.

The storage of payment information on mobile devices has long been a draw for cybercriminals, and as more and more people conduct financial transactions online, the attack surface grows.

We also have to worry about mobile malware. Both the Apple and Google app stores have been hit by it. For example, the XcodeGhost malware is able to obtain sensitive data such as user credentials. We can expect to see more attacks like this in the future.
2. Smarter automobiles
At a basic level, virtualization partitions a physical layer (say, a server) into different virtual layers (virtual machines). It helps a cloud environment deliver software, data, or any other computing resource efficiently, and it comes in the form of a software-defined network.

Virtualization leads to a complex structure of layers, each of which has to be secured. With the advancement of virtualization within cloud environments, we are seeing an increase in reported software security defects, and this technology trend is sure to continue.
4. Zero-day vulnerabilities
A zero-day (also known as 0-day) vulnerability is a software security flaw that is not known to, or not disclosed to, the vendor. With a zero-day exploit, an attacker could cause serious damage, ranging from planting malware to gaining unauthorized system access.

Infrastructures are built from interconnected components. This increases the attack surface and gives attackers more room to exploit.
The Internet of Things (IoT) is emerging at a rapid rate: we have more and more devices embedded with network connectivity that collect and exchange data. Wearable devices, including medical devices, are vulnerable to being hacked. They may collect sensitive information such as GPS coordinates, and we have seen quite a few cases related to ransomware. This technology trend is sure to continue as we connect more wearable and smart gadgets to the internet.

It is scary to imagine an attacker holding a patient to ransom by controlling their pacemaker. We need to perform rigorous security testing before making such devices available to the public.
6. Internal security training
Different Methodologies
BSIMM (Building Security In – Maturity Model)
The Building Security In Maturity Model is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variations that make each unique.

BSIMM is not a how-to guide, nor is it a one-size-fits-all prescription. Instead, it is a reflection of software security. By providing actual measurement data from the field, the BSIMM makes it possible to build a long-term plan for a software security initiative and track progress against that plan.
Microsoft Security Development Lifecycle
The Microsoft SDL introduces security and privacy considerations throughout all phases of the development process, helping developers build highly secure software, address security compliance requirements, and reduce development costs.

The guidance, best practices, tools, and processes in the Microsoft SDL are practices we use internally to build more secure products and services. Since first shared in 2008, we’ve updated the practices as a result of our growing experience with new scenarios, like the cloud, Internet of Things (IoT), and artificial intelligence (AI).