Testing for security during development: why we should scrap penetrate-and-patch

1 April 1998

journal article
Published by Institute of Electrical and Electronics Engineers (IEEE) in IEEE Aerospace and Electronic Systems Magazine

Vol. 13 (4), 13-15
https://doi.org/10.1109/62.666831

Abstract

In the commercial sector, security analysis has tradi- tionally been applied at the network system level, after release, using tiger team approaches. After a successful tiger team penetration, specific system vulnerabilities are patched. I make a case for applying software engineering analysis techniques that have proven successful in the soft- ware safety arena to security-critical software code. This work is based on the generally held belief that a large pro- portion of security violations result from errors introduced during software development.

Keywords

This publication has 1 reference indexed in Scilit:

Predicting how badly "good" software can behave
IEEE Software, 1997

Cited by 17 articles