The SAFECode reference document defines it as: "Trust that software, hardware, and services are free of intentional or unintentional vulnerabilities and that they function as specified and desired" (SafeCode, 2011).
The U.S. Department of Defense (DoD) defines it as "The level of confidence that software works as intended and is free of vulnerabilities, whether intentional or unintentional, designed or embedded within the framework of its development lifecycle."
On this basis, drawing on the definitions above and the previous paragraphs, software security can be defined as: "The set of design principles and best practices to be implemented in the SDLC to detect, prevent and correct security flaws in the development and acquisition of applications, so as to obtain software that is reliable and robust against malicious attacks, that performs only the functions for which it was designed, that is free of vulnerabilities, whether intentionally designed or accidentally inserted during its life cycle, and that ensures its integrity, availability and confidentiality."
Until the beginning of the previous decade, most applications were developed without regard to specific security requirements and tests. Software developers were unaware of the vulnerabilities that programming can create and neglected security aspects, giving primacy to compliance with functional specifications without considering cases in which the software would be maliciously attacked. Apart from unintentional coding errors, this development process also offers opportunities to insert malicious code into the software at source.
As mentioned above, network security technologies can help mitigate attacks, but they do not solve the real security problem: once an attacker manages to get past those defenses, through social engineering for example, and compromises a machine inside the network, that machine can be used to attack others on the network (pivoting), starting with the most vulnerable. This is the case with Advanced Persistent Threats (APTs), one of the most dangerous and harmful types of cyberattack today. It is therefore necessary to have secure software that works in an aggressive and malicious environment.
APT: Sophisticated type of organized, fast-progressing, long-term cyberattack, specifically designed to access and obtain information from the target organization's systems.
An important aspect of software security is the confidence and assurance that the software works according to its specification and design, and that it is robust enough to withstand the threats that could compromise its expected behavior in its operating environment.
To achieve this and to minimize attacks at the application layer, and therefore the number of exploitable vulnerabilities, security must be included from the start of the software development life cycle (SDLC), including requirements, abuse cases, risk analysis, code analysis, dynamic penetration testing, etc. In this regard, it is important to take advantage of existing good software engineering practices.
The Klocwork (2004) report in turn includes a figure showing that the cost of correcting code or vulnerabilities after a version has been released is as much as 100 times greater. The figures are based on ratios developed by Barry Boehm of the University of Southern California.
Figure 3. Effects of late defect detection. Source: Klocwork Inc. (2004).