Software Security

Ongoing projects

• FAST - FZI Assessment Toolkit: research on the use of FAST tools for building secure software is currently running.

Teaching

• To Be Announced

Publications

• Pierre Parrend

Assocations of interest

• ISSECO - International Secure Software Engineering Forum
• Ka-IT-SI - Karlsruhe IT Sicherheitsinitiative

Meetings

• Forschungsgruppe Security 2009/10/29

Students

• C. Pilder, Meta-Models for Static Analysis of OO-Component Code. DA.

Available books

Our books

• Gary McGraw. Software Security - Building Security In. Pearson Education, London, January 2006. ISBN-13: 978-0321356703.

Personal books

• Michael Howard and David LeBlanc. Writing Secure Code, Second Edition. Microsoft Press, Redmond, WA, 2002. ISBN-13: 978-0735617223. (pierre)
• Greg Hoglund and Gary McGraw. Exploiting Software - How to Break Code. Addison-Wesley, Peason Education Inc., 2004. ISBN-13:978-0201786958. (pierre)

Info Bib

• Markus Schumacher. Security Engineering With Patterns: Origins, Theoretical Models, and New Applications. LNCS. September 2003. ISBN-13: 978-3540407317.

Litterature

• Ken Thompson. Reflection on trusting trust. Communication of the ACM, 27(8):761–763, August 1984 (Turing Award Lecture).
• Gary McGraw. Software security. IEEE Security & Privacy Magazine, 2(2):80–83, March-April 2004.
• Algirdas Avizienis, Jean-Claude Laprie, Brian Randell, and Carl Landwehr. Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing, 01(1):11–33, 2004.
• Jerome H. Saltzer and Michael D. Schroeder. The protection of information in computer systems. In Fourth ACM Symposium on Operating System Principles, October 1973.
• Katrina Tsipenyuk, Brian Chess, and Gary McGraw. Seven pernicious kingdoms: A taxonomy of software security errors. IEEE Security & Privacy, 3(6):81–84, November/December 2005.
• Paul E. Black. Software assurance metrics and tool evaluation. In International Conference on Software Engineering Research and Practice (SERP’05), June 2005.
• Frederick P. Brooks. No silver bullet: Essence and accidents of software engineering. Computer, 20(4):10–19, April 1987.
• Glenn Brunette. Toward systemically secure IT architectures. Sun BluePrints OnLine, February 2006. Sun Microsystems, Inc.
• Steven M. Christey. Open letter on the interpretation of "vulnerability statistics". Bugtraq, Full-Disclosure Mailing list, January 2006.
• Karen M. Goertzel, Thoedore Winograd, Holly L. McKinley, Lyndon Oh, Michael Colon, Thomas Mcibbon, Elaine Fedchak, and Robert Vienneau. Software Security Assurance: a State-of-The-Art Report (SOAR). Information Assurance Technology Analysis Center (IATAC) and Data and Analysis Center for Software (DACS), July 2007.
• Michael Howard. A process for performing security code reviews. IEEE Security and Privacy, 4(4):74 – 79, July 2006.
• David Hovemeyer and William Pugh. Finding bugs is easy. In ACM SIGPLAN Notices, volume 39, pages 92 – 106, 2004. COLUMN: OOPSLA onward.
• Steve Lipner and Michael Howard. The trustworthy computing security development lifecycle. Microsoft Corporation Whitepaper, March 2005. Security Engineering and Communications, Security Business and Technology Unit, Microsoft Corporation.
• Ulf Lindqvist and Erland Jonsson. How to systematically classify computer security intrusions. In IEEE Symposium on Security and Privacy, pages 154–163, May 1997.
• OWASP Foundation. Owasp testing guide - V 2, 2007. Creative Commons Attribution-ShareAlike 2.5 License.
• OWASP Foundation. Owasp code review guide - RC 2, 2008. Creative Commons Attribution-ShareAlike 2.5 License.
• Software Assurance Forum for Excellence in Code (SAFECode). Software assurance: An overview of current industry best practices. SAFECode Whitepaper, February 2008.
• John Viega and Gary McGraw. Building Secure Software - How to Avoid Security Problems the Righ Way. Number 528 in Professional Computing Series. Addison-Wesley Professional, 2001. ISBN-13: 978-0201721522.
• Ivan Victor Krsul. Software Vulnerability Analysis. PhD thesis, Purdue University, May 1998.
• Joshua Bloch and Neal Gafter. Java Puzzlers - Traps, Pitfalls and CornerCases. Pearson Education, June 2005. ISBN-13: 978-0321336781.
• Li Gong, Gary Ellison, and Mary Dadgeforde. Inside Java 2 Platform Security - Architecture, API Design, and Implementation, Second Edition. Addison-Wesley, 2003. ISBN-13: 978-0201787917.
• Fred Long. Software vulnerabilities in Java. Technical Report CMU/SEI-2005-TN-044, Carnegie Mellon University, October 2005.
• Sun Microsystems Inc. Secure coding guidelines for the Java programming language, version 2.0. Sun Whitepaper, 2007. http://java.sun.com/security/seccodeguide.html.
• Pierre Parrend and Stephane Frenot. Classification of component vulnerabilities in Java service oriented programming (SOP) platforms. In Conference on Component-based Software Engineering (CBSE’2008), volume 5282/2008 of LNCS, Karlsruhe, Germany, October 2008. Springer Berlin / Heidelberg.