Summary of Von Solms and Futcher’s “Adaption of a Secure Software Development Methodology for Secure Engineering Design”

TO: Prof. Ellis 

FROM: Jennifer Martinez

DATE: 03/03/2021

SUBJECT: 500-Word Summary of Article About the Adoption of a Secure Software Development Methodology.

The following is a 500-word summary of a peer-reviewed article about adopting a Secure Software Development Methodology to secure engineering designs. The authors discuss an approach to implementing security in engineering design through the normal Systems Development Life Cycle (SDLC): they first created a baseline of the students’ knowledge of security and then designed a guideline to help students implement the Secure Software Development Methodology (SecSDM) in their projects. According to the authors, “Traditionally the information technology (IT) professionals were considered…responsible for cybersecurity,…However, as engineering and control systems became more integrated with the IT infrastructure, securing these systems cannot remain the sole responsibility of IT professionals” (Von Solms & Futcher, 2020, p. 125630). Therefore, it would be ideal for engineers to learn how to protect their designs. First, the authors conducted an analysis to determine how much knowledge engineering students had of software security. The Capstone, a final-year project, was used for the analysis and focused specifically on hardware, software design, and testing. The results illustrated the dissociation the engineering students had between software and security, since security was not a requirement. A survey was given to the students after the project to determine whether they understood the terminology and implementation of security. The survey confirmed that students understood the importance of security but lacked the knowledge and training. Following the baseline, the authors designed a guideline for the students to secure their projects by integrating security into the system development life cycle (SDLC) through the SecSDM. First, in the exploration phase, the engineer must explore the technology readiness, conduct a risk analysis, and follow the SecSDM suggestion to define the security requirements by the ISO/IEC TR.
Based on the pre-evaluation, the engineer must then recommend possible solutions, define the system requirements and product specification, and follow the SecSDM suggestion to identify the security services that satisfy those requirements. The goal of the design and development phase for engineers is not only to design the system architecture and allocate system requirements to subsystems but also to map the security services to specific security mechanisms, following the SecSDM recommendation to use the “ISO 7498-2 standard’s security mechanisms” (Von Solms & Futcher, 2020, p. 125635). The production and implementation phase involves the construction of subsystems, system integration, and testing, and the engineer should apply the appropriate security controls based on the SecSDM recommendations. During the utilization and support phase, the engineer is responsible for ensuring the product operates according to the user’s needs and for continuously monitoring the software and firmware to ensure that the product remains secure and is used correctly. Finally, the SecSDM has no specific requirements for the retirement phase other than that the engineer must teach the user how to dispose of the data and the product properly. Although this paper motivated various people to write proposals on integrating secure software practices into engineering design, there is still no practical approach for doing so.

Reference 

Von Solms, S., & Futcher, L. A. (2020). Adaption of a secure software development methodology for secure engineering design. IEEE Access, 8, 125630–125637. https://doi.org/10.1109/ACCESS.2020.3007355