Idea-caution before exploitation

the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution


Abstract

The transfer of cybersecurity domain knowledge from security experts (‘Ethical Hackers’) to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed.
Original language: English
Title of host publication: Engineering secure software and systems
Subtitle of host publication: 9th International symposium, ESSoS 2017, Bonn, Germany, July 3-5, 2017: proceedings
Editors: Eric Bodden, Mathias Payer, Elias Athanasopoulos
Place of publication: Chambray
Publisher: Springer
Pages: 133-142
Number of pages: 10
Edition: 1
ISBN (Electronic): 9783319621050
ISBN (Print): 9783319621043
DOI: 10.1007/978-3-319-62105-0_9
Publication status: Published - 5 Jul 2017
Event: 9th International Symposium on Engineering Secure Software and Systems - University of Bonn, Bonn, Germany
Duration: 3 Jul 2017 to 5 Jul 2017

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer
Volume: 10379
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 9th International Symposium on Engineering Secure Software and Systems
Abbreviated title: ESSoS 2017
Country: Germany
City: Bonn
Period: 3/07/17 to 5/07/17


Cite this

Nafees, T., Coull, N., Ferguson, R. I., & Sampson, A. (2017). Idea-caution before exploitation: the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities. In E. Bodden, M. Payer, & E. Athanasopoulos (Eds.), Engineering secure software and systems: 9th International symposium, ESSoS 2017, Bonn, Germany, July 3-5, 2017: proceedings (1st ed., pp. 133-142). (Lecture Notes in Computer Science; Vol. 10379). Chambray: Springer. https://doi.org/10.1007/978-3-319-62105-0_9