Idea-caution before exploitation: the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities

Tayyaba Nafees; Natalie Coull; Robert Ian Ferguson; Adam Sampson

doi:10.1007/978-3-319-62105-0_9

Idea-caution before exploitation: the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities

Tayyaba Nafees, Natalie Coull, Robert Ian Ferguson, Adam Sampson

Division of Games and Arts

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Citations (Scopus)

210 Downloads (Pure)

Abstract

The transfer of cybersecurity domain knowledge from security experts (‘Ethical Hackers’) to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed.

Original language	English
Title of host publication	Engineering secure software and systems
Subtitle of host publication	9th Internatinal symposium, ESSoS 2017 Bonn, Germany, July 3-5, 2017: proceedings
Editors	Eric Bodden, Mathias Paye, Elias Athanasopoulos
Place of Publication	Chambray
Publisher	Springer
Pages	133-142
Number of pages	10
Edition	1
ISBN (Electronic)	9783319621050
ISBN (Print)	9783319621043
DOIs	https://doi.org/10.1007/978-3-319-62105-0_9
Publication status	Published - 5 Jul 2017
Event	9th International Symposium on Engineering Secure Software and Systems - University of Bonn, Bonn, Germany Duration: 3 Jul 2017 → 5 Jul 2017

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	10379
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	9th International Symposium on Engineering Secure Software and Systems
Abbreviated title	ESSoS 2017
Country/Territory	Germany
City	Bonn
Period	3/07/17 → 5/07/17

Keywords

Software development lifecycle (SDLC)
Security pattern (SP)
Software fault pattern (SFP)
Attack pattern (AP)
Vulnerability database (VDB)

Access to Document

10.1007/978-3-319-62105-0_9

Nafees_Idea-Caution_Accepted_2017Accepted author manuscript, 317 KB

Addressing the knowledge transfer problem in secure software development through anti-patterns
Author: Nafees, T., 20 Mar 2019
Supervisor: Coull, N. (Supervisor) & Ferguson, I. (Supervisor)
Student thesis: Doctoral Thesis

File

Cite this

Nafees, T., Coull, N., Ferguson, R. I., & Sampson, A. (2017). Idea-caution before exploitation: the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities. In E. Bodden, M. Paye, & E. Athanasopoulos (Eds.), Engineering secure software and systems: 9th Internatinal symposium, ESSoS 2017 Bonn, Germany, July 3-5, 2017: proceedings (1 ed., pp. 133-142). (Lecture Notes in Computer Science; Vol. 10379). Springer. https://doi.org/10.1007/978-3-319-62105-0_9

Nafees, Tayyaba ; Coull, Natalie ; Ferguson, Robert Ian et al. / Idea-caution before exploitation : the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities. Engineering secure software and systems: 9th Internatinal symposium, ESSoS 2017 Bonn, Germany, July 3-5, 2017: proceedings. editor / Eric Bodden ; Mathias Paye ; Elias Athanasopoulos. 1. ed. Chambray : Springer, 2017. pp. 133-142 (Lecture Notes in Computer Science).

@inproceedings{877e922a7df24a9fb8132217b1918866,

title = "Idea-caution before exploitation: the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities",

abstract = "The transfer of cybersecurity domain knowledge from security experts ({\textquoteleft}Ethical Hackers{\textquoteright}) to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed.",

author = "Tayyaba Nafees and Natalie Coull and Ferguson, {Robert Ian} and Adam Sampson",

year = "2017",

month = jul,

day = "5",

doi = "10.1007/978-3-319-62105-0_9",

language = "English",

isbn = "9783319621043",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "133--142",

editor = "Bodden, {Eric } and { Paye}, Mathias and Elias Athanasopoulos",

booktitle = "Engineering secure software and systems",

edition = "1",

note = "9th International Symposium on Engineering Secure Software and Systems, ESSoS 2017 ; Conference date: 03-07-2017 Through 05-07-2017",

}

Nafees, T, Coull, N , Ferguson, RI & Sampson, A 2017, Idea-caution before exploitation: the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities. in E Bodden, M Paye & E Athanasopoulos (eds), Engineering secure software and systems: 9th Internatinal symposium, ESSoS 2017 Bonn, Germany, July 3-5, 2017: proceedings. 1 edn, Lecture Notes in Computer Science, vol. 10379, Springer, Chambray, pp. 133-142, 9th International Symposium on Engineering Secure Software and Systems, Bonn, Germany, 3/07/17. https://doi.org/10.1007/978-3-319-62105-0_9

Idea-caution before exploitation: the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities. / Nafees, Tayyaba; Coull, Natalie ; Ferguson, Robert Ian et al.
Engineering secure software and systems: 9th Internatinal symposium, ESSoS 2017 Bonn, Germany, July 3-5, 2017: proceedings. ed. / Eric Bodden; Mathias Paye; Elias Athanasopoulos. 1. ed. Chambray: Springer, 2017. p. 133-142 (Lecture Notes in Computer Science; Vol. 10379).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Idea-caution before exploitation

T2 - 9th International Symposium on Engineering Secure Software and Systems

AU - Nafees, Tayyaba

AU - Coull, Natalie

AU - Ferguson, Robert Ian

AU - Sampson, Adam

PY - 2017/7/5

Y1 - 2017/7/5

N2 - The transfer of cybersecurity domain knowledge from security experts (‘Ethical Hackers’) to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed.

AB - The transfer of cybersecurity domain knowledge from security experts (‘Ethical Hackers’) to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed.

U2 - 10.1007/978-3-319-62105-0_9

DO - 10.1007/978-3-319-62105-0_9

M3 - Conference contribution

SN - 9783319621043

T3 - Lecture Notes in Computer Science

SP - 133

EP - 142

BT - Engineering secure software and systems

A2 - Bodden, Eric

A2 - Paye, Mathias

A2 - Athanasopoulos, Elias

PB - Springer

CY - Chambray

Y2 - 3 July 2017 through 5 July 2017

ER -

Nafees T, Coull N , Ferguson RI, Sampson A. Idea-caution before exploitation: the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities. In Bodden E, Paye M, Athanasopoulos E, editors, Engineering secure software and systems: 9th Internatinal symposium, ESSoS 2017 Bonn, Germany, July 3-5, 2017: proceedings. 1 ed. Chambray: Springer. 2017. p. 133-142. (Lecture Notes in Computer Science). Epub 2017 Jun 24. doi: 10.1007/978-3-319-62105-0_9

Idea-caution before exploitation: the use of cybersecurity domain knowledge to educate software engineers against software vulnerabilities

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Student theses

Addressing the knowledge transfer problem in secure software development through anti-patterns

Cite this