Académique Documents
Professionnel Documents
Culture Documents
software
development
1. INTRODUCTION
The touchpoints methodology are one of the main pillars
of software security that mention by McGraw which are : Risk
Management Framework, Software Security Touchpoints(best
practices ), and Knowledge Catalogs. Each of them is a
necessity for software security. Software security is not
security software. acquiring software security means applying
a number of simple best practices throughout the software
development lifecycle more than it means the application of
security characteristic like cryptography .This methodology
allow software development team to build the emergent
property of security while building the software . In addition ,
you don't have to apply all seven touchpoints to begin to apply
security features in (though doing so is highly
recommended).actually the touchpoints are designed to close
the gap between the state of the art and the state of the practice
[1] - something that can be done only through the common
adoption of touchpoints activities. Touchpoints are
destructive and constructive activities. Destructive activities
are about all negatives activities that may effect on the
software availability , integrity and confidentiality such as
attacks, exploits, and breaking software. These kinds of
attacks and exploits are represented by the black hat .
Constructive activities are about all how to deal with a
software in positive side such as design, defense, and
functionality.[1]
2. WHAT IS TOUCHPOINTS
Touchpoint are activities that the development team needs
to do during a particular phase of the software development
life cycle .This methodology strictly focuses on security
designs, principles and features if a software application rather
than the functionality of this software .For example, instead
of focusing on what the software requirement is assumed to
do, the touchpoint method will focus on how that software
requirement can make the application vulnerable to security
risk if implemented (which is abuse case).
And because the Touchpoints method focus strictly on
security issues, it can blend right in with any other software
methodology used for quality measure and functionality. This
methodology for software security can be applied during each
phase of a standard software development life cycle process.
Using the touchpoint method provides security activities in
every phase and forces security to be worked into the software
package from concept to implementation .So putting software
security into practice requires making some changes to the
way organizations build software.
The below figure show the software security touchpoints and
shows how software practitioners can apply them to the
different software artifacts produced during software
development. Although in this figure artifacts are developed
according to a traditional waterfall methodology, most
organizations follow an iterative model today, which means
that best practices will be iterate through more than once as
the software evolves.
Abuse cases are tool that will help you to figure out how the
attacker contemplating to attack the system or to know how
the system behavior will be under attack ,so building an abuse
case (sometimes called misuse cases as well ) allows thinking
beyond the normative features and functions and also
contemplating negative or unexpected events, software
security professionals come to better understand how to create
secure and reliable software. by asking some questions
like(What might some bad person cause to go wrong here? )
or better yet, "What might some bad person cause to go wrong
here?" software development team are more likely to uncover
exceptional cases and frequently overlooked security
requirements.
Building abuse cases is a great way to get into the mind of the
attacker. it's the same of building use cases, but abuse cases
describe the system's behavior under attack; building abuse
cases requires explicit coverage of what the parts should be
secure and protected , from whom (target ), and for how long
(determine the time if possible).
Artifact: Requirements
Example of risks found: No explicit description of data
protection needs.
3.7 Security Operations
4. CONCLUSION
Most of Methodology to software security are way too bulky
for most project to be followed by any company or team . By
reducing the touchpoints to seven best practices, McGraw hope
to make effective best practices easier to adopt while still
making a huge impact on software security. The touchpoints
are not only changeable to whatever process you already
follow to make software but also simple and easy to use. If you
apply the seven terrific touchpoints outlined here, your
software will be much more secure.
5. REFERENCES
[1] McGraw,G.Software
Wesley,2006.
Build
Security
In,Addison-
[2] http://cwe.mitre.org/data/definitions/251.html
[3]
http://www.drdobbs.com/the-7-touchpoints-of-securesoftware/184415391