Relating Software Engineering and Information Security

Aug 27, 2003

Abstract

There are many connections between software engineering and
information security. Some are obvious, such as the process of
detecting software faults, and some are more subtle, such as
definition and capture of privacy requirements. In both infosec and
SE there are complex challenges of how best to balance cost, design,
technology, and time to market: Too often, good practices are skipped
because of cost or time. Meanwhile, failures in both areas can lead
to everything from minor inconvenience to catastrophic failures and
compromises.

In this talk, I intend to explain some of the connections I see
between software engineering and information security. In
particular, I hope to illustrate how some of the challenges -- and
advances -- in infosec have a basis in software engineering. Some
of these suggest high-leverage areas of research, while others
provide insight about why we will continue to experience security
problems in widely-deployed software. For instance, is there truth
to the contention that open source software is more secure than
proprietary source? Along the way, I will connect Las Vegas, the
PDP-11, Roman chariots, and a common security flaw as one
illustration of how unintended consequences shape both security and
software development.