Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities

Tayyaba Nafees; Natalie Coull; Robert Ian Ferguson; Adam Sampson

doi:10.1007/978-3-319-62105-0_9

Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities

Tayyaba Nafees^*, Natalie Coull, Robert Ian Ferguson, Adam Sampson

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)

Abstract

The transfer of cybersecurity domain knowledge from security experts (‘Ethical Hackers’) to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed.

Original language	English
Title of host publication	Engineering Secure Software and Systems - 9th International Symposium, ESSoS 2017, Proceedings
Subtitle of host publication	9th International Symposium, ESSoS 2017, Bonn, Germany, July 3-5, 2017, Proceedings
Editors	Elias Athanasopoulos, Eric Bodden, Mathias Payer
Publisher	Springer Verlag
Pages	133-142
Number of pages	10
ISBN (Electronic)	9783319621050
ISBN (Print)	9783319621043
DOIs	https://doi.org/10.1007/978-3-319-62105-0_9
Publication status	Published - 26 Jun 2017
Event	9th International Symposium on Engineering Secure Software and Systems 2017 - Bonn, Germany Duration: 3 Jul 2017 → 5 Jul 2017 https://downloads.distrinet-research.be/events/essos/2017/index.html

Publication series

Name	Lecture Notes in Computer Science: Security and Cryptology
Publisher	Springer
Volume	10379
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	9th International Symposium on Engineering Secure Software and Systems 2017
Abbreviated title	ESSoS 2017
Country/Territory	Germany
City	Bonn
Period	3/07/17 → 5/07/17
Internet address	https://downloads.distrinet-research.be/events/essos/2017/index.html

Keywords

Attack Pattern (AP)
Security Pattern (SP)
Software Development Lifecycle (SDLC)
Software Fault Pattern (SFP)
Vulnerability DataBase (VDB)

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-319-62105-0_9

Cite this

Nafees, T., Coull, N., Ferguson, R. I., & Sampson, A. (2017). Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities. In E. Athanasopoulos, E. Bodden, & M. Payer (Eds.), Engineering Secure Software and Systems - 9th International Symposium, ESSoS 2017, Proceedings: 9th International Symposium, ESSoS 2017, Bonn, Germany, July 3-5, 2017, Proceedings (pp. 133-142). (Lecture Notes in Computer Science: Security and Cryptology; Vol. 10379). Springer Verlag. https://doi.org/10.1007/978-3-319-62105-0_9

Nafees, Tayyaba ; Coull, Natalie ; Ferguson, Robert Ian et al. / Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities. Engineering Secure Software and Systems - 9th International Symposium, ESSoS 2017, Proceedings: 9th International Symposium, ESSoS 2017, Bonn, Germany, July 3-5, 2017, Proceedings. editor / Elias Athanasopoulos ; Eric Bodden ; Mathias Payer. Springer Verlag, 2017. pp. 133-142 (Lecture Notes in Computer Science: Security and Cryptology).

@inproceedings{3d2e649eab524092a254e6f7f9b18da2,

title = "Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities",

abstract = "The transfer of cybersecurity domain knowledge from security experts ({\textquoteleft}Ethical Hackers{\textquoteright}) to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed.",

keywords = "Attack Pattern (AP), Security Pattern (SP), Software Development Lifecycle (SDLC), Software Fault Pattern (SFP), Vulnerability DataBase (VDB)",

author = "Tayyaba Nafees and Natalie Coull and Ferguson, \{Robert Ian\} and Adam Sampson",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing AG 2017.; 9th International Symposium on Engineering Secure Software and Systems 2017, ESSoS 2017 ; Conference date: 03-07-2017 Through 05-07-2017",

year = "2017",

month = jun,

day = "26",

doi = "10.1007/978-3-319-62105-0\_9",

language = "English",

isbn = "9783319621043",

series = "Lecture Notes in Computer Science: Security and Cryptology",

publisher = "Springer Verlag",

pages = "133--142",

editor = "Elias Athanasopoulos and Eric Bodden and Mathias Payer",

booktitle = "Engineering Secure Software and Systems - 9th International Symposium, ESSoS 2017, Proceedings",

address = "Germany",

url = "https://downloads.distrinet-research.be/events/essos/2017/index.html",

}

Nafees, T, Coull, N, Ferguson, RI & Sampson, A 2017, Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities. in E Athanasopoulos, E Bodden & M Payer (eds), Engineering Secure Software and Systems - 9th International Symposium, ESSoS 2017, Proceedings: 9th International Symposium, ESSoS 2017, Bonn, Germany, July 3-5, 2017, Proceedings. Lecture Notes in Computer Science: Security and Cryptology, vol. 10379, Springer Verlag, pp. 133-142, 9th International Symposium on Engineering Secure Software and Systems 2017, Bonn, Germany, 3/07/17. https://doi.org/10.1007/978-3-319-62105-0_9

Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities. / Nafees, Tayyaba; Coull, Natalie; Ferguson, Robert Ian et al.
Engineering Secure Software and Systems - 9th International Symposium, ESSoS 2017, Proceedings: 9th International Symposium, ESSoS 2017, Bonn, Germany, July 3-5, 2017, Proceedings. ed. / Elias Athanasopoulos; Eric Bodden; Mathias Payer. Springer Verlag, 2017. p. 133-142 (Lecture Notes in Computer Science: Security and Cryptology; Vol. 10379).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities

AU - Nafees, Tayyaba

AU - Coull, Natalie

AU - Ferguson, Robert Ian

AU - Sampson, Adam

N1 - Publisher Copyright: © Springer International Publishing AG 2017.

PY - 2017/6/26

Y1 - 2017/6/26

N2 - The transfer of cybersecurity domain knowledge from security experts (‘Ethical Hackers’) to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed.

AB - The transfer of cybersecurity domain knowledge from security experts (‘Ethical Hackers’) to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed.

KW - Attack Pattern (AP)

KW - Security Pattern (SP)

KW - Software Development Lifecycle (SDLC)

KW - Software Fault Pattern (SFP)

KW - Vulnerability DataBase (VDB)

UR - https://www.scopus.com/pages/publications/85022324116

U2 - 10.1007/978-3-319-62105-0_9

DO - 10.1007/978-3-319-62105-0_9

M3 - Conference contribution

AN - SCOPUS:85022324116

SN - 9783319621043

T3 - Lecture Notes in Computer Science: Security and Cryptology

SP - 133

EP - 142

BT - Engineering Secure Software and Systems - 9th International Symposium, ESSoS 2017, Proceedings

A2 - Athanasopoulos, Elias

A2 - Bodden, Eric

A2 - Payer, Mathias

PB - Springer Verlag

T2 - 9th International Symposium on Engineering Secure Software and Systems 2017

Y2 - 3 July 2017 through 5 July 2017

ER -

Nafees T, Coull N, Ferguson RI, Sampson A. Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities. In Athanasopoulos E, Bodden E, Payer M, editors, Engineering Secure Software and Systems - 9th International Symposium, ESSoS 2017, Proceedings: 9th International Symposium, ESSoS 2017, Bonn, Germany, July 3-5, 2017, Proceedings. Springer Verlag. 2017. p. 133-142. (Lecture Notes in Computer Science: Security and Cryptology). doi: 10.1007/978-3-319-62105-0_9

Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this