What is “security”? Well, not in the broad sense, that is, but in software security? What does it mean to develop secure software? What do we understand to fall into the realm of software security?
I will tell you what I mean when I say “software security”. For me, software security means bringing the intent of the original designer to the customer.
This is very simple. The designer had some idea in mind when designing the software. He had some intention for the software to function in a particular way. That mental picture is translated into a design, brought over into development, translated into source code, translated into a binary, delivered, installed and configured at the customer’s site. And our task is to ensure that what operates now at the customer’s site reflects exactly what the developer had in mind. If it does not, we have a breach of security.
I know that this is a very broad definition and it encompasses many areas traditionally thought to be outside the realm of security. Some people do not like that. But in my view, this is much simpler to act on than to try and define the precise separation of realms.
Take quality assurance for example. Traditionally, QA is outside security. However, think about it. QA ensures that software operates properly in a predefined environment, which is a subset of the environments that security concerns itself with. Security logically encompasses QA here. QA ensures that the software operates properly under “normal” circumstances and security ensures that the software operates properly under any circumstances.
And it is like that with everything.