White Papers
Click on the links below for PDF versions of the following white papers:
Software Assurance: Agile Testing (March 2008)
Agile testing enables clients to achieve improved coordination of their test resources with the agile development team by allowing automated tests to be developed in tandem with code development on the same set of requirements. The methodology employed eschews the concept of building automated tests after code has been released, unit tested, and manually tested. Instead, the test team creates automated tests in parallel with the code development team for the same set of requirements.
Software Assurance: Test Automation (March 2008)
Test automation enables clients to achieve improved productivity of their test resources, and to reduce the length of regression testing cycles while increasing test coverage. It complements and vastly improves the efficacy of existing manual testing and integrates with the overall testing effort. Instead of executing basic system tests time and time again, test resources can instead concentrate on: test case design, execution of test cases via the use of automated tests, as well as execution of remaining manual tests. These are tasks that best utilize a tester’s domain expertise and knowledge of test methodologies and practices. The Cigital offering for Test Automation covers all levels of test at the various phases of the SDLC, from unit level to sub-system and system level.
Training: the secret to ongoing compliance (July 2007)
Hundreds of thousands of companies around the world have collectively spent billions of dollars in response to the security- and privacy-related compliance mandates of the past 10 years. They have all increased staffing, upgraded physical security, deployed technology point solutions, rolled out new processes and digested hundreds of vulnerability and application scanner reports. So, why are data breaches and other security failures still a common occurrence?
How Now Software Security? (June 2006), by Gary McGraw, Ph.D.
Today, everyone seems to agree that we need to do something to address the security problem at the software level, and a number of companies are even starting to do something about it. It's still early days for software security, though, and it's a very good time to assess the state of the problem, how far we've come to address it, and how far we have to go. In general, we are very optimistic about the state the industry is in, especially considering the progress that leading software producers are making.
Software Security (June 2004), by Gary McGraw, Ph.D.
Software security is the idea of engineering software so that it continues to function correctly under malicious attack. Most technologists acknowledge this undertaking's importance, but they need some help in understanding how to tackle it. This paper aims to provide that help by exploring software security best practices.
Software Design Misuse and Abuse Cases: Getting Past the Positive (November 2003), by Paco Hope and Gary McGraw, Ph.D.
In order to create secure and reliable software, we must think beyond features and anticipate abnormal behavior, including attacks. Misuse (or abuse) cases are a tool that can help an organization begin to view their software in the same light that attackers see it. By contemplating negative events, software security professionals can better understand how to create secure and reliable software.
Wireless Security's Future (October 2003), by Bruce Potter
New wireless network security standards are more complicated than their predecessors but allow for more scalable and secure wireless networks. They also dramatically raise the bar for attackers and administrators. Proper migration to 802.11i and mitigating the legacy wireless risks will be a bumpy road. However, the end result will provide users a secure base for mobile computing needs.
The Future of Cryptography: Practice and Theory (July 2003), by Adam Young, Ph.D.
Efforts to pioneer rigorous definitions of security have resulted in new cryptosystems that provide unprecedented levels of security. This white paper examines those new cryptosystems and looks ahead to the future challenges facing the field.
The Importance of Reliable Randomness: A Note on Random Number Generation and Combinatorial Sampling (June 2003), by Adam Young, Ph.D.
Generating and using random numbers correctly is subtle at best, and can completely undermine the security of a software application when performed incorrectly. This white paper brings scientists and practitioners alike up to speed on some of the common approaches to generating and using random numbers efficiently and securely.
Making Essential Software Work: Why Software Quality Management Makes Good Business Sense (March 2003), by Gary McGraw, Ph.D.
For businesses, the equation is simple: software must work. Nearly every large enterprise in the world relies on essential software, either embedded in its products or driving its business systems and operations. As business' reliance on software grows, so do the business-related consequences of software failure.
Building Secure Software: A Difficult But Critical Step in Protecting Your Business (November 2002), by Gary McGraw, Ph.D.
The ultimate answer to the computer security problem lies in making software behave. Current approaches, based on fixing vulnerabilities only after they have been exploited, address only symptoms, ignoring the cause of the problem.
Java Security for Smart Cards (April 2002), by Gary McGraw, Ph.D. and Mark McGovern
Smart cards are an important enabling technology for secure e-commerce, and Java can help make smart cards more accessible to developers and business people by providing a well-understood, familiar environment that includes a certain amount of built-in security.
Wireless Security Vulnerabilities Continue to Surface (October 2001), by IDC
Organizations are rapidly enabling their employees and other constituent with untethered network access. However, the introduction of wireless technologies into the production network without taking into full consideration the security or business risk ramifications can expose a window of opportunity for malicious activity.
The Importance of Building Quality and Reliability Into the Full Development Lifecycle (February 2000), by Kamesh Pemmaraju, Ed Lord and Gary McGraw, Ph.D.
Identifying and resolving software risks early in the game saves both time and money. The basic premise is simple: design quality and reliability into software from the beginning and test for each at key points throughout the development lifecycle.
Software Risk Management for Security (April 1999), by Gary McGraw, Ph.D.
One essential element shared by every modern information system is the software that determines how the system behaves. The implications for computer security are immense. This paper discusses an approach that Cigital has applied successfully over the years.