Friday, 19 October 2012

Safety & Security

An interesting point that came out of the IET conference on System Safety incorporating the Cyber Security in Edinburgh this month is that in German the word Sicherheit means both security and safety, depending on the context. This highlights the commonality between building safe systems and building secure systems: flaws, vulnerabilities and risk need to be taken into account during the requirements phase of a project and then built in during design and production. Since security and safety are part of the requirements, testing will ensure that these requirements have been met and, to complete the lifecycle, maintenance of the system needs to ensure the requirements continue to be built into the systems.

Techniques for writing safe code and for writing secure code are interchangeable and ensure that software flaws such as buffer overflows and inadequate input validation are eliminated. For those writing secure code, the more mature safe-code standards can help with guidance in the coding of projects, ensuring that the effects of unexpected features are eliminated.
Buffer overflows are still a common problem in modern software: 50% of CERT advisories still have buffer overflows, despite them being known since 1972. The techniques for preventing and detecting them are well understood by programmers and testers; however, they are still being found by researchers in software that has been deployed.
Adherence to coding standards and use of secure and safe programming techniques will reduce vulnerabilities in software. With web application attacks being the most common attack vector along with social engineering, reducing the number of flaws in applications will reduce the number of successful attacks.
