REVIEW: "Integrating Security and Software Engineering", Haralambos Mouratidis/Paolo Giorgini
- BKISESWE.RVW 20080209
"Integrating Security and Software Engineering", Haralambos
Mouratidis/Paolo Giorgini, 2007, 1-59904-147-2, U$94.95
%E Haralambos Mouratidis
%E Paolo Giorgini
%C Suite 200 701 E. Chocolate Ave., Hershey, PA 17033-1117
%I IRM Press/Idea Group/IGI Global
%O U$94.95 800-345-432 717-533-8845 cust@...
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 288 p.
%T "Integrating Security and Software Engineering"
In the preface, the editors state that, with this collection of
papers, they are attempting to provide a work that will narrow the gap
between software developers, who do not know or care much about
security, and security experts, who only deal in theoretical matters.
I'm sure a number of security experts would be surprised to hear that
last point. Chapter one is a review of a few papers on secure
Section one deals with security engineering requirements. Chapter two
suggests defining and checking security through formal and abstract
(and therefore theoretical) methods. A standard breakdown of the
process of determining requirements is called a "method" in chapter
three. A system for graphically representing social relationships is
used, in chapter four, to diagram a potential security problem.
Section two considers the use of software pattern models for secure
development. Chapter five presents a generic view of the first few
phases of a standard system development cycle. More graphical
representation is given in chapter six, but the explanation is even
more limited than in the previous paper, and the relation to security
engineering even more tenuous.
Section three moves on to modelling languages and methodologies for
secure software development. Chapter seven discusses the extension of
security controls to agile development methods, but seems to recommend
limiting security considerations to a subset of development, which is
almost a blueprint for ensuring that security vulnerabilities will be
created in the resulting applications. The graphical representation
scheme described in chapter eight is based on (and, in fact, explains
more effectively) the system from chapter four, but seems to be
limited to access control issues in complex database environments. A
structure for documenting security issues that have been separately
identified is outlined in chapter nine. (The method may have some
uses in quantitative risk analysis.) A method for chronicling access
control in object-oriented systems is given in chapter ten. In the
paper that makes up chapter eleven, the authors properly point out
that new approaches are needed for the extreme complexities of the
modern computing environment (including emergent properties of
interacting systems, which they refer to as "ambient intelligence"),
but they are only proposing that a new mechanism be created, rather
than proposing any solution. (The text is also ragged and difficult
to read in places, from both problems in grammar and missing words.)
Chapter twelve is a terse and generic review of a few issues in
The papers do present some interesting points for consideration, but
in very limited topics and areas. The security of software
engineering is not addressed comprehensively. The two groups of
software developers and security professionals will find little in
this book to assist them in their separate endeavors, let alone
bringing them closer together.
copyright Robert M. Slade, 2008 BKISESWE.RVW 20080209
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
My parents went to Middle Earth and all I got was a lousy ring.
- Marty Helgesen