REVIEW: "Integrating Security and Software Engineering", Haralambos Mouratidis/Paolo Giorgini

  • Rob, grandpa of Ryan, Trevor, Devon & Han
    Message 1 of 1 , May 26 4:30 PM
      BKISESWE.RVW 20080209

      "Integrating Security and Software Engineering", Haralambos
      Mouratidis/Paolo Giorgini, 2007, 1-59904-147-2, U$94.95
      %E Haralambos Mouratidis
      %E Paolo Giorgini
      %C Suite 200 701 E. Chocolate Ave., Hershey, PA 17033-1117
      %D 2007
      %G 1-59904-147-2
      %I IRM Press/Idea Group/IGI Global
      %O U$94.95 800-345-432 717-533-8845 cust@...
      %O http://www.amazon.com/exec/obidos/ASIN/1599041472/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/1599041472/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/1599041472/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 288 p.
      %T "Integrating Security and Software Engineering"

      In the preface, the editors state that, with this collection of
      papers, they are attempting to provide a work that will narrow the gap
      between software developers, who do not know or care much about
      security, and security experts, who only deal in theoretical matters.
      I'm sure a number of security experts would be surprised to hear that
      last point. Chapter one is a review of a few papers on secure
      software engineering.

      Section one deals with security engineering requirements. Chapter two
      suggests defining and checking security through formal and abstract
      (and therefore theoretical) methods. A standard breakdown of the
      process of determining requirements is called a "method" in chapter
      three. A system for graphically representing social relationships is
      used, in chapter four, to diagram a potential security problem.

      Section two considers the use of software pattern models for secure
      development. Chapter five presents a generic view of the first few
      phases of a standard system development cycle. More graphical
      representation is given in chapter six, but the explanation is even
      more limited than in the previous paper, and the relation to security
      engineering even more tenuous.

      Section three moves on to modelling languages and methodologies for
      secure software development. Chapter seven discusses the extension of
      security controls to agile development methods, but seems to recommend
      limiting security considerations to a subset of development, which is
      almost a blueprint for ensuring that security vulnerabilities will be
      created in the resulting applications. The graphical representation
      scheme described in chapter eight is based on (and, in fact, explains
      more effectively) the system from chapter four, but seems to be
      limited to access control issues in complex database environments. A
      structure for documenting security issues that have been separately
      identified is outlined in chapter nine. (The method may have some
      uses in quantitative risk analysis.) A method for chronicling access
      control in object-oriented systems is given in chapter ten. In the
      paper that makes up chapter eleven, the authors properly point out
      that new approaches are needed for the extreme complexities of the
      modern computing environment (including emergent properties of
      interacting systems, which they refer to as "ambient intelligence"),
      but they are only proposing that a new mechanism be created, rather
      than proposing any solution. (The text is also ragged and difficult
      to read in places, from both problems in grammar and missing words.)
      Chapter twelve is a terse and generic review of a few issues in
      security.

      The papers do present some interesting points for consideration, but
      in very limited topics and areas. The security of software
      engineering is not addressed comprehensively. The two groups of
      software developers and security professionals will find little in
      this book to assist them in their separate endeavors, let alone
      bringing them closer together.

      copyright Robert M. Slade, 2008 BKISESWE.RVW 20080209


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      My parents went to Middle Earth and all I got was a lousy ring.
      - Marty Helgesen
      http://victoria.tc.ca/techrev/rms.htm