Idea-Caution Before Exploitation: The Use of Cybersecurity Domain Knowledge to Educate Software Engineers Against Software Vulnerabilities

  • Tayyaba NafeesEmail author
  • Natalie CoullEmail author
  • Robert Ian FergusonEmail author
  • Adam SampsonEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10379)


The transfer of cybersecurity domain knowledge from security experts (‘Ethical Hackers’) to software engineers is discussed in terms of desirability and feasibility. Possible mechanisms for the transfer are critically examined. Software engineering methodologies do not make use of security domain knowledge in its form of vulnerability databases (e.g. CWE, CVE, Exploit DB), which are therefore not appropriate for this purpose. An approach based upon the improved use of pattern languages that encompasses security domain knowledge is proposed.


Software Development Lifecycle (SDLC) Security Pattern (SP) Software Fault Pattern (SFP) Attack Pattern (AP) Vulnerability DataBase (VDB) 


  1. 1.
    McConnell, S.: Code Complete: A Practical Handbook of Software Construction. Microsoft, Redmond (1993)Google Scholar
  2. 2.
    Todorov, A.: User guide for open source project bug submissions (2015).
  3. 3.
    Leveson, N.: A new accident model for engineering safer systems. Saf. Sci. 42, 237–270 (2004)CrossRefGoogle Scholar
  4. 4.
    Cabinet Office: The cost of cybercrime (2011)Google Scholar
  5. 5.
    Bekrar, S., et al.: Finding software vulnerabilities by smart fuzzing, pp. 427–430 (2011)Google Scholar
  6. 6.
    Jorgensen, P.C.: Software Testing: A Craftsman’s Approach. CRC Press, Boca Raton (2013)zbMATHGoogle Scholar
  7. 7.
    DHS: Cyber incident response at DHS (2017)Google Scholar
  8. 8.
    Aslam, T., Krsul, I., Spafford, E.H.: Use of a taxonomy of security faults (1996)Google Scholar
  9. 9.
    Howard, M., Lipner, S.: The security development lifecycle: a process for developing demonstrably more secure software (2006)Google Scholar
  10. 10.
    Busch, M., Koch, N., Wirsing, M.: Evaluation of engineering approaches in the secure software development life cycle. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds.) Engineering Secure Future Internet Services and Systems. LNCS, vol. 8431, pp. 234–265. Springer, Cham (2014). doi: 10.1007/978-3-319-07452-8_10 CrossRefGoogle Scholar
  11. 11.
    Fernandez, E.B., Yoshioka, N., Washizaki, H.: A worm misuse pattern, No. 2 (2010)Google Scholar
  12. 12.
    Mansourov, D.N.: Software fault patterns: towards formal compliance points for CWE (2011)Google Scholar
  13. 13.
    Schumacher, M., et al.: Security Patterns: Integrating Security and Systems Engineering. Wiley, Hoboken (2013)Google Scholar
  14. 14.
    Bourque, P., Fairley, R.E.: Guide to the Software Engineering Body of Knowledge (SWEBOK (R)): Version 3.0. IEEE Computer Society Press, Washington, D.C. (2014)Google Scholar
  15. 15.
    Shiralkar, T., Grove B.: Guidelines for secure coding (2009)Google Scholar
  16. 16.
    Howard, M.: Security development lifecycle (SDL) banned function calls (2012)Google Scholar
  17. 17.
    Howard, M., Lipner, S.: The Security Development Lifecycle. Microsoft Press, Redmond (2006)Google Scholar
  18. 18.
    Brenner, J.: ISO 27001: Risk management and compliance. Risk Manage. 54, 24 (2007)Google Scholar
  19. 19.
    Halkidis, S., et al.: A qualitative analysis of software security patterns. Comput. Secur. 25, 379–392 (2006)CrossRefGoogle Scholar
  20. 20.
    MITRE Corporation: Common weakness enumeration (2015).
  21. 21.
    Van Wyk, K.R., McGraw, G.: Bridging the gap between software development and information security. IEEE Secur. Privacy 3, 75–79 (2005)Google Scholar
  22. 22.
    Viega, J., McGraw, G.: Building Secure Software: How to Avoid Security Problems the Right Way Portable Documents. Pearson Education, Essex (2001)Google Scholar
  23. 23.
    Mansourov, N., et al.: Why hackers know more about our systems, pp. 1–21 (2011)Google Scholar
  24. 24.
    Bunke, M.: Software-security patterns: degree of maturity, p. 42 (2015)Google Scholar
  25. 25.
    Fernandez-Buglioni, E.: Security Patterns in Practice: Designing Secure Architectures Using Software Patterns. Wiley, Hoboken (2013)Google Scholar
  26. 26.
    Hui, Z., Huang, S., Ren, Z., Yao, Y.: Review of software security defects taxonomy. In: Yu, J., Greco, S., Lingras, P., Wang, G., Skowron, A. (eds.) RSKT 2010. LNCS, vol. 6401, pp. 310–321. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-16248-0_46 CrossRefGoogle Scholar
  27. 27.
    McGraw, G.: Software Security: Building Security In. Addison-Wesley Professional, Boston (2006)Google Scholar
  28. 28.
    Huang, C., Lin, F., Lin, F.Y., Sun, Y.S.: A novel approach to evaluate software vulnerability prioritization. J. Syst. Software 86, 2822–2840 (2013)CrossRefGoogle Scholar
  29. 29.
    Ghani, H., et al.: Predictive vulnerability scoring in the context of insufficient information availability, pp. 1–8 (2013)Google Scholar
  30. 30.
    Yun-hua, G., Pei, L.: Design and research on vulnerability database (2010)Google Scholar
  31. 31.
    Fahl, S., et al.: Rethinking SSL development in an appified world, pp. 49–60 (2013)Google Scholar
  32. 32.
    Acar, Y., et al.: You get where you’re looking for: the impact of information sources on code security, pp. 289–305 (2016)Google Scholar
  33. 33.
    Borstad, O.G.: Finding security patterns to countermeasure software vulnerabilities (2008)Google Scholar
  34. 34.
    McGraw, G.: Software security. 36, 662–665 (2012)Google Scholar
  35. 35.
    Julisch, K.: Understanding and overcoming cyber security anti-patterns. Comput. Netw. 57, 2206–2211 (2013)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.School of Arts, Media and Computer GamesUniversity of Abertay DundeeDundeeUK

Personalised recommendations