Software Security
Software security can be viewed from several perspectives.
First, the organization developing the software must implement a secure process to ensure that the products it develops can be trusted. This can be done as part of a continuous integration / continuous distribution process (CI/CD), implementing and mastering the Software Development Life Cycle (SDLC).
Second, within the organizational framework and processes, secure software design must be enforced, using for example secure coding rules and vulnerability assessment.
Finally, the objective of the developed software product will be to allow users to perform secure functions and services. Thus, the software system, and the data it processes must be trustworthy.
Security can be implemented as part of an organizational security and quality process, for example by following recommendations of standards such as the ISO21434 on automotive cybersecurity. It can also benefit from CI/CD and SLDC guidelines and best practices, which are commonly used in modern software development.
Software products should be developed implementing coding rules appropriate to the standards and market segment being addressed, and verified throughout the development cycle with appropriate static and dynamic tools. Vulnerability assessment can be performed during the development cycle.
Common Weakness Enumeration (CWE) can be used as a reference checklist, and Common Vulnerability and Exposures (CVE) can be used on a regular basis as a source of information on issues to avoid or solve in products already on the market, or on tools and libraries that may be in common use: software tools should always be up to date and no obsolete version should be used. CVE may also receive new information if a vulnerability is discovered.
The security software may be used to perform various services such as key generation or key derivation, with the generated keys being used in various cryptographic operations.
The security software may also be used to perform various cryptographic functions, either symmetric encryption and decryption, public key encryption or decryption, and digital signature generation and validation, and used for example for user authentication.
This last point is addressed by Secure-IC’s Software Cryptographic Library solution. This solution embeds multiples software implementations of cryptographic algorithms such as AES, RSA-based cryptography, ECC-based cryptography and hash and MAC functions.