Secure Engineering

Overview

Ensuring security and privacy is still a major challenge in developing software and hardware. Most research in security is focused on new mechanisms, new architectures, new cryptographic primitives and protocols, and on verification and validation of security properties. These are important areas, and failures in these areas are responsible for several high-profile security incidents. But the vast majority of everyday vulnerabilities plaguing the users of IT are not introduced through weak mechanisms or weak architectures, but rather through lack of engineering discipline and tools, and lack of usability of mechanisms for developers and end users. An additional challenge is the lack of an economic understanding of the value of security mechanisms vis-a-vis the actual threats and risks of an actual IT system, which makes it difficult for security to get the appropriate management attention.

One specific focus for our research is "the ordinary developer": what can be done to make it really simple and effective for non-security specialists to get security right? Our work in this area is performed in cooperation with partners from industry.

More information

  • Software Security: Building Security In; by Gary McGraw; Addison-Wesley Professional; February 2006.
  • Security Engineering: A Guide to Building Dependable Distributed Systems (2nd ed); by Ross Anderson; Wiley, April 2008.
  • OWASP Consortium

 

SIT Research Group

Security in Information Technology

Sicherheit in der Informationstechnik

Prof. Dr. Michael Waidner
