8 Security Design

The best way to get management excited about a disaster plan is to burn down the building across the street.

—Dan Erwin

Security is not a product, but a process.

—Bruce Schneier

What You Will Learn in This Chapter:

  • Cybersecurity terms such as shift-left security and DevSecOps
  • Kinds of malware including phishing attacks, viruses, Trojans, spoofs, sploits, and ransomware
  • Signs of social engineering attacks
  • Malware countermeasures

Security has been a key issue in software engineering as long as there has been software. Early computers were huge behemoths with limited or no dial-up access, so security was mainly physical.

Today computers are small, portable, and massively interconnected, so the security landscape has changed dramatically. Physical security is still important (you don't want someone to steal a laptop, phone, or flash drive containing sensitive data), but attacks through a network are far more common. It's hard to calculate exact numbers because many cyberattacks go unreported or even unnoticed, but the estimates are frightening. For example, it's estimated that around 30 percent of the world's computers are currently infected with malware.

This chapter describes some of the security issues that you should consider and address during high-level and low-level design.

SECURITY GOALS

You can summarize basic security goals with the acronym CIA, also known as the CIA triad. Here the letters in CIA stand for confidentiality, integrity, and availability. ...

Get Beginning Software Engineering, 2nd Edition now with the O’Reilly learning platform.
