Software Development and Quality Assurance
Pascal Meunier, Purdue University
This chapter, whose title is the subject of many books, focuses on the current observations, practices, considerations, and techniques that appear most effective in producing secure and trustworthy software. It does not address related software engineering issues, such as obtaining predictions of release readiness, software quality metrics and quality models, or modularization and layer models. With reference to the Common Criteria EALs (evaluation assurance levels), the content is appropriate for low- and medium-assurance software projects (EALs 1–4). Because commercial, off-the-shelf software (COTS) rarely reaches EAL 4, this chapter is relevant for most COTS projects. Another chapter in this handbook focuses on high-assurance efforts (EALs 5–7).
The current state of COTS is grim. The ICAT (http://icat.nist.gov) vulnerability database contains more than 6,600 vulnerability entries (as of May 2004). Crackers think that they are clever for finding them and releasing exploits. Spam e-mail marketing, after getting banned and pursed away from ...