Software Development and Quality Assurance

Pascal Meunier, Purdue University

Introduction

Metaissues in Software Development

Software Development Models

Capability Maturity Models

Certification

Requirements and Design

Requirements

Secure Design Principles

Best Practices

Languages

Quality Assurance in Coding and Testing

Coding Style

Secure Programming

Code Reviews

Testing

Conclusion

Glossary

Cross References

References

INTRODUCTION

This chapter, which has for its title the subject of many books, focuses on current observations, practices, consideration, and techniques that appear most effective in producing secure and trustworthy software. This chapter does not address related software engineering issues, such as obtaining predictions of release readiness, software quality metrics and quality models, or modularization and layer models. With reference to the common criteria EALs (evaluation assurance levels), the content is appropriate for low- and medium-assurance software projects (EALs 1–4). Because commercial, off-the-shelf software (COTS) rarely reaches EAL 4, this chapter is relevant for most COTS projects. Another chapter in this handbook focuses on high-assurance efforts (EALs 5–7).

The current state of COTS is grim. The ICAT (http://icat.nist.gov) vulnerability database contains more than 6,600 vulnerability entries (as of May 2004). Crackers think that they are clever for finding them and releasing exploits. Spam e-mail marketing, after getting banned and pursed away from ...