xx Core Software Security
• Remote control, modification, or disablement of critical weapon sys-
tems or platforms
• Disablement or modification of surveillance systems
• Criminal financial exploitation and blackmail
• Manipulation of financial markets and investments
• Murder or harm to humans through the modification of medical
support systems or devices, surgery schedules, or pharmaceutical
prescriptions
• Political insurrection and special-interest influence through the
modification of voting software, blackmail, or brand degradation
though website defacement or underlying Web application take-
down or destruction
A side effect of the cyber approach is that it has given us the abil-
ity to do the above at a scale, distance, and degree of anonymity pre-
viously unthought of from jurisdictionally protected locations through
remote exploitation and attacks. This gives government, criminal groups,
and activists abilities to proxy prime perpetuators to avoid responsibility,
detection, and political fallout.
Although there is much publicity regarding network security, the real
Achilles heel is the (insecure) software which provides the potential ability
for total control and/or modification of a target as described above. The
criticality of software security as we move quickly toward this new age of
tasks previously relegated to the human mind being replaced by software-
driven machines cannot be underestimated. It is for this reason that we
have written this book. In contrast, and for the foreseeable future, soft-
ware programs are and will be written by humans. This also means that
new software will keep building on legacy code or software that was writ-
ten prior to security being taken seriously, or before sophisticated attacks
became prevalent. As long as humans write the programs, the key to suc-
cessful security for these programs is in making the software development
program process more efficient and effective. Although the approach of
this book includes people, process, and technology approaches to soft-
ware security, we believe the people element of software security is still
the most important part to manage as long as software is developed, man-
aged, and exploited by humans. What follows is a step-by-step process for
software security that is relevant to today’s technical, operational, busi-
ness, and development environments, with a focus on what humans can