I often see the terms computer security and software security used interchangeably. However, even though they can be used interchangeably in some contexts, they are fundamentally different. Here, I will provide a short explanation of both and their main difference. Also, I provide a real-world example of when the lack of security affected a business.
Computer Security
Computer Security is the term used to describe the protection of information systems to preserve the integrity, availability, and confidentiality of all the information system resources (Guttman and Roback 1995). The most common attacks that computer security faces are: attacks by employees, unintended actions by employees, accidental occurrences, attacks by nonemployees and/or ex-employees, attacks by outsiders, and unintended actions by outsiders (Carroll 1996).
Computer Security can be achieved by the creation and implementation of a computer security policy. A security policy is the documentation of all computer security decisions, including rules for particular systems, privacy, and information management (Guttman and Roback 1995). Another simple definition provided by the authors of The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities, is “It is a simple list of what’s allowed and what’s forbidden” (Dowd et al 2007).
Software Security
The software has bugs due to design flaws or even implementation bugs which creates a very high-security risk for any organization (MacGraw 2006). In addition, any program could or has security holes, no matter how scrupulous or expert the software developers are (MacGraw 2006); therefore, it is important to face software security problems and how they affect the company. Software security is defined by McGraw as “the idea of engineering software that it continues to function correctly under malicious attack” (McGraw 2004). The vulnerability that security holes create in any system can be exploited by attackers who inject or modify the software and use them like cancer that can invade and modify software that was previously healthy(Goertzel).
To achieve software security, the software engineers, developers, testers, and integrators should follow some principles to minimize the risk of any software security hole. Those security principles are part of or incorporated within the development life cycle (James 2009). The general principles of secure software development described by Goertzel from Home Land Security in her article “Introduction to Software Security” (Goertzel 2009) are:
- Minimize the number of high-consequence targets
- Don’t expose vulnerable and high-consequence components
- Deny attackers the means to compromise
- Always assume “the impossible” will happen
- Never make blind assumptions
- Security software is not the same as secure software
Differences Between Computer Security and Software Security
The difference between computer security and software security is that computer security is in charge of the security and prevents attacks on computers themselves and networks while software security is in charge of creating or developing software that is secure and prevents attacks. We can say that software security is a part of computer security that makes use of principles and best practices to make better software that can avoid hacks and can continue working during attacks (McGraw 2004).
How the Lack of Security Resulted in a Loss to a Business
Telephone Company in the Dominican Republic
In the early 2010s, a telephone company in the Dominican Republic had a big issue around the SMS platform because the users we able to see all text messages sent through their system which raised a very high-security issue related to user privacy. The real problem was that every SMS sent by the users was visible on a public page on the company’s website. All messages were shown in an HTML table containing the number who send it, the message itself, and the time of the message. This problem was reported by bloggers in the Dominican Republic and by the end of the day everybody knew about it. A lot of customers left the company and complain about the issue because all the messages were public and you just needed to search for the page for the phone number of a person of interest.
Software Engineer’s Role in Making Secure Software
The role played by a software engineer in making sure that software developed by him/her is secure is applying security patterns, best practices, and principles to their code to prevent most attacks. Additionally, they are required to test the software before it is released to production and to refactor the code to obtain optimal results.
The telephone company did not follow best practices to maintain and protect the security of the application and the privacy of the users. This HTML table might have been for testing purposes even before the system was shipped to production. However, keeping this page public and without a password drastically affected the business. Also, even with a password, this page was a bad idea because there should be policies on who could inspect this data.
References
- Carroll, John M. Computer Security. United States: Butterworth-Heinemann, 1996. Dowd, Mark, and others. The Art of Software Assessment: Identifying and Preventing Software Vulnerabilities. Michigan, Pearson Education Inc., 2007.
- Goertzel, Karen Mercedes. “Introduction to Software Security.” Homeland Security, September 1, 2009, accessed April 15, 2023,
http://web.archive.org/web/20100527135925/https://buildsecurityin.us-cert.gov/bsi/547-BSI.html - Guttman, Barbara, and Edward Roback. An Introduction to Computer Security: The NIST Handbook. Washington: US Government Printing Office, 1995.
- McGraw, Gary. Software Security: Building Security In. Indiana, Pearson Education Inc., 2003.
- McGraw, Gary. “Software Security.” Cigital, 2004, accessed April 15, 2023 https://www.garymcgraw.com/wp-content/uploads/2015/11/bsi1-swsec.pdf
