Fermilab Computing Division

CS Document 2984-v1

CHEP09 Abstract - A Code Inspection Process for Security Reviews

Document #:
CS-doc-2984-v1
Document type:
Conference
Submitted by:
Gabriele Garzoglio
Updated by:
Gabriele Garzoglio
Document Created:
12 Nov 2008, 09:02
Contents Revised:
19 May 2009, 10:25
Metadata Revised:
19 May 2009, 10:25
Viewable by:
  • Public document
Modifiable by:

Quick Links:
Latest Version

Other Versions:
CS-doc-2984-v0
12 Nov 2008, 09:14
Abstract:
In recent years, it has become more and more evident that software threat communities are taking an
increasing interest in Grid infrastructures. To mitigate the security risk associated with the increased numbers of attacks, the Grid software development community needs to scale up effort to reduce software vulnerabilities. This can be achieved by introducing security review processes as a standard project management practice.

The Grid Facilities Department of the Fermilab Computing Division has developed a code inspection process, tailored to
reviewing security properties of software. The goal of the process is to identify technical risks associated with an application and their impact.

This is achieved by focusing on the business needs of the application (what it does and protects), on understanding threats and exploit communities (what an exploiter gains), and on uncovering potential vulnerabilities (what defects can be exploited). The desired outcome of the process is an improvement of the quality of the software artifact and an enhanced understanding of possible mitigation strategies for residual risks.

This paper describes the inspection process and lessons learned on applying it to Grid middleware.

Files in Document:
Associated with Events:
CHEP 2009 held from 21 Mar 2009 to 27 Mar 2009 in Prague, Czech Republic
DocDB Home ]  [ Search ] [ Authors ] [ Events ] [ Topics ]

DocDB Version 8.8.9, contact Document Database Administrators