Volume 10 Issue 3 • May-June 2012
[Front cover]
Publication Year: 2012, Page(s): c1
Usenix 2012
Publication Year: 2012, Page(s): c2
Table of contents
Publication Year: 2012, Page(s): 1 - 2
A Key to the Castle
Publication Year: 2012, Page(s): 3
[Masthead]
Publication Year: 2012, Page(s): 4
Security Analytics and Measurements
Publication Year: 2012, Page(s): 5 - 8
Cited by: Papers (4)
The magazine's founding editor in chief, George Cybenko, and his first successor, Carl E. Landwehr, provide perspectives on the need for measuring security and the meaning of those measurements in the context of adversarial dynamics.
Silver Bullet Talks with Giovanni Vigna
Publication Year: 2012, Page(s): 9 - 11
Guest editors' introduction: Software Assurance for the Masses
Publication Year: 2012, Page(s): 14 - 15
Transitioning Parfait into a Development Tool
Publication Year: 2012, Page(s): 16 - 23
Cited by: Papers (4)
The Parfait static-code-analysis tool started as a research project at Sun Labs (now Oracle Labs) to address runtime and precision shortcomings of C and C++ static-code-analysis tools. After developers started to see and verify the research outcomes, they made further requests to ensure the tool would be easy to use and integrate. This helped transition Parfait from a research artifact to a develo...
The Software Industry's "Clean Water Act" Alternative
Publication Year: 2012, Page(s): 24 - 31
Cited by: Papers (2)
With water, we trust that qualities harmful to its intended use aren't present. To avoid a regulatory solution to problems with contaminants that endanger software's intended use, the industry needs to implement processes and technical methods for examining software for the contaminants that are most dangerous given its intended use. By finding systematic and verifiable ways to identify remove, an...
SAVI: Static-Analysis Vulnerability Indicator
Publication Year: 2012, Page(s): 32 - 39
Cited by: Papers (6)
Open source software presents new opportunities for software acquisition but introduces risks. The selection of open source applications should take into account both features and security risks. Risks include security vulnerabilities, of which published vulnerabilities are only the tip of the iceberg. Having an application's source code lets us look deeper at its security. SAVI (Static-Analysis V...
Measuring the Value of Static-Analysis Tool Deployments
Publication Year: 2012, Page(s): 40 - 47
Cited by: Papers (5)
For optimum success, static-analysis tools must balance the ability to find important defects against the risk of false positive reports. A human must interpret each reported warning to determine if any action is warranted, and the criteria for judging warnings can vary significantly depending on the analyst's role, the security risk, the nature of the defect, the deployment environment, and many ...
Static Analyzers: Seat Belts for Your Code
Publication Year: 2012, Page(s): 48 - 52
Cited by: Papers (5)
Just as seat belt use is widespread, static analysis should be part of ethical software development. Because security must be designed in, static analysis should occur early in software development to reduce vulnerabilities or, even better, provide feedback to educate software developers and reinforce good practices, minimizing vulnerable constructs ever getting in the code. Even as industry migra...
Static Analysis in Motion
Publication Year: 2012, Page(s): 53 - 56
As part of this special issue on static analysis, guest editor Brian Chess put together a roundtable discussion with leaders in the field. Here, they discuss their views on where static analysis is today and what's required to make it an effective part of creating secure and reliable software.
Blaming Noncompliance Is Too Convenient: What Really Causes Information Breaches?
Publication Year: 2012, Page(s): 57 - 63
Cited by: Papers (6)
Information breaches demand a vigorous response from organizations. The traditional response is to institute policies to constrain and control employee behavior. Information security policies inform employees about appropriate uses of information technology in an organization. Unfortunately, limited evidence exists that such policies effectively reduce confidentiality breaches or information loss....
Detecting Targeted Malicious Email
Publication Year: 2012, Page(s): 64 - 71
Cited by: Papers (8)
Targeted malicious emails (TME) for computer network exploitation have become more insidious and more widely documented in recent years. Beyond spam or phishing designed to trick users into revealing personal information, TME can exploit computer networks and gather sensitive information. They can consist of coordinated and persistent campaigns that can span years. A new email-filtering technique ...
Resilience: What Is It, and How Much Do We Want?
Publication Year: 2012, Page(s): 72 - 75
The word "resilience" is increasingly popular to designate some properties we want from systems. When we use this word, do we all mean the same concept? Or the same set of multiple concepts? How do we know when we've achieved it, or them, or a certain amount of them? To design systems, write contracts, or manage organizations, we need some common view about all this.
NICE: Creating a Cybersecurity Workforce and Aware Public
Publication Year: 2012, Page(s): 76 - 79
Cited by: Papers (4)
The National Initiative for Cybersecurity Education (NICE) aims to create an operational, sustainable, and continually improving program for cybersecurity awareness, education, training, and workforce development. As part of the initiative, the NICE Cybersecurity Workforce Framework aims to codify cybersecurity talent; define the cybersecurity workforce in common terms; and tie the workforce's var...
Hardware-Anchored Security Based on SRAM PUFs, Part 1
Publication Year: 2012, Page(s): 80 - 83
Cited by: Papers (2) | Patents (1)
Physical unclonable functions (PUFs) originate in intrinsic properties extracted from devices and objects for the purpose of identification. A special type of silicon PUFs called SRAM (static RAM) PUFs can help make integrated circuits securer.
The Clouds Roll By
Publication Year: 2012, Page(s): 84 - 87
Technology changes have driven us first away from centralized computer services and now back toward centralization. Security and reliability are likely to improve as expertise is also centralized and fewer demands are placed on the relatively inexperienced individual users.
Developing Secure Products in the Age of Advanced Persistent Threats
Publication Year: 2012, Page(s): 88 - 92
Cited by: Papers (2)
Advanced persistent threats (APTs) are making technology providers reconsider their security assumptions for secure product development. This article suggests an industry roadmap for rethinking product security in the face of APTs. It also describes steps EMC has taken to implement this roadmap and strengthen its product development practices.
ICS Update
Publication Year: 2012, Page(s): 93 - 95
The natal announcement for the Index of Cyber Security (ICS) first appeared in these pages one year ago. As we promised at the outset, its first birthday marked the time for a review. The ICS is composed from a survey of expert sentiment, that is to say, it asks a set of respondents what they think. Sentiment-based indices have a long history and wide acceptance; two (US) examples are the Consumer ...
Fighting the Last War
Publication Year: 2012, Page(s): 96
Magazine Subscribe [Advertisement]
Publication Year: 2012, Page(s): c3
Editor-in-Chief
David M. Nicol
University of Illinois at Urbana-Champaign
dmnicol@illinois.edu