During the spring semester, my students did great work looking into the security of a car’s electrical system. They managed to decode signals, understand high-level data, and perform small changes in the car’s function.
It all sounds great as a thesis project. Both the students and the company loved this project. It was challenging, it was new, it was useful. But I’m not writing this post about that. I want to write about what has happened, or not happened, after that.
In the months that came after the thesis, I decided to look into mechanisms for how to design and implement secure software. Being a programmer at the bottom, I turned to GitHub for help. I searched for tools and libraries for secure software design. I know, I could have searched for something different, but let’s start there.
The results were:
- Tools: sbilly/awesome-security: A collection of awesome software, libraries, documents, books, resources and cools stuffs about security. (github.com)
- Security checklist: shieldfy/API-Security-Checklist: Checklist of the most important security countermeasures when designing, testing, and releasing your API (github.com)
- Analysis frameworks:
  - MobSF/Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. (github.com)
  - 404notf0und/Security-Data-Analysis-and-Visualization: 2018-2020 Youth Safety Circle – Active Technology Blogger/Blog (github.com)
  - Or3stis/apparatus: A graphical security analysis tool for IoT networks (github.com)
  - Shopify/tainted_love: Dynamic Security Analysis for Ruby (github.com)
  - Josh-Payne/iot-sec-attack-circuits: Attack circuits for IoT Network Security Analysis (github.com)
There were more of these, but mostly of the same kind. I was a bit amazed by the fact that there is so little outside of web design. I also looked at some of the research in this area (no systematic review, I promised myself not to do one). There I found all kinds of work, but mostly theoretical. The areas of interest:
- Cryptography: how to encode/decode information, keys, passwords.
- Secure software design: mostly analysis of vulnerabilities.
- Secure systems: mostly about passwords and vulnerabilities.
- Privacy: how to keep the private information hidden from third parties (kind of security, but mostly something else – I’m still waiting to understand what).
- Legacy operations: how to make the software long-lived and provide it with secure infrastructure.
- Infrastructure: security of the cloud environments, end-to-end security.
Since I worked with software safety, I thought that it would be very similar. However, it was not. The safety community discussed, mostly, standardization, hazards, risks. Very little about code analysis, finding unsafe code, etc. So, mostly something different.
I’ll keep digging and I will run a few experiments with some of my students to understand what the technology could be. However, I’m not as optimistic as I was at the beginning of my search.