
Secure Software Engineering

Cyber attacks are increasingly targeting software vulnerabilities at the application layer. It is difficult to address these vulnerabilities: Software at this layer is complex, and the security ultimately depends on the many software developers involved.

Cyber attacks are increasingly targeting software vulnerabilities at the application layer. Vulnerabilities at this layer are well known; for example, OWASP publishes a list of common weaknesses, called the OWASP top ten. Addressing the vulnerabilities at the application layer is difficult, however: Software at this layer is complex, and the security ultimately depends on the many software developers and software development firms who write web applications, apps, addons, libraries, and so on. We are deploying several activities in the area of secure software engineering:

 Software design

  • Secure software engineering initiatives stocktaking: We are monitoring EU and international initiatives that try to address the issue of secure software engineering. We have published an overview of these initiatives (Secure Software Engineering Initiatives). We will organize a workshop in 2011 that brings these initiatives together, in an effort to foster collaboration among them and, at the same time, promote their work.
  • Secure App Development: In collaboration with OWASP (OWASP's Mobile Security project), ENISA is addressing the lack of security guidelines for developers of smartphone apps. The goal of this activity is to give smartphone developers a list of design principles and coding techniques for addressing the top ten smartphone risks.
  • Assessment of the next generation web standards: W3C and other organisations are currently drafting a new generation of web application standards based on HTML and they will be issuing a final call for comments in Q2 of 2011. We are analyzing (together with Distrinet KULeuven) the new web application standards in order to assess the main risks and issues for users, websites, browser developers, web app developers, etc.