iSQI Blog - International Software Quality Institute

Secure Software Engineering

Written by ISQI Group | Jan 27, 2025 11:40:40 AM

"Security must be thought of holistically" - Richard Seidl

Autor: Richard Seidl

 

The advancement of digitization brings an increase in attack targets. Software is everywhere – in cars, refrigerators, and even toothbrushes. However, the smarter the systems, the greater the attack surface. Secure Software Engineering (SSE) is the answer to this threat: a structured approach that not only defends against hackers but also builds trust.

Why Secure Software Needs to Be a Priority Now

In the past, security was often only considered at the end of the software development process, when a pen-test was performed. Sometimes it went well. Sometimes not – and then the panic set in, because some issues couldn’t be easily fixed at that point.

Cyberattacks aim to cause damage – and I believe we don’t even fully understand how large that damage really is. Many victims don't even realize it.

The solution: Integrating security into the entire development process. This reduces stress at the end of development, builds trust in the software from all stakeholders, and helps ensure compliance with regulations like the Cyber-Resilience Act (CRA).

Learning How to Do It

  • What sounds simple in theory is actually challenging in practice. I see this every day with my clients. "Integrating into the development process" sounds easy – but it involves so many areas that it quickly becomes complicated: risk management, requirements, architecture and design, software testing, lifecycle models, team, deployment, operations... It’s easy to lose track.

    This challenge is addressed by the new certification content in "ASQF Secure Software Engineering – Foundation Level". It covers these various aspects and provides guidance and direction on how SSE can be implemented.

    Over three days training, the following topics will be covered:

    > Basic Understanding of SSE: What is SSE? What does it include and what doesn’t it?
    > Threat Analysis and Requirements: How does SSE fit into requirements engineering and risk management? What methods are available?
    > Engineering and Architecture: What does security mean in architectural concepts and design methods?
    > Security Testing: Which static and dynamic testing methods help with security?
    > Lifecycle and Processes: How does SSE fit into deployment processes? What should be considered in operations?

    Personally, I see this as the right step forward. We can no longer afford to take an isolated perspective on different areas of software development. Our projects are too complex, too critical, and too prone to change. Quality must become the mindset of the team and all involved parties. The ASQF training offers this holistic view of the entire process while keeping the core topic of security at the forefront.

    Yours, Richie

 

 

About our Guest Author

Richard Seidl: Richard Seidl is a consultant, speaker, and podcast host. Throughout his career, he’s seen a lot of software – good and bad, large and small, new and old. Some software is so beautiful it makes you cry, and others are enough to make your toenails curl. For him, it’s clear: To create excellent software today, you need to think about the entire development process holistically: people, context, methods, and tools – only when everything aligns, does a mindset for potential and innovation emerge. He’s a sought-after keynote speaker at international conferences and events, has shared his expertise in eight books, and runs a successful community podcast about software testing.

 

 

 
View full post