IEEE offers a variety of tools and services to help make systems more secure.
The IEEE Cybersecurity Web portal houses the latest activities of the IEEE Cybersecurity Initiative, including its Center for Secure Design, which seeks to identify common software design flaws. The portal also has links to organizations involved with protecting computer security and privacy, as well as excerpts from books on software security and articles from the IEEE Computer Society Digital Library.
The portal also has a link to the entire catalog—more than 100 episodes—of the “Silver Bullet” podcast, which IEEE Senior Member Gary McGraw has been hosting for more than eight years. McGraw, chief technology officer at the software security consultant Cigital, interviews security experts on a variety of topics.
One of the episodes, for example, is a roundtable discussion with people who helped establish the Center for Secure Design. They discuss its origin, explain why design flaws are more difficult to fix than implementation bugs, and point out the problems with software designed for cars.
IEEE Security & Privacy magazine, from the IEEE Computer Society, publishes articles by leaders in the field. It covers diverse aspects of information assurance such as legal issues, privacy concerns, tools for securing information, attack analysis, cybersecurity design trends, and developments in hardware and software.
Also from the Computer Society is the bimonthly IEEE Transactions on Dependable and Secure Computing, which publishes archival research results focusing on the foundations, methodologies, and mechanisms of systems and networks. Articles focus on measurement, modeling, and simulation techniques, as well as on foundations for jointly evaluating, verifying, and designing within performance, security, and dependability constraints.
IEEE Transactions on Information Forensics and Security, published by the IEEE Signal Processing Society, covers the science, technologies, systems, and applications related to information security, biometrics, surveillance, and related fields.
Look for them in the IEEE Xplore Digital Library.
The Computer Society offers four software security–related courses: Foundations of Software Security, Secure Software Design, Managing Security Software Development, and Security Software Coding. The foundations course, for example, provides an overview of counter measures used to thwart well-known and emerging threats. The course on coding presents language- and application-specific techniques. Each course takes about 7 hours.
They can be found in the Professional Education section of the society’s website.
The IEEE Industry Connections Security Group is composed of organizations that pool their resources to address threats. The ICSG was established in 2009 under the umbrella of the IEEE Standards Association’s Industry Connections program, which brings together market competitors to build consensus and incubate standards, products, and services suitable for sharing.
Four subgroups have been established. The Malware Working Group tackles malicious software that can infiltrate operating systems and cause all kinds of trouble, including the loss of personal data. The group is establishing better ways of sharing malware samples and the information associated with them, so as to improve computer security. In 2010, the ICSG released free XML schemes for sharing malware samples.
The Malware Metadata Exchange Format Working Group also focuses on expanding the breadth of information exchanged.
The Privilege Management Protocols Working Group develops procedures for efficient authentication and secure determination of “who can do what.” The “who” is defined as a framework that uses public key–based identities for authentication.
In cryptography, a public key is a value provided by a designated authority that, combined with a private key derived from the public key, can be used to encrypt messages and digital signatures. The authorization of “what” a device can do is based on management of the identity that can be authenticated, formed by hashing the public key. This approach has considerable advantages over shared key–based systems.
The IEEE Standards Association offers other types of assistance to combat malware. The IEEE Anti-Malware Support Service has two tools: the Clean File Metadata Exchange (CMX) and a “taggant” system.
The CMX provides real-time access to information related to clean software files, even prior to the publication of the corresponding software. That can help reduce the number of false positives detected by antivirus software as it searches for malware.
The taggant system places a cryptographically secure marker in files created by commercial software distribution packaging programs, or packers. Legitimate packers often are abused by malware creators that develop many difficult-to-detect variants of their malware. The taggant system’s markers identify the specific packer user’s license key, enabling a blacklisting of the malware. The system also reports suspicious files.
Visit the Standards Association website for more information on these and other services.