Reflections
Weekly reflections of the individual units:
Unit 1
At the beginning of the module, techniques were learned that can be used in the development and creation of secure software to optimize the process. This includes the waterfall and agile approaches to software development, such as the SCRUM approach. The standards for the secure development of software were also emphasized and an introduction to UML models was given again. Working in a team is subject to various challenges that must be met in order to achieve optimal efficiency. Especially in view of the fact that in this module software is to be created within six weeks, smooth and productive teamwork is of high priority in order to be able to use the time efficiently and in a goal-oriented manner. The techniques discussed in this unit help here, although it must be differentiated which technique is most suitable for the module. Due to the limited time in which the software is to be developed, only an agile technique such as the SCRUM approach offers the appropriate flexibility and timing to create a product that is as finished as possible in a short time. This approach also offers the possibility of creating a finished product in different instances, so that the final product can be variable, depending on the development speed and requirements. Beyond the theory, however, this approach still has to be validated in a practical test in the team over the next few weeks in order to be able to develop a considered opinion on this variable approach. The reflected consideration of the standards in relation to the secure development of software offered an overview of the previous standards and regulations of the last modules. Although no new insights were gained, a change of perspective was made in a certain way, since the relevant standards and regulations are now not only analyzed and examined in the context of case studies, but also have to be considered when creating your own software. The same applies to the UML models. 
Since the models have only been used up to now to recreate existing structures, the models should now offer a possibility to support structured work in the team. Thus, the reflective handling and an understanding of conventions are of high priority in order to be able to exploit the potential of these presentation options.
Unit 2
The aim of this unit was to develop possibilities for the integration of software security development practices in the Software Development Life Cycle (SDLC) and to understand the challenges of software security. In order to develop general skills in dealing with software security, the ISO/IEC definitions of terms were examined (ISO, 2018). In order to train the application-related correct handling of these definitions, a blog entry was written about the dangers and mitigation approaches of employees in relation to security threats. The result of this blog entry was not only that terminology and awareness of dealing with terms in the context of cyber security were acquired, but also that the importance of the potential danger of threats from internal sources was addressed. Since more than 50% of all security breaches are caused by employees, this represents an important aspect in the development of secure software (Giandomenico & Groot, 2020). This once again made clear to me the importance of the 'least privilege principle' and the 'zero trust approach'. Such insights form the basis for the design of secure software, since often only external factors are taken into account in such a development and internal factors are overlooked or given less consideration. The seminar also discussed which factors should be given the greatest importance for the development of secure software. It was highlighted that design, as opposed to the language used and testing, has the greatest impact on successful secure software development. However, it should be noted that the other two factors, the programming language used, as well as testing and penetration testing, have a major impact on the final product. All of these factors have a great influence and can also influence each other. Furthermore, it was found in the seminar session that Python offers some advantages for secure software. 
Python doesn't store new input in an old memory space, but creates a new one, while the old memory space is cleared by the garbage collector. This represents an advantage over other programming languages such as C.
References:
- ISO (2018) Information technology – Security techniques – Information security management systems – Overview and vocabulary. Available from: https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-5:v1:en [Accessed 13 March 2022].
Unit 3
The aim of the unit was to get an overview of the history and concepts of programming languages. Security aspects as well as advantages and disadvantages of selected programming languages were also examined, and it was discussed whether Python can be described as a 'safe programming language'. When looking at the historical development of programming languages, an interesting finding was the extent to which the individual programming languages are intertwined and the rapid development of new languages from 1985 onwards (Sestoft, 2020). When technically examining selected programming languages such as C, Python, Java, Ruby and Perl, it is noticeable that each individual language offers its advantages and disadvantages in terms of security aspects (Cifuentes & Bierman, 2019). Based on this consideration, it is difficult for me to give a clear statement about the thesis whether Python can be classified as a 'safe programming language'. However, it should also be emphasized here that the term 'secure' is a difficult one to define precisely, as one might assume that 'secure' in this context could mean the absence of any threat or vulnerability. Under this assumption, no programming language is secure. However, there are programming languages that pay more attention to security than others. Given that 'secure' in this context means that a programming language offers basic possibilities to prevent or mitigate vulnerabilities, Python could be called a secure programming language. With this assumption, it is up to the programmer and the choice of design for the software to increase the security of a program and reduce vulnerabilities. However, it should be noted that in order to actively mitigate vulnerabilities, these must also be known. Python is a very popular and widely used programming language, which means that many studies on known and common vulnerabilities are available. This makes it easier to understand potential risks when writing the code, thereby increasing security.
References:
- Cifuentes, C. & Bierman, G. (2019) What is a Secure Programming Language? Leibniz International Proceedings in Informatics. 3(3):1-15. Available from: https://drops.dagstuhl.de/opus/volltexte/2019/10546/pdf/LIPIcs-SNAPL-2019-3.pdf [Accessed 24 March 2022].
- Sestoft, P. (2020) Programming Language Concepts. Available from: https://www.itu.dk/people/sestoft/plc/ [Accessed 25 March 2022].
Unit 4
In this unit, programming languages were examined for typical vulnerabilities and the influence they have on secure software development was determined. Furthermore, software testing modules that can contribute to secure software were learned, and an insight into cryptography was gained. The analysis of different programming languages has shown that each of the widely used programming languages offers potential targets for hackers (Cifuentes & Bierman, 2019). This knowledge brings me to the conclusion that when choosing a programming language for a project, this must already be taken into account in order to be able to create an end product that is as secure as possible. Furthermore, an understanding of known vulnerabilities offers a programmer the opportunity to actively shape the design in the development process in such a way that the threat of a successful attack can be minimized. This was a particularly interesting topic for me, as it gave me a lot of insights into secure software development. Getting to know and practicing with Python software testing modules taught me how software can automatically determine errors in programs and how this can contribute to the development of software and lead to more secure software. This is particularly helpful with regard to the planned development of software as part of the team project in the next course of the module, since the skills learned will not only be used here, but can also be further improved. Another very interesting topic of this unit was the discussion of cryptographic and steganographic approaches to encryption. Risks when using different encryption approaches were examined, and it was discussed which aspects must be considered for secure encryption and which potential technical threats must be observed. A completely new topic for me was steganography. This approach of hiding information in inert documents was an interesting yet obvious finding (Provos & Honeyman, 2003). 
The goal of encryption is to protect information from unauthorized access. The approach of steganography should offer the same result, since information that cannot be found by unauthorized persons also protects against unauthorized access. This realization made me realize the potential behind the versatile possibilities of steganography and encouraged me to gain deeper insights into this topic.
References:
- Cifuentes, C. & Bierman, G. (2019) What is a Secure Programming Language? Leibniz International Proceedings in Informatics. 3: 1-15. Available from: https://drops.dagstuhl.de/opus/volltexte/2019/10546/pdf/LIPIcs-SNAPL-2019-3.pdf [Accessed 31 March 2022].
- Provos, N. & Honeyman, P. (2013) Hide and seek: an introduction to steganography. IEEE Security & Privacy. 1(3): 32-44. Available from: https://ieeexplore.ieee.org/abstract/document/1203220 [Accessed 30 March 2022].
Unit 5
This unit provided an outlook on new trends in the software industry. These included Blockchain, Fog Computing, Internet of Things (IoT) and Cyber Physical Systems. The aspect of secure programming languages in the context of new developments was also examined. Blockchain technology is an extremely interesting approach to encryption and distributed peer-to-peer networking. While there are many advantages of blockchain technologies, such as encryption, traceability of relational flows and limitation of existential volumes (cryptocurrency), there are also disadvantages associated with the implementation of this technology. One of the most obvious disadvantages, especially with regard to cryptocurrencies, is the immense energy consumption involved in trading and mining the currency. For example, for the most well-known cryptocurrency Bitcoin alone, as much energy is consumed annually as entire countries require, with an upward trend (Huynh et al., 2012). In my opinion, such developments should give cause for concern, since although there is financial value creation here, it must be questioned whether this is sustainable and in what respect a financial equivalent is created. There is a heated debate about cryptocurrencies with representatives of both positions, so that an evaluation from my side is not sought. Cyber-physical systems are systems in which information and software technology are connected to mechanical components, with data transfer and exchange as well as control and management taking place in real time via an infrastructure such as the Internet. Essential components are mobile and moving equipment, devices and machines, embedded systems and networked objects (IoT), which play a central role in new industrial technologies in particular (Ochoa et al., 2017). 
Networking, which will continue to grow exponentially in the future, and the associated importance of the Internet in many aspects of our lives has great potential to have a positive influence on humanity, but this development also harbors risks. The backbone of any software, which forms the foundation of digital technologies, is the programming language. From a cyber security perspective, a central question is therefore whether and in what way programming languages can be described as secure. As discussed in the previous unit, this is a matter of definition. However, it should be noted that the development of programming languages in the historical context shows that programming languages are becoming more and more secure and that newly developed programming languages take more and more security aspects into account. It is therefore to be hoped that a programming language will be developed which can be defined as safe in relation to all aspects. However, this will be accompanied by the risk that new vulnerabilities will arise and be found.
References:
- Ochoa, S. F., Fortino, G. & Fatta, G. (2017) Cyber-physical systems, internet of things and big data. Future Generation Computer Systems. 75: 82-84. Available from: https://www.sciencedirect.com/science/article/pii/S0167739X17311196 [Accessed 08 April 2022].
- Huynh, A., Burggraf, T., Luong, H. & Bui, N. (2021) Energy Consumption and Bitcoin Market. Asia-Pacific Financial Markets. 29: 79-93. Available from: https://link.springer.com/article/10.1007/s10690-021-09338-4 [Accessed 08 April 2022].
Unit 6
In this unit, programming languages like Rust and Swift were compared to Python, and it was discussed which of the programming languages is the safest and best. Furthermore, the coding project was completed in this unit. The debate about programming languages and their security aspects that took place during the seminar session was an extremely interesting exchange of different perspectives. It was interesting to see what further developments and technical innovations have taken place in the last few decades in relation to programming languages and their security aspects. This also expanded my knowledge in relation to other languages, since I knew the programming language Rust by name, for example, but I had no knowledge of this language. Swift, on the other hand, was completely new to me, so it was a good experience for me to focus on aspects of the programming language. So it was a sensible finding that Swift can be seen as a counterpart to Python, since both languages are relatively easy to use, but in comparison Swift addresses some security aspects, which can be found in Python as well-known vulnerabilities (Echo innovate IT, N.D.). However, I also managed to take a critical look at Swift in order to reflect on the language. When comparing Rust and Swift during the seminar, it was found that Rust addresses and mitigates other aspects of security, but is not as user-friendly as Swift. In my opinion, it is therefore always necessary to weigh up which software should be developed and to choose the programming language on this basis. The voting in the seminar also suggested this, since a decision on the best programming language was required. One aspect that should be particularly emphasized is the argument that the best programming language is not one that takes into account as many security aspects as possible, but also other arguments such as user-friendliness. 
In this context, it should be noted that one of the most important security aspects when programming software is not the language, but the programmer's awareness of vulnerabilities in the chosen programming language and the associated design. When potential threats are known and addressed, these vulnerabilities can be mitigated. When using a potentially secure programming language without this awareness, careless use can lead to fatal vulnerabilities. An equally important insight was gained through the coding project. As part of the teamwork, it turned out that some team members took the leading role in the development of the program and thus an uneven participation in the code took place. It was therefore agreed that the code should be tested by other team members using testing tools. However, two problems have emerged as a result. On the one hand, testing the code was perceived as more difficult by me, since I did not have the in-depth knowledge of the code processes as the programmers did. On the other hand, it turned out that the code had errors and didn't work and I could only help to a very limited extent with troubleshooting due to the lack of knowledge about the code mentioned. This insight has shown me that even if some team members are better at programming, I have to actively participate in the development process, because on the one hand potential further developments of skills cannot otherwise be perceived and on the other hand blind trust in other team members poses a risk that the final product does not correspond to your own ideas. Even if this knowledge unfortunately came late and therefore cannot be applied to this project, I will take this knowledge with me to future coding projects and teamwork.
References:
- Echo innovate IT (N.D.) Swift Vs Python: Which of Them is More Promising. Available from: https://echoinnovateit.com/swift-vs-python/ [Accessed 11 April 2022].
Final Reflection
In the Secure Software Development module, a program was developed as part of a team project, which should address the security aspects of secure software. A central component was therefore the protection of information against unauthorised access. In the following, cryptographic and steganographic approaches are presented, associated vulnerabilities and risks are discussed and the resulting personal meaning for me is reflected. Cryptography and steganography aim to protect information from unauthorised access. While information is encrypted in cryptography, steganography follows the approach of hiding information in carrier media. The millennium-old development history of cryptography shows that attempts have always been made to encrypt information securely (Damico, 2009). However, insights I already learned have led me to the realisation that "for every action to store, secure and use data, there is an equal or greater reaction to steal data" (VanSyckel, 2018). It is therefore not surprising that the development in digital cryptography is characterised by rapid development, accompanied by a relatively short expiration time for the security of new developments. This can be seen, for example, in the Secure Hash Algorithm (SHA), which was developed in 1993 by the National Institute of Standards and Technology (NIST) to create a digital signature and was further developed in 1995, 2002 and 2015 to address security aspects due to technical progress and to accommodate decryption breakthroughs (NIST, 2015). While the current SHA-3 version is considered secure, study results show that vulnerabilities and loopholes in cryptography can remain unseen for years, but taking into account VanSyckel's thesis, malicious people will eventually find them, so it can be assumed that there is no permanently secure encryption method and possibly never will be (Mouha et al., 2018). 
Steganography offers an extremely interesting approach to increasing security, since the goal is that the information to be secured is not found. Images, audio, video or text documents can be used as carrier media to digitally hide information (Kaur & Behal, 2014). For example, using the Least Significant Bit (LSB) approach, up to 180,000 bytes of information to be hidden can be embedded in an 800 x 600 pixel image (Morkel et al., 2005). A disadvantage that arises here is that the colour of the original image is modified somewhat, since changes are made to the intensity of the RGB components. A viewer who knows the original image might notice this. Audio files offer a variety of options for hiding information. As with images, this can be realised through LSB, echo hiding, tone insertion, codebook modification, magnitude spectrum and many other approaches (Djebbar et al., 2012). While these examples demonstrate the variety of options that can be used to hide information in carrier data, it must be noted that each method of steganography comes with its own drawbacks that go hand in hand and a modification of the original carrier medium can be quickly identified by an automated technical investigation (Jayaram et al., 2011; Bell & Lee, 2010). The combination of steganography with cryptography can contribute significantly to the secure storage of secret information. However, both of these approaches have a central problem: How can the encryption key safely reach its destination when the information is transmitted without being intercepted by malicious persons? No matter how good the encryption is, with the key and enough effort, decryption will always be possible. A theoretical technical approach to enable this is the theory of quantum encryption. This is not an encryption in the classical sense, but essentially relates to the physical possibility of generating shared Einstein-Podolsky-Rosen quantum pairs and to use them for key transmission (Zhang et al., 2001). 
The physical background is that unique quanta can be created, split and directed to different spatial positions. However, accessing one of the quanta and thus the information stored in it results in both quantum pairs being extinguished. As a result of this physical peculiarity, secure transmission of the key can theoretically be guaranteed, since unauthorised access to the communication becomes noticeable. Disadvantages of quantum encryption can be found in technical challenges as well as practical application limitations. For example, communication using shared Einstein-Podolsky-Rosen quanta on Earth is spatially very limited due to the atmosphere and the resulting interference of the quanta with matter inside of cables, which means that use over large distances is only possible in space (Bedington et al., 2017). On the one hand, this in-depth consideration of cryptographic and steganographic approaches made clear to me the multitude of possibilities to protect information from unauthorised access. On the other hand, it was clearly recognisable that ongoing further development of skills in relation to data security is necessary in order to cope with the rapid development of new technologies and exploits. This study also only scratched the surface of the existing techniques for securing data, so that further investigations on this subject area are absolutely necessary. I was able to use the knowledge I had already acquired from physics to develop a new horizon of knowledge. The knowledge I have acquired helps me to expand my skills in terms of secure software development and to expand my portfolio of skills in a professional context. For future personal development, constant pursuit of new scientific advances must be striven for and the theoretically discussed methods practiced in practical applications.
References:
- Bedington, R., Arrazola, J. M. & Ling, A. (2017) Progress in satellite quantum key distribution. Quantum Information. 3(1): 1-13. Available from: https://www.nature.com/articles/s41534-017-0031-5 [Accessed 07 April 2022].
- Bell, G. & Lee, Y. K. (2010) A Method of Automatic Identification of Signatures of Steganography Software. IEEE Transactions on Information Forensics and Security. 5(2): 354-358. Available from: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5439771 [Accessed 03 April 2022].
- Damico, T. M. (2009) A Brief History of Cryptography. Inquiries Journal. Available from: http://www.inquiriesjournal.com/a?id=1698 [Accessed 01 April 2022].
- Djebbar, F., Ayad, B., Meriam, K. A. & Hamam, H. (2012) Comparative study of digital audio steganography techniques. EURASIP Journal on Audio, Speech and Music Processing. 1-16. Available from: https://asmp-eurasipjournals.springeropen.com/track/pdf/10.1186/1687-4722-2012-25.pdf [Accessed 05 April 2022].
- Jayaram, P., Ranganatha, H. R. & Anupama, H. S. (2011) Information hiding using audio steganography – a survey. The International Journal of Multimedia & Its Applications. 3: 86-96. Available from: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.1084.4166&rep=rep1&type=pdf [Accessed 05 April 2022].
- Kaur, N. & Behal, S. (2014) A Survey on various types of Steganography and Analysis of Hiding Techniques. International Journal of Engineering Trends and Technology. 11(8): 388-392. Available from: https://www.researchgate.net/profile/Sunny-Behal/publication/275597046_A_Survey_on_various_types_of_Steganography_and_Analysis_of_Hiding_Techniques/links/565be97408ae1ef92981597f/A-Survey-on-various-types-of-Steganography-and-Analysis-of-Hiding-Techniques.pdf [Accessed 05 April 2022].
- Morkel, T., Eloff, J.H.P & Olivier, M.S. (2005) An overview of image steganography. ISSA. 1(5): 1-11. Available from: https://d1wqtxts1xzle7.cloudfront.net/30900669/stegoverview-with-cover-page-v2.pdf?Expires=1648805937&Signature=Fs0WpH2Senyhw9NlyXNenDy3QAskKzqElcgRkqSLKO8G5pjWuYP~SvbzMP8P7ASfPCfiE8dU6w4eB2MlTTr~Vmx9aWlikvrLhbjw72yBSx-~wSuGuyPntWFlvbgeshXwKtcpDTv20QX6IOf4Uh964rF0FId8rmdGBY4oXBnhpYcxJJ~0R3bqiYwDwnY31i5e7FVg-3xRZjyyiMMSp1g6zqiSGWwlgjEcUyXUpC4ZwgU0DOXs4qJWeKn0Eumj7MKEebfePQ0dIJzVeTMbuT~5z1~moz0oQc-MLXANNvwS7vUSfMHXV~OA2I-MleHPjKQgLewLS8Sam2EOHfSuhICUDw__&Key-Pair-Id=APKAJLOHF5GGSLRBV4ZA [Accessed 03 April 2022].
- Mouha, N., Raunak, M. S., Kuhn, D. R. & Kacker, R. (2018) Finding Bugs in Cryptographic Hash Function Implementations. IEEE Transactions on Reliability. 67(3): 870-884. Available from: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8405614 [Accessed 03 April 2022].
- NIST (2015) Secure Hash Standard (SHS). Available from: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf [Accessed 02 April 2022].
- VanSyckel, L. (2018) Sealevel Systems White Paper – Introducing Cybersecurity. Sealevel. Available from: https://www.sealevel.com/support/white-paper-introducing-cybersecurity/ [Accessed 02 April 2022].
- Zhang, Y. S., Li, C. F. & Guo, G. C. (2001) Quantum key distribution via quantum encryption. Physical Review A. 62(2): 1-4. DOI: 10.1103/PhysRevA.64.024302. [Accessed 06 April 2022].
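
The Final Reflection's LSB capacity figure (180,000 bytes in an 800 x 600 image) and its remark that automated analysis can spot a modified carrier can be reproduced with a short Python sketch. This is an added example, not part of the original reflection or the module's project code; the constructed cover bytes, the SHA-256-derived stand-in for an encrypted payload, the 4-byte length header and all function names are assumptions made for illustration.

```python
import hashlib
from collections import Counter

def capacity_bytes(width, height, channels=3, bits_per_channel=1):
    """Payload bytes available when every colour channel gives up its lowest bit(s)."""
    return width * height * channels * bits_per_channel // 8

def embed(cover: bytes, payload: bytes) -> bytes:
    """Store a 4-byte length header (an assumption) plus payload, one bit per channel byte."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(cover):
        raise ValueError("payload exceeds the LSB capacity of the cover")
    stego = bytearray(cover)
    for i in range(len(data) * 8):
        bit = (data[i // 8] >> (7 - i % 8)) & 1
        stego[i] = (stego[i] & 0xFE) | bit  # only the least significant bit changes
    return bytes(stego)

def _read(stego: bytes, first_bit: int, nbytes: int) -> bytes:
    """Reassemble nbytes from the LSBs, starting at channel byte index first_bit."""
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[first_bit + 8 * b + k] & 1)
        out.append(value)
    return bytes(out)

def extract(stego: bytes) -> bytes:
    """Read the length header, then the payload it announces."""
    length = int.from_bytes(_read(stego, 0, 4), "big")
    if 32 + 8 * length > len(stego):
        raise ValueError("length header is not plausible for this carrier")
    return _read(stego, 32, length)

def pair_chi_square(channels: bytes) -> float:
    """Pearson chi-square of each value pair (2k, 2k+1) against an equal split.

    LSB replacement with random-looking data pushes both counts of a pair
    towards their mean, so an unusually LOW statistic is the warning sign.
    """
    hist = Counter(channels)
    stat = 0.0
    for even in range(0, 256, 2):
        expected = (hist[even] + hist[even + 1]) / 2
        if expected:
            stat += sum((hist[v] - expected) ** 2 / expected for v in (even, even + 1))
    return stat

def random_looking(n: int, seed: bytes = b"constructed-demo") -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 over a counter."""
    blocks = (hashlib.sha256(seed + c.to_bytes(4, "big")).digest() for c in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def demo() -> dict:
    width, height = 64, 64
    # Constructed cover: RGB bytes whose LSB plane is all zero (not a real photo).
    cover = bytes((i * 73 % 256) & 0xFE for i in range(width * height * 3))
    payload = random_looking(capacity_bytes(width, height) - 4)  # minus header
    stego = embed(cover, payload)
    return {
        "capacity_800x600": capacity_bytes(800, 600),
        "recovered_ok": extract(stego) == payload,
        "max_channel_change": max(abs(a - b) for a, b in zip(cover, stego)),
        "chi_cover": pair_chi_square(cover),
        "chi_stego": pair_chi_square(stego),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```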