ARUR_logoY Soft Applied Research and University Relations (ARUR) is a program under which we ysofters:

  • Supervise and consult students working on their theses
  • Support student research positions at research laboratories
  • Offer student internships
  • Give lectures at universities
  • Organize and support student events

This post provides statistics (collected for the last six years) about some of the Y Soft ARUR activities mentioned above.

Theses supervision

During the last six years, 46 bachelor and master theses realized in collaboration with Y Soft were successfully defended. See Figure 1 for a number of theses defended per each year. In 2015, for example, 6 bachelor and 8 master theses were successfully defended. Most of all the theses came from Y Soft R&D in collaboration with the Faculty of Informatics, Masaryk University.

Figure 1

Figure 1. Number of defended theses

More than 75% of all theses defended during the last six years received “A” or “B” grade. See Figure 2 for grades statistics per each year. In 2015, for example, 14 theses were successfully defended and received eight “A” and six “B” grades (i.e., 100% of the theses defended in 2015 received “A” or “B” grade).

Figure 2

Figure 2. Grades of defended theses

Since 2012, five of the students received awards for their theses (see Figure 3).

Figure 3

Figure 3. Number of awards

Part-time positions at Y Soft

14 students were given part-time jobs within the scope of ARUR during the last six years. Some of these part-timers have been working in Y Soft on their bachelor or master thesis for more than a year. There were ten students from the Faculty of Informatics (Masaryk University), two from the Faculty of Electrical Engineering and Communication (Brno University of Technology), and two from the Faculty of Information Technology (Brno University of Technology).

Student positions at research laboratories

Every year, in cooperation with the Faculty of Informatics, Masaryk University, we participate in organizing a competition for talented students who are in the first or the second year of their bachelor studies. During the last six years, we have supported nine students who were winners of the competition. Some students were funded for more than one year. In 2015, six student positions at research laboratories have been funded.

Thanks to all already participating in our ARUR program and we are looking forward for new participants!

We are more than happy to discuss any suggestions and ideas for cooperation you might have.

Contact us: uni-rel@ysoft.com

sdl-shield-greenNowadays, security becomes an important aspect of almost every software system. Unfortunately, it does not necessary mean that security is adequately considered in every piece of software. What does “adequately” mean? For me, security measures are adequate if an investment to them is less than loss caused if these measures were not implemented. I would say this explanation is clear if there is no unknown variable there, i.e., the potential loss.

If a company has no security incidents so far, does it mean that its security measures are adequate and it should not put additional investments in security? It is really hard to say yes or no. The software may change (e.g., it may introduces new features with new attack vectors), the market can change (e.g., more people can start using the software, so it may become more attractive to attackers), and the environment where the software is used may change (e.g., from an intranet solution it may become a public cloud based solution).

The history gives us a generous hint. No matter what, security incidents happen. The question is only when a what impact it will have on the customers and the company.

“Security is a process, not a product”
– Bruce Schneier

In order to create secure products, a company should regularly evolve and adapt its development processes to changes that continuously take place around us.
Here, in Y Soft, we decided to examine and try in one of our development teams the Microsoft Secure Development Lifecycle (SDL) that is a process aiming to help to build more secure software.

In this series of posts, I would like to:

  • Look at Microsoft SDL in more details,
  • Describe its advantage/disadvantages as we perceive them here in Y Soft,
  • Describe obstacles we meet and how we overcome them.

Secure Development Lifecycle (SDL) is a process that helps to build more secure software. Microsoft introduced its SDL in 2004, successfully uses and regularly updates it. Microsoft SDL covers all phases of development process, e.g., Requirements, Design, Implementation, Verification and Release.

Training → Requirements → Design → Implementation → Verification → Release → Response

Microsoft SDL describes tasks that should be completed at each phase and also provides tools and training materials that are available free of charge.
Key features of Microsoft SDL, as I perceive them, are:

  1. Security is considered systematically. Developers and managers can be certain to some degree that important security issues were not overlooked and they will not emerge at release (or after release) phase where their resolution is often not cost effective.
  2. Microsoft SDL is designed to be a part of software development process. And this is probably the most important thing about it. A bullet-proof system does not exist. New attacks appear all the time. And it is important that new defenses that come after are in place and in time.
  3. Security is considered early in the product lifecycle. The process starts from the requirements phase. It means that design reflects requirements on security features and features that need to be secure. The process that starts from the requirements phase, among other, decreases the risk of security design flaws in the later phases and hence decreases the total development cost.
  4. Process is primarily focused on developers. Most of the tasks from the Microsoft SDL are completed by developers themselves. The tasks include among others, threat modeling, secure design, code analysis using static analysis tools, etc. Security experts are those who are consulting, reviewing and helping developers to get their job done right.
  5. It can be integrated gradually. Microsoft SDL defines four maturity levels (Basic, Standardized, Advanced and Dynamic) where each level has additional tasks (that should be completed) in comparison to the previous one.
  6. It naturally fits the software development process. Tasks and activities defined in the Microsoft SDL logically follow or extend tasks that are normally done by developers. For example, for systematic threat analysis, a developer can utilize the Microsoft SDL Threat Modeling Tool. This tool uses Data Flow Diagrams (DFDs) that resemble container/component diagram from C4 model that is used by our developing teams.

Next time, we will look at the training and requirements phase, and discuss activities and tasks we decided to implement.