Security Engineering

IT security is an important requirement for companies that depend on information technology, and users increasingly count on security against attacks and data protection being assured in IT products and services. However, the increasing sophistication, complexity, and mobility of software and systems present an obstacle when it comes to demonstrably protecting the design of a system in terms of security and balancing security needs with other system qualities that are just as important.

Security by design

Security against attacks is not an isolated quality that can be integrated into a system retroactively. It requires careful consideration right at the start of the development process and demands continuous attention and control throughout a system’s lifecycle. In order to ensure an adequate degree of security at acceptable cost, analytical and constructive skills must be combined with care and on various levels of abstraction.

Our guidelines for secure software design and implementation help you to avoid security vulnerabilities and to take appropriate technical and organizational security measures in all phases of development and operation. Our Certified Professionals for Secure Software Engineering (CPSSE) can guide your staff in implementing the principles and practices of secure software engineering with high quality.

We inspect your existing systems with regard to security vulnerabilities, which also includes checking the solidity of your security design and its implementation. We evaluate the adequacy and correctness of your security algorithms and test whether the protection of your user interfaces can be breached.

Considering competing quality properties

Security, as important as it may be, is only one of several qualities of a system. In most cases, it is not the primary goal of system development, but is only of secondary importance. The usefulness of an IT infrastructure depends on many quality factors, and IT security is often in conflict with other quality factors. Therefore it is extremely important to follow an integrated quality assurance approach in order to achieve an optimal balance between safety and security on the one hand, and usefulness, usability, and cost efficiency on the other hand. In striving to achieve this optimum, our experts, whose experience spans many topic areas, make use of our integrated software engineering skills for your benefit. For example, we evaluate the usability of your security design and assess how security risks can influence the safety of your safety-critical system.

We bundle our institute’s core competencies in the following areas in order to reconcile different requirements:

Mastering complexity

Developers are often faced with very large and complex IT infrastructures, software systems, or service architectures. In security engineering, focusing on just a few crucial aspects regarding design and implementation does constitute a challenge, but is indispensable for success and cost efficiency.

Our analysis methods support a modular process and make it possible to aggregate partial results for individual system components incrementally in order to derive security requirements for the overall system in a traceable manner.

Achieving and proving compliance with standards

In environments in which domain-specific security standards and regulations apply, it is not sufficient to provide a secure system: The challenge is also to fulfill specific normative requirements and to provide evidence that all rules and regulations have been correctly implemented in the respective software systems.

We help you determine the requirements for your individual product that are demanded by security standards such as 21 CFR Part 11 or the Protection Profile for the Gateway of a Smart Metering System, which is based on ISO/IEC 15408. We check your products in order to assess their compliance with a particular security standard and to identify existing compliance issues. Our experts support you in eliminating these issues. In addition, we also help you to represent the results of your threat and risk analyses in a way that makes it easy and convincing to prove compliance with the standard.

Secure IT infrastructure

Nowadays, no company can do without information technology, even if its core business has little to do with software or IT. Data protection and data security are essential prerequisites needed to protect processes and company secrets and to ensure dependable IT support.

We analyze your IT infrastructure with regard to fundamental security requirements and generally recognized best practices, for instance in accordance with the IT baseline protection catalogs. We help you to identify your greatest IT risk potentials and to secure your local IP networks.

We support you in accordance with established security principles:

  • in the design of a secure LAN architecture
  • in the configuration of your routers, switches, and firewalls