In the context of software, safety and security refer to two different aspects of system integrity:
1. Software Safety: This is about ensuring that a system operates without causing any unacceptable risk of physical injury or damage to the health of people, either directly or indirectly. For example, a software system controlling a medical device or an industrial process is safety-critical because a malfunction could cause harm to people. Safety issues are typically related to accidental failures of software.
2. Software Security: This is about protecting a system against malicious attacks and unauthorized access. Security measures are put in place to prevent unauthorized access to the system's data or services. This includes protection against threats such as hacking, viruses, and other forms of cyber-attacks. Security issues are typically related to intentional, malicious actions aimed at causing harm to the system or its users.
In summary, while safety is about preventing harm that could be caused by software failures (often unintentional), security is about preventing harm that could be caused by intentional malicious actions. Both are important aspects of software quality and require different strategies and techniques to address.
There are several safety standards that apply to software, particularly in safety-critical industries. Here are some of the most commonly used ones:
1. ISO 26262: This is an international standard for functional safety of electrical and electronic systems in production automobiles. It includes guidance on the development of software that is used in these systems.
2. IEC 61508: This is a generic standard for functional safety of electrical, electronic, and programmable electronic safety-related systems. It provides requirements for the entire lifecycle of these systems, including software development.
3. DO-178C (also known as EUROCAE ED-12C): This is the primary standard used for the certification of software in airborne systems and equipment in the aviation industry.
4. IEC 62304: This is a standard for the development of medical device software and software within medical devices. It specifies life cycle requirements for the development of medical software and software within medical devices.
5. ISO 13849: This standard provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems, including the software.
6. ISO 25119: This standard applies to tractors and machinery for agriculture and forestry. It addresses the safety-related parts of the control system and also covers the software aspects.
7. MISRA (Motor Industry Software Reliability Association): MISRA provides guidelines for the development of safety-related systems in road vehicles. While it originated in the automotive industry, MISRA guidelines, particularly MISRA C and MISRA C++, have been widely adopted in various industries to improve the safety and reliability of software. These guidelines provide rules for writing C and C++ code in a safe and reliable manner.
8. FDA (U.S. Food and Drug Administration): The FDA provides guidelines for the development of software used in medical devices. The document "General Principles of Software Validation; Final Guidance for Industry and FDA Staff" is a comprehensive guide that covers the validation of software used in medical devices. The FDA also has guidelines for software contained in medical devices, software that is a medical device, and software used in the production of a device or in the implementation of a device's quality system.
These guidelines and standards are designed to ensure that software used in safety-critical systems is developed and maintained in a way that ensures its safety, reliability, and quality.
These standards provide guidance on the entire software development process, including requirements specification, design, implementation, testing, maintenance, and quality assurance. They also provide specific techniques and measures to manage and control the risks associated with safety-critical software.
There are several security standards and guidelines that apply to software, particularly in industries where data protection and system integrity are crucial. Here are some of the most commonly used ones:
1. ISO/IEC 27001: This is an international standard for information security management systems (ISMS). It provides a framework for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS.
2. NIST Special Publication 800-53: Published by the National Institute of Standards and Technology (NIST), this document provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security.
3. PCI DSS (Payment Card Industry Data Security Standard): This is an information security standard for organizations that handle branded credit cards from the major card schemes. It provides an actionable framework for developing a robust payment card data security process, including prevention, detection, and appropriate reaction to security incidents.
4. OWASP (Open Web Application Security Project): While not a standard, OWASP is a non-profit organization that provides freely available security resources, including the OWASP Top 10, a regularly updated document outlining the most critical web application security risks.
5. CIS Controls (Center for Internet Security): The CIS Controls are a set of 20 actions designed to mitigate the most common cyber attacks. They are a widely recognized security standard for defending IT systems and data.
6. HIPAA (Health Insurance Portability and Accountability Act): In the United States, HIPAA sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.
7. GDPR (General Data Protection Regulation): This is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
8. CWE (Common Weakness Enumeration): CWE is a community-developed list of software and hardware weakness types. It serves as a common language for describing vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and a baseline for vulnerability identification, mitigation, and prevention efforts.
9. CERT-C: The CERT-C Secure Coding Standards are a set of software guidelines designed to help programmers avoid common mistakes that can lead to vulnerabilities in software. These standards provide rules and recommendations for secure coding in the C programming language.
10. ISO/IEC 17961: This is an international standard that establishes rules for secure coding in the C language. It aims to help programmers avoid coding errors that can lead to exploitable vulnerabilities. The standard is designed to be used by C language software developers and maintainers, and it complements the CERT-C Secure Coding Standards.
These standards and guidelines are designed to help software developers avoid common mistakes and pitfalls that can lead to vulnerabilities and security issues in software. They provide rules and recommendations for writing secure code and help to improve the overall security of software systems.
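To make the "rules and recommendations" concrete, here is an added example (not code from the original article) of what two CERT C rules look like when applied: a length sum that can wrap beside its checked form, and a string copy that fails closed when the destination cannot hold the data and its terminator. The rule identifiers STR31-C and INT30-C are the SEI CERT names assumed here; the 8-byte buffer and the inputs are constructed for the demonstration.

```c
/* Added example, not code from the original article: what CERT C secure
 * coding rules look like in practice. Rule identifiers assumed here are
 * STR31-C (string storage must hold the data plus the terminator) and
 * INT30-C (unsigned arithmetic must not wrap), both published by SEI CERT. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Noncompliant pattern (INT30-C): a length sum that silently wraps. */
size_t total_len_wrapping(size_t a, size_t b) {
    return a + b;  /* SIZE_MAX + 2 becomes 1, so a later bounds check passes */
}

/* Compliant: detect the wrap before it happens and report failure. */
bool checked_add_size(size_t a, size_t b, size_t *out) {
    if (a > SIZE_MAX - b) {
        return false;  /* the sum would exceed SIZE_MAX */
    }
    *out = a + b;
    return true;
}

/* Compliant copy (STR31-C): the caller passes the destination capacity and
 * the copy is refused when the source plus its terminator does not fit. */
bool copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t needed;
    if (dst == NULL || src == NULL || dst_size == 0) {
        return false;
    }
    if (!checked_add_size(strlen(src), 1, &needed) || needed > dst_size) {
        return false;  /* would truncate or overflow: reject instead */
    }
    memcpy(dst, src, needed);  /* includes the null terminator */
    return true;
}

/* Exercise copy_bounded against an 8-byte buffer (constructed sample sizes);
 * returns 1 when the copy is accepted and round-trips, 0 when rejected. */
int fits_in_8(const char *src) {
    char buf[8];
    return copy_bounded(buf, sizeof buf, src) && strcmp(buf, src) == 0;
}
```

A static analyser configured for CERT C or ISO/IEC 17961 flags the unchecked sum and any copy into a buffer whose size is not verified; the checked versions pass the same review.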
References
European Parliament and Council of the European Union (2016) Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the European Union.
International Electrotechnical Commission (IEC) (2010) IEC 61508: Functional safety of electrical/electronic/programmable electronic safety-related systems. Geneva: IEC.
International Electrotechnical Commission (IEC) (2015) IEC 62304: Medical device software – Software life cycle processes. Geneva: IEC.
International Organization for Standardization (ISO) (2011) ISO 26262: Road vehicles – Functional safety. Geneva: ISO.
International Organization for Standardization (ISO) (2015) ISO 13849: Safety of machinery – Safety-related parts of control systems. Geneva: ISO.
International Organization for Standardization (ISO) (2018) ISO 25119: Tractors and machinery for agriculture and forestry – Safety-related parts of control systems. Geneva: ISO.
International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) (2013) ISO/IEC 27001: Information security management systems – Requirements. Geneva: ISO.
International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) (2015) ISO/IEC 17961: Information technology – Programming languages, their environments and system software interfaces – C secure coding rules. Geneva: ISO.
MITRE Corporation (2024) Common Weakness Enumeration (CWE). Available at: https://cwe.mitre.org (Accessed: 21 January 2026).
Motor Industry Software Reliability Association (MISRA) (2019) MISRA C: Guidelines for the use of the C language in critical systems. UK: MISRA.
Motor Industry Software Reliability Association (MISRA) (2008) MISRA C++: Guidelines for the use of the C++ language in critical systems. UK: MISRA.
National Institute of Standards and Technology (NIST) (2020) Security and privacy controls for information systems and organizations (SP 800-53 Rev. 5). Gaithersburg, MD: NIST.
Open Web Application Security Project (OWASP) (2023) OWASP Top 10 – Web application security risks. Available at: https://owasp.org (Accessed: 21 January 2026).
PCI Security Standards Council (2022) Payment Card Industry Data Security Standard (PCI DSS). Available at: https://www.pcisecuritystandards.org (Accessed: 21 January 2026).
RTCA (2011) DO-178C: Software considerations in airborne systems and equipment certification. Washington, DC: RTCA.
Software Engineering Institute (SEI) (2023) CERT C Secure Coding Standard. Carnegie Mellon University. Available at: https://www.securecoding.cert.org (Accessed: 21 January 2026).
U.S. Department of Health and Human Services (FDA) (2002) General principles of software validation: Final guidance for industry and FDA staff. Food and Drug Administration.
U.S. Department of Health and Human Services (HHS) (1996) Health Insurance Portability and Accountability Act (HIPAA). Public Law 104-191.