Core software security : security at the source

Select an Action

Place Hold(s)
Add to My Lists
Email
Print

Title:

Personal Author:

Ransome, James F., author

Publication Information:

Boca Raton : Taylor & Francis, 2014

Physical Description:

xxvi, 388 pages : illustrations ; 24 cm.

ISBN:

9781466560956

Abstract:

"This book outlines a step-by-step process for software security that is relevant to today's technical, operational, business, and development environments. The authors focus on what humans can do to control and manage a secure software development process in the form of best practices and metrics. Although security issues will always exist, this book will teach you how to maximize an organizations ability to minimize vulnerabilities in your software products before they are released or deployed by building security into the development process. This book is targeted towards anyone who is interested in learning about software security in an enterprise environment to include product security and quality executives, software security architects, security consultants, software development engineers, enterprise SDLC program managers, chief information security officers, chief technology officers, and chief privacy officers whose companies develop software. If you want to learn about how software security should be implemented in developing enterprise software, this is a book you don't want to skip"--provided by publisher

Subject Term:

Computer security

Added Author:

Misra, Anmol,

Schoenfield, Brook,

Available:*

Library	Item Barcode	Call Number	Material Type	Item Category 1	Status
Searching... PSZ JB	30000010344146	QA76.9.A25 R364 2014	Open Access Book	Book	Searching... Unknown

On Order

Summary

"... an engaging book that will empower readers in both large and small software development and engineering organizations to build security into their products.nbsp;... Readers are armed with firm solutions for the fight against cyber threats."
--Dr. Dena Haritos Tsamitis. Carnegie Mellon University

"... a must read for security specialists, software developers and software engineers. ... should be part of every security professional's library ."
--Dr. Larry Ponemon,nbsp;Ponemon Institute

"... the definitive how-to guide for software security professionals. Dr. Ransome, Anmol Misra, and Brook Schoenfield deftly outline the procedures and policies needed to integrate real security into the software development process. ...A must-have for anyone on the front lines of the Cyber Warnbsp;..."
--Cedric Leighton, Colonel, USAF (Ret.), Cedric Leighton Associates

"Dr. Ransome, Anmol Misra, and Brook Schoenfield give you a magic formula in this book - the methodology and process to build security into the entire software development life cycle so that the software is secured at the source! "
--Eric S. Yuan, Zoom Video Communications

There is much publicity regarding network security, but the real cyber Achilles' heel is insecure software. Millions of software vulnerabilities create a cyber house of cards, in which we conduct our digital lives. In response, security people build ever more elaborate cyber fortresses to protect this vulnerable software. Despite their efforts, cyber fortifications consistently fail to protect our digital treasures. Why? The security industry has failed to engage fully with the creative, innovative people who write software.

Core Software Security expounds developer-centric software security, a holistic process to engage creativity for security. As long as software is developed by humans, it requires the human element to fix it. Developer-centric security is not only feasible but also cost effective and operationally relevant. The methodology builds security into software development, which lies at the heart of our cyber infrastructure. Whatever development method is employed, software must be secured at the source.

Book Highlights:

Supplies a practitioner's view of the SDL Considers Agile as a security enabler Covers the privacy elements in an SDL Outlines a holistic business-savvy SDL framework that includes people, process, and technology Highlights the key success factors, deliverables, and metrics for each phase of the SDL Examines cost efficiencies, optimized performance, and organizational structure of a developer-centric software security program and PSIRT Includes a chapter by noted security architect Brook Schoenfield who shares his insights and experiences in applying the book's SDL framework

View the authors' website at http://www.androidinsecurity.com/

Author Notes

Dr. James Ransome is the Senior Director of Product Security and responsible for all aspects of McAfee's Product Security Program, a corporate-wide initiative that supports McAfee's business units in delivering best-in-class, secure software products to customers. In this role, James sets program strategy, manages security engagements with McAfee business units, maintains key relationships with McAfee product engineers, and works with other leaders to help define and build product security capabilities. His career has been marked by leadership positions in private and public industries, including three chief information security officer (CISO) and four chief security officer (CSO) roles. Prior to entering the corporate world, James had 23 years of government service in various roles supporting the U.S. intelligence community, federal law enforcement, and the Department of Defense.

James holds a Ph.D. in Information Systems. He developed/tested a security model, architecture, and provided leading practices for converged wired/wireless network security for his doctoral dissertation as part of a NSA/DHS Center of Academic Excellence in Information Assurance Education program. He is the author of several books on information security, and Core Software Security: Security at the Source is his 10th. James is a member of Upsilon Pi Epsilon, the International Honor Society for the Computing and Information Disciplines, and he is a Certified Information Security Manager (CISM), a Certified Information Systems Security Professional (CISSP), and a Ponemon Institute Distinguished Fellow.

Anmol Misra is an author and a security professional with a wide range of experience in the field of information security. His expertise includes mobile and application security, vulnerability management, application and infrastructure security assessments, and security code reviews. He is a Program Manager in Cisco's Information Security group. In this role, he is responsible for developing and implementing security strategy and programs to drive security best practices into all aspects of Cisco's hosted products. Prior to joining Cisco, Anmol was a Senior Consultant with Ernst & Young LLP. In this role, he advised Fortune 500 clients on defining and improving information security programs and practices. He helped corporations to reduce IT security risk and achieve regulatory compliance by improving their security posture.

Anmol is co-author of Android Security: Attacks and Defenses , and is a contributing author of Defending the Cloud: Waging War in Cyberspace . He holds a master's degree in Information Networking from Carnegie Mellon University and a Bachelor of Engineering degree in Computer Engineering. He is based out of San Francisco, California.

Hon. Howard A. Schmidt

Dedication	p. v
Foreword	p. xiii
Preface	p. xix
Acknowledgments	p. xxiii
About the Authors	p. xxv
Chapter 1 Introduction	p. 1
1.1 The Importance and Relevance of Software Security	p. 3
1.2 Software Security and the Software Development Lifecycle	p. 6
1.3 Quality Versus Secure Code	p. 10
1.4 The Three Most Important SDL Security Goals	p. 11
1.5 Threat Modeling and Attack Surface Validation	p. 13
1.6 Chapter Summary-What to Expect from This Book	p. 15
References	p. 16
Chapter 2 The Secure Development Lifecycle	p. 19
2.1 Overcoming Challenges in Making Software Secure	p. 20
2.2 Software Security Maturity Models	p. 21
2.3 ISO/IEC 27034-Information Technology-Security Techniques-Application Security	p. 23
2.4 Other Resources for SDL Best Practices	p. 25
2.4.1 SAFECode	p. 25
2.4.2 U.S. Department of Homeland Security Software Assurance Program	p. 26
2.4.3 National Institute of Standards and Technology	p. 27
2.4.4 MITRE Corporation Common Computer Vulnerabilities and Exposures	p. 28
2.4.5 SANS Institute Top Cyber Security Risks	p. 30
2.4.6 U.S. Department of Defense Cyber Security and Information Systems Information Analysis Center (CSIAC)	p. 30
2.4.7 CERT, Bugtraq, and SecurityFocus	p. 31
2.5 Critical Tools and Talent	p. 31
2.5.1 The Tools	p. 32
2.5.2 The Talent	p. 34
2.6 Principles of Least Privilege	p. 40
2.7 Privacy	p. 41
2.8 The Importance of Metrics	p. 42
2.9 Mapping the Security Development Lifecycle to the Software Development Lifecycle	p. 45
2.10 Software Development Methodologies	p. 50
2.10.1 Waterfall Development	p. 51
2.10.2 Agile Development	p. 53
2.3 Chapter Summary	p. 56
References	p. 57
Chapter 3 Security Assessment (A1): SDL Activities and Best Practices	p. 61
3.1 Software Security Team Is Looped in Early	p. 63
3.2 Software Security Hosts a Discovery Meeting	p. 64
3.3 Software Security Team Creates an SDL Project Plan	p. 66
3.4 Privacy Impact Assessment (PIA) Plan Initiated	p. 66
3.5 Security Assessment (A1) Key Success Factors and Metrics	p. 73
3.5.1 Key Success Factors	p. 73
3.5.2 Deliverables	p. 76
3.5.3 Metrics	p. 78
3.6 Chapter Summary	p. 79
References	p. 79
Chapter 4 Architecture (A2): SDL Activities and Best Practices	p. 81
4.1 A2 Policy Compliance Analysis	p. 83
4.2 SDL Policy Assessment and Scoping	p. 84
4.3 Threat Modeling/Architecture Security Analysis	p. 84
4.3.1 Threat Modeling	p. 84
4.3.2 Data Flow Diagrams	p. 88
4.3.3 Architectural Threat Analysis and Ranking of Threats	p. 95
4.3.4 Risk Mitigation	p. 117
4.4 Open-Source Selection	p. 124
4.5 Privacy Information Gathering and Analysis	p. 124
4.6 Key Success Factors and Metrics	p. 125
4.6.1 Key Success Factors	p. 125
4.6.2 Deliverables	p. 126
4.6.3 Metrics	p. 127
4.7 Chapter Summary	p. 128
References	p. 129
Chapter 5 Design and Development (A3): SDL Activities and Best Practices	p. 133
5.1 A3 Policy Compliance Analysis	p. 135
5.2 Security Test Plan Composition	p. 135
5.3 Threat Model Updating	p. 146
5.4 Design Security Analysis and Review	p. 146
5.5 Privacy Implementation Assessment	p. 150
5.6 Key Success Factors and Metrics	p. 154
5.6.1 Key Success Factors	p. 154
5.6.2 Deliverables	p. 156
5.6.3 Metrics	p. 157
5.7 Chapter Summary	p. 158
References	p. 158
Chapter 6 Design and Development (A4): SDL Activities and Best Practices	p. 161
6.1 A4 Policy Compliance Analysis	p. 163
6.2 Security Test Case Execution	p. 164
6.3 Code Review in the SDLC/SDL Process	p. 168
6.4 Security Analysis Tools	p. 174
6.4.1 Static Analysis	p. 177
6.4.2 Dynamic Analysis	p. 182
6.4.3 Fuzz Testing	p. 185
6.4.4 Manual Code Review	p. 188
6.5 Key Success Factors	p. 192
6.6 Deliverables	p. 193
6.7 Metrics	p. 194
6.8 Chapter Summary	p. 195
References	p. 195
Chapter 7 Ship (A5): SDL Activities and Best Practices	p. 199
7.1 A5 Policy Compliance Analysis	p. 201
7.2 Vulnerability Scan	p. 202
7.3 Penetration Testing	p. 205
7.4 Open-Source Licensing Review	p. 208
7.5 Final Security Review	p. 212
7.6 Final Privacy Review	p. 216
7.7 Key Success Factors	p. 217
7.8 Deliverables	p. 219
7.9 Metrics	p. 221
7.10 Chapter Summary	p. 221
References	p. 223
Chapter 8 Post-Release Support (PRSA1-5)	p. 225
8.1 Right-Sizing Your Software Security Group	p. 227
8.1.1 The Right Organizational Location	p. 227
8.1.2 The Right People	p. 229
8.1.3 The Right Process	p. 229
8.2 PRSA1: External Vulnerability Disclosure Response	p. 232
8.2.1 Post-Release PSIRT Response	p. 233
8.2.2 Post-Release Privacy Response	p. 238
8.2.3 Optimizing Post-Release Third-Party Response	p. 239
8.3 PRSA2: Third-Party Reviews	p. 240
8.4 PRSA3: Post-Release Certifications	p. 242
8.5 PRSA4: Internal Review for New Product Combinations or Cloud Deployments	p. 243
8.6 PRSA5: Security Architectural Reviews and Tool-Based Assessments of Current, Legacy, and M&A Products and Solutions	p. 243
8.6.1 Legacy Code	p. 243
8.6.2 Mergers and Acquisitions (M&As)	p. 247
8.7 Key Success Factors	p. 248
8.8 Deliverables	p. 251
8.9 Metrics	p. 252
8.10 Chapter Summary	p. 252
References	p. 253
Chapter 9 Applying the SDL Framework to the Real World	p. 255
9.0 Introduction	p. 256
9.1 Build Software Securely	p. 261
9.1.1 Produce Secure Code	p. 264
9.1.2 Manual Code Review	p. 269
9.1.3 Static Analysis	p. 271
9.2 Determining the Right Activities for Each Project	p. 275
9.2.1 The Seven Determining Questions	p. 275
9.3 Architecture and Design	p. 292
9.4 Testing	p. 302
9.4.1 Functional Testing	p. 303
9.4.2 Dynamic Testing	p. 304
9.4.3 Attack and Penetration Testing	p. 309
9.4.4 Independent Testing	p. 311
9.5 Agile: Sprints	p. 312
9.6 Key Success Factors and Metrics	p. 317
9.6.1 Secure Coding Training Program	p. 317
9.6.2 Secure Coding Frameworks (APIs)	p. 318
9.6.3 Manual Code Review	p. 318
9.6.4 Independent Code Review and Testing (by Experts or Third Parties)	p. 318
9.6.5 Static Analysis	p. 319
9.6.6 Risk Assessment Methodology	p. 319
9.6.7 Integration of SDL with SDLC	p. 319
9.6.8 Development of Architecture Talent	p. 319
9.7 Metrics	p. 320
9.8 Chapter Summary	p. 321
References	p. 323
Chapter 10 Pulling It All Together: Using the SDL to Prevent Real-World Threats	p. 325
10.1 Strategic, Tactical, and User-Specific Software Attacks	p. 326
10.1.1 Strategic Attacks	p. 328
10.1.2 Tactical Attacks	p. 338
10.1.3 User-Specific Attacks	p. 339
10.2 Overcoming Organizational and Business Challenges with a Properly Designed, Managed, and Focused SDL	p. 339
10.3 Software Security Organizational Realities and Leverage	p. 340
10.4 Overcoming SDL Audit and Regulatory Challenges with Proper Governance Management	p. 342
10.5 Future Predications for Software Security	p. 343
10.5.1 The Bad News	p. 343
10.5.2 The Good News	p. 345
10.6 Conclusion	p. 345
References	p. 347
Appendix	p. 351
Index	p. 359

Available:*

On Order

Summary

Summary

Author Notes

Table of Contents