Core Software Security

Core Software Security

by James Ransome, Anmol Misra
Released October 2018
Publisher(s): Auerbach Publications
ISBN: 9780429623646

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Introducing users to existing software development life cycle (SDLC) models, this book explains their weakness and shows how to build security practices into these models. After working with Fortune 500 companies, the authors have often seen examples of a breakdown in SDLC practices. They supply a realistic look at how to best apply available Secure Software Development Lifecycle (SSDLC) models. e. The text proposes improvements in applying these models to the software code. Case studies from Linux, Apache, and web applications walk readers through examples of how to implement improved practices.

Table of contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Contents
  6. Dedication
  7. Foreword
  8. Preface
  9. Acknowledgments
  10. About the Authors
  11. Chapter 1 Introduction
    1. 1.1 The Importance and Relevance of Software Security
    2. 1.2 Software Security and the Software Development Lifecycle
    3. 1.3 Quality Versus Secure Code
    4. 1.4 The Three Most Important SDL Security Goals
    5. 1.5 Threat Modeling and Attack Surface Validation
    6. 1.6 Chapter Summary—What to Expect from This Book
    7. References
  12. Chapter 2 The Secure Development Lifecycle
    1. 2.1 Overcoming Challenges in Making Software Secure
    2. 2.2 Software Security Maturity Models
    3. 2.3 ISO/IEC 27034—Information Technology—Security Techniques—Application Security
    4. 2.4 Other Resources for SDL Best Practices
      1. 2.4.1 SAFECode
      2. 2.4.2 U.S. Department of Homeland Security Software Assurance Program
      3. 2.4.3 National Institute of Standards and Technology
      4. 2.4.4 MITRE Corporation Common Computer Vulnerabilities and Exposures
      5. 2.4.5 SANS Institute Top Cyber Security Risks
      6. 2.4.6 U.S. Department of Defense Cyber Security and Information Systems Information Analysis Center (CSIAC)
      7. 2.4.7 CERT, Bugtraq, and SecurityFocus
    5. 2.5 Critical Tools and Talent
      1. 2.5.1 The Tools
      2. 2.5.2 The Talent
    6. 2.6 Principles of Least Privilege
    7. 2.7 Privacy
    8. 2.8 The Importance of Metrics
    9. 2.9 Mapping the Security Development Lifecycle to the Software Development Lifecycle
    10. 2.10 Software Development Methodologies
      1. 2.10.1 Waterfall Development
      2. 2.10.2 Agile Development
    11. 2.3 Chapter Summary
    12. References
  13. Chapter 3 Security Assessment (A1): SDL Activities and Best Practices
    1. 3.1 Software Security Team Is Looped in Early
    2. 3.2 Software Security Hosts a Discovery Meeting
    3. 3.3 Software Security Team Creates an SDL Project Plan
    4. 3.4 Privacy Impact Assessment (PIA) Plan Initiated
    5. 3.5 Security Assessment (A1) Key Success Factors and Metrics
      1. 3.5.1 Key Success Factors
      2. 3.5.2 Deliverables
      3. 3.5.3 Metrics
    6. 3.6 Chapter Summary
    7. References
  14. Chapter 4 Architecture (A2): SDL Activities and Best Practices
    1. 4.1 A2 Policy Compliance Analysis
    2. 4.2 SDL Policy Assessment and Scoping
    3. 4.3 Threat Modeling/Architecture Security Analysis
      1. 4.3.1 Threat Modeling
      2. 4.3.2 Data Flow Diagrams
      3. 4.3.3 Architectural Threat Analysis and Ranking of Threats
      4. 4.3.4 Risk Mitigation
    4. 4.4 Open-Source Selection
    5. 4.5 Privacy Information Gathering and Analysis
    6. 4.6 Key Success Factors and Metrics
      1. 4.6.1 Key Success Factors
      2. 4.6.2 Deliverables
      3. 4.6.3 Metrics
    7. 4.7 Chapter Summary
    8. References
  15. Chapter 5 Design and Development (A3): SDL Activities and Best Practices
    1. 5.1 A3 Policy Compliance Analysis
    2. 5.2 Security Test Plan Composition
    3. 5.3 Threat Model Updating
    4. 5.4 Design Security Analysis and Review
    5. 5.5 Privacy Implementation Assessment
    6. 5.6 Key Success Factors and Metrics
      1. 5.6.1 Key Success Factors
      2. 5.6.2 Deliverables
      3. 5.6.3 Metrics
    7. 5.7 Chapter Summary
    8. References
  16. Chapter 6 Design and Development (A4): SDL Activities and Best Practices
    1. 6.1 A4 Policy Compliance Analysis
    2. 6.2 Security Test Case Execution
    3. 6.3 Code Review in the SDLC/SDL Process
    4. 6.4 Security Analysis Tools
      1. 6.4.1 Static Analysis
      2. 6.4.2 Dynamic Analysis
      3. 6.4.3 Fuzz Testing
      4. 6.4.4 Manual Code Review
    5. 6.5 Key Success Factors
    6. 6.6 Deliverables
    7. 6.7 Metrics
    8. 6.8 Chapter Summary
    9. References
  17. Chapter 7 Ship (A5): SDL Activities and Best Practices
    1. 7.1 A5 Policy Compliance Analysis
    2. 7.2 Vulnerability Scan
    3. 7.3 Penetration Testing
    4. 7.4 Open-Source Licensing Review
    5. 7.5 Final Security Review
    6. 7.6 Final Privacy Review
    7. 7.7 Key Success Factors
    8. 7.8 Deliverables
    9. 7.9 Metrics
    10. 7.10 Chapter Summary
    11. References
  18. Chapter 8 Post-Release Support (PRSA1–5)
    1. 8.1 Right-Sizing Your Software Security Group
      1. 8.1.1 The Right Organizational Location
      2. 8.1.2 The Right People
      3. 8.1.3 The Right Process
    2. 8.2 PRSA1: External Vulnerability Disclosure Response
      1. 8.2.1 Post-Release PSIRT Response
      2. 8.2.2 Post-Release Privacy Response
      3. 8.2.3 Optimizing Post-Release Third-Party Response
    3. 8.3 PRSA2: Third-Party Reviews
    4. 8.4 PRSA3: Post-Release Certifications
    5. 8.5 PRSA4: Internal Review for New Product Combinations or Cloud Deployments
    6. 8.6 PRSA5: Security Architectural Reviews and Tool-Based Assessments of Current, Legacy, and M&A Products and Solutions
      1. 8.6.1 Legacy Code
      2. 8.6.2 Mergers and Acquisitions (M&As)
    7. 8.7 Key Success Factors
    8. 8.8 Deliverables
    9. 8.9 Metrics
    10. 8.10 Chapter Summary
    11. References
  19. Chapter 9 Applying the SDL Framework to the Real World
    1. 9.0 Introduction
    2. 9.1 Build Software Securely
      1. 9.1.1 Produce Secure Code
      2. 9.1.2 Manual Code Review
      3. 9.1.3 Static Analysis
    3. 9.2 Determining the Right Activities for Each Project
      1. 9.2.1 The Seven Determining Questions
    4. 9.3 Architecture and Design
    5. 9.4 Testing
      1. 9.4.1 Functional Testing
      2. 9.4.2 Dynamic Testing
      3. 9.4.3 Attack and Penetration Testing
      4. 9.4.4 Independent Testing
    6. 9.5 Agile: Sprints
    7. 9.6 Key Success Factors and Metrics
      1. 9.6.1 Secure Coding Training Program
      2. 9.6.2 Secure Coding Frameworks (APIs)
      3. 9.6.3 Manual Code Review
      4. 9.6.4 Independent Code Review and Testing (by Experts or Third Parties)
      5. 9.6.5 Static Analysis
      6. 9.6.6 Risk Assessment Methodology
      7. 9.6.7 Integration of SDL with SDLC
      8. 9.6.8 Development of Architecture Talent
    8. 9.7 Metrics
    9. 9.8 Chapter Summary
    10. References
  20. Chapter 10 Pulling It All Together: Using the SDL to Prevent Real-World Threats
    1. 10.1 Strategic, Tactical, and User-Specific Software Attacks
      1. 10.1.1 Strategic Attacks
      2. 10.1.2 Tactical Attacks
      3. 10.1.3 User-Specific Attacks
    2. 10.2 Overcoming Organizational and Business Challenges with a Properly Designed, Managed, and Focused SDL
    3. 10.3 Software Security Organizational Realities and Leverage
    4. 10.4 Overcoming SDL Audit and Regulatory Challenges with Proper Governance Management
    5. 10.5 Future Predications for Software Security
      1. 10.5.1 The Bad News
      2. 10.5.2 The Good News
    6. 10.6 Conclusion
    7. References
  21. Appendix
  22. Index

Product information

  • Title: Core Software Security
  • Author(s): James Ransome, Anmol Misra
  • Release date: October 2018
  • Publisher(s): Auerbach Publications
  • ISBN: 9780429623646