
Core Software Security by Anmol Misra, James Ransome

Chapter 1
Introduction
Welcome to our book about what we believe to be the most important
topic in information security for the foreseeable future: software security.
In the following sections, we will cover five major topics that highlight
the need, value, and challenges of software security. This will set the
stage for the remainder of the book, where we describe our model for
software security: building security into your software using an operationally
relevant and manageable security development lifecycle (SDL)
that is applicable to all software development lifecycles (SDLCs). The
topics and reasons for including them in this introductory chapter are
listed below.
1. The importance and relevance of software security. Software is
critical to everything we do in the modern world and is behind our
most critical systems. As such, it is imperative that it be secure by
design. Most information technology (IT)-related security solutions
have been developed to mitigate the risk caused by insecure software.
To justify a software security program, the importance and relevance
of the monetary costs and other risks for not building security into
your software must be known, as well as the importance, relevance,
and costs for building security in. At the end of the day, software
security is as much a business decision as it is about avoiding security
risks.
2. Software security and the software development lifecycle. It is
important to know the difference between what are generally known
in software development as software security and application security.
Although these terms are often used interchangeably, we differentiate
between them because we believe there is a distinct difference in
managing programs for these two purposes. In our model, software
security is about building security into the software through an SDL
in an SDLC, whereas application security is about protecting the software
and the systems on which it runs after release.
3. Quality versus secure code. Although secure code is not necessarily
quality code, and quality code is not necessarily secure code, the
development process for producing software is based on the principles
of both quality and secure code. You cannot have quality code
without security or security without quality, and their attributes
complement each other. At a minimum, quality and software security
programs should be collaborating closely during the development
process; ideally, they should be part of the same organization
and both part of the software development engineering department.
We will discuss this organizational and operational perspective later
in the book.
4. The three most important SDL security goals. At the core of all
software security analysis and implementation are three core elements
of security: confidentiality, integrity, and availability, also known as
the C.I.A. model. To ensure high confidence that the software being
developed is secure, these three attributes must be adhered to as key
components throughout the SDL.
5. Threat modeling and attack surface validation. The most time-consuming
and misunderstood part of the SDL is threat modeling
and attack surface validation. In today's world of Agile development,
you must get this right or you will likely fail to make your software
secure. Threat modeling and attack surface validation throughout
the SDL will maximize your potential to alleviate post-release
discovery of security vulnerabilities in your software product. We
believe this function to be so important that we have dedicated an
SDL section and a separate chapter to this topic.
