Secure Software Systems

Book description

Secure Software Systems presents an approach to secure software systems design and development that tightly integrates security with systems design and development (or software engineering). It addresses the software development process from the perspective of a security practitioner. The text focuses on the processes, concepts, and concerns involved in ensuring that secure practices are followed throughout the secure software systems development life cycle, including the discipline of actually following the life cycle rather than doing ad hoc development.

Table of contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Contents
  5. Preface
  6. Acknowledgments
  7. CHAPTER 1 Secure Software Systems Development
    1. Introduction
    2. Secure Software Systems Life Cycle
      1. Understanding the Model
      2. System Initiation
      3. Defining and Planning
      4. Design and Decision
      5. Development
      6. Test and Evaluation
      7. Deployment
      8. Operations and Maintenance
      9. Retirement
      10. Variations in the Life Cycle
    3. The Five Ps
    4. Combining the Five Ps with the Secure Software Systems Life Cycle
    5. KEY TERMS
  8. CHAPTER 2 Product and Portfolio Management
    1. Introduction
    2. Product Management
      1. Identifying Opportunities
      2. Product Definition
      3. Product Planning
      4. Bringing the Product to Market
      5. Ecosystem Management
    3. Portfolio Management
    4. SUMMARY
    5. KEY TERMS
  9. CHAPTER 3 Program and Project Management
    1. Introduction
    2. Project Management
      1. Phase 1—Initiation/Conception/Analysis
      2. Phase 2—Define and Plan
      3. Phase 3—Implementation/Execution
      4. Phase 4—Monitor and Control
      5. Phase 5—Project Close
      6. Project Management Summary
    3. Program Management
      1. Strategic Approach
      2. Program Sponsorship
      3. Program Managers
      4. Program Management Office
    4. SUMMARY
    5. KEY TERMS
    6. REFERENCE
  10. CHAPTER 4 Process Management
    1. Introduction
    2. Managing Processes
      1. Identifying Processes
      2. Understanding Processes
    3. Documenting Processes
      1. Process Diagrams
      2. Static Process Analysis
      3. Dynamic Process Analysis
      4. Queueing Theory
    4. Workflow
    5. Process Quality
    6. Process Improvement
    7. Processes and Security
    8. Defining Processes for the Developed System
    9. SUMMARY
    10. KEY TERMS
  11. CHAPTER 5 Managing the Secure Software Systems Development Life Cycle
    1. Introduction
    2. Requirements Tracking
    3. Change Management
    4. Issue Management
    5. SUMMARY
    6. KEY TERMS
    7. REFERENCE
  12. CHAPTER 6 Security Culture, Responsibility, and Training
    1. Introduction
    2. Look and Feel of a Security Culture
      1. Leadership Sets the Tone for Cybersecurity
      2. Someone with Responsibility and Authority
      3. Security Roles and Responsibilities Defined for All
      4. Security Is Considered in All Aspects of Products
      5. Security Is Widely Discussed and Shared with Customers
      6. Security Is Valued
      7. Security Culture Maturity
      8. Company Policies and Procedures Are Established and Available
      9. An Effective Security Culture among Programmers and System Administrators Is Vital
    3. Responsibility
      1. Ethical Integrity
      2. Professionalism
      3. Long-Term Thinking
    4. Training the Organization to Be Secure
      1. What Training Is Important
      2. When to Train
      3. Training Style
    5. SUMMARY
    6. KEY TERMS
  13. CHAPTER 7 Requirements and Security Requirements Planning
    1. Introduction
    2. Types of Requirements
    3. System Definition and Scope
    4. Sources of Requirements
      1. Stakeholders as a Source of Requirements
      2. Intended Security Practices as Security Requirements
      3. Outsourcing and Cloud Services as a Source of Requirements
    5. Requirements Engineering
      1. Assessing Requirements for Security
    6. Requirements Documentation and Tracing
      1. Traceability
      2. Formatting Requirements for Sharing
    7. SUMMARY
    8. KEY TERMS
  14. CHAPTER 8 Compliance
    1. Introduction
    2. Need for Compliance
    3. Laws and Regulations Related to Compliance
      1. Implications of Data Privacy Regulations and Laws
      2. U.S. Regulations and Laws
      3. Canadian Regulations and Laws
      4. European Union Regulations and Laws
      5. China Regulations and Laws
    4. Compliance Models and Frameworks
      1. Control Objectives for Information and related Technology (COBIT)
      2. Capability Maturity Model Integration (CMMI)
      3. Secure Software Development Framework (SSDF) (NIST)
    5. Monitoring
    6. Systems Auditing
    7. SUMMARY
    8. KEY TERMS
    9. REFERENCES
  15. CHAPTER 9 Quality Management
    1. Introduction
    2. Quality Assurance
      1. Processes
      2. Tools
      3. Task Expectations
      4. Training
      5. Auditing and Monitoring Processes
    3. Quality Control
      1. Quality Expectations
      2. Testing
      3. Root Cause Analysis
      4. Corrective Actions
    4. Quality Organizations
    5. SUMMARY
    6. KEY TERMS
  16. CHAPTER 10 Modeling
    1. Introduction
    2. Choosing a Model
    3. Modeling Tools
    4. Modeling Techniques
      1. Flow Charts
      2. Structure Charts
      3. E-R Diagram
      4. Object Model
      5. Use Case Model
      6. Sequence Diagram
      7. State Diagram
    5. SUMMARY
    6. KEY TERMS
  17. CHAPTER 11 Architecture
    1. Introduction
    2. Architecture Views or Models
      1. Business or Functional Architecture
      2. Logical Architecture
      3. Application Architecture
      4. Data Architecture
      5. Physical and Technical Architectures
    3. Enterprise Architecture
    4. Creating the Architecture
      1. Architectural Concerns
      2. Architectural Principles
      3. Security Objectives
    5. Design Patterns
      1. Example Design Patterns
    6. Refinement Techniques
    7. Architectural Reviews
    8. SUMMARY
    9. KEY TERMS
  18. CHAPTER 12 Vulnerability and Threat Assessment
    1. Introduction
    2. Vulnerability Assessment and Mapping
      1. The Process
      2. The Vulnerability Matrix
    3. Risk Assessment
    4. Additional Vulnerability Assessment Tools
    5. Trust Boundaries
      1. Life of Data
      2. Other Sources for Analysis
    6. Threat Modeling
      1. Purpose of the System
    7. Threat Intelligence
      1. Building the Threat Model
    8. SUMMARY
    9. KEY TERMS
  19. CHAPTER 13 The Development Environment
    1. Introduction
    2. Culture of Secure Development Practices
    3. Secure Development Tools
    4. Software Sources
    5. Selecting the Development Language
    6. Using Libraries in the Development Process
      1. Commercial Considerations
      2. Excessive Library Dependence
      3. Dependency Issues
      4. Inherited Vulnerabilities
    7. Operating Systems and Architecture
    8. Cloud Environments
      1. Cloud Security Considerations
      2. Cloud Services Engagement
      3. Cloud Development Practices
    9. Coding Practices
      1. Standing Operating Procedures (SOPs)
      2. Programming Manuals or Style Guides
      3. Fail-Safe Logic and Coding
      4. Integration Issues
    10. SUMMARY
    11. KEY TERMS
    12. REFERENCES
  20. CHAPTER 14 Configuration Management
    1. Introduction
    2. Version Control
    3. Configuration Management in Product Development
    4. Configuration Management in Operations and Maintenance
    5. SUMMARY
    6. KEY TERMS
  21. CHAPTER 15 Testing
    1. Introduction
    2. Test-Driven Development
    3. The Test Plan
      1. The Risk-Based Test Strategy
      2. The Test Team
      3. Test Tracking and Communication
      4. Test Schedule
      5. Test Cases
      6. Testing Tools
    4. Types of Testing
      1. Standard Development Test Methods
      2. User Test Methods
      3. Specialized Test Methods
    5. SUMMARY
    6. KEY TERMS
    7. REFERENCE
  22. CHAPTER 16 Product Release and Deployment
    1. Introduction
    2. Preparing for Release
    3. Release Review
      1. Final Security Review
      2. Open Issues
    4. Accreditation for Release
      1. Internal Accreditation
      2. Government System Accreditation
    5. Deployment
      1. Deployment Roles
      2. Training before Deployment
      3. Deployment Communications
      4. Deployment or Migration Planning
      5. Deployment/Migration Window
    6. SUMMARY
    7. KEY TERMS
  23. CHAPTER 17 Operations and Maintenance
    1. Introduction
    2. Operations
      1. Monitoring
      2. Security Monitoring
      3. User Support
      4. Backups
    3. Incident Management
      1. Incident Response Plan
      2. Incident Root Cause Analysis
      3. Incident Tracking
      4. Disaster Recovery
      5. Preparation and Practice
      6. Post-Incident Review
    4. Maintenance
      1. Configuration and Software Updates
      2. Functional Fixes and Patches
      3. Security Configuration and Software Updates
      4. Vulnerability Management
      5. Change Management
      6. Maintenance Windows
    5. Environmental Issues
      1. Power Consumption
      2. E-Waste
    6. SUMMARY
    7. KEY TERMS
  24. CHAPTER 18 Retirement or End-of-Life
    1. Introduction
    2. End-of-Life
      1. Planning End-of-Life
      2. Archiving
    3. Strategies When Faced with End-of-Life
    4. Retirement
      1. Communication
      2. Developing a Retirement Plan
      3. Pre-Retirement Audit
      4. Timeline
      5. Removal from Service
      6. Transferring and Storing Data
      7. Decommissioning the Hardware
      8. Licensing Adjustments
      9. Finalizing the Retirement
    5. SUMMARY
    6. KEY TERMS
  25. Glossary
  26. Index

Product information

  • Title: Secure Software Systems
  • Author(s): Erik Fretheim, Marie Deschene
  • Release date: March 2023
  • Publisher(s): Jones & Bartlett Learning
  • ISBN: 9781284261219