book

Security-Driven Software Development

Name: Security-Driven Software Development
Author: Aspen Olmsted
ISBN: 9781835462836

by Aspen Olmsted

March 2024

Intermediate to advanced

262 pages

5h 54m

English

Packt Publishing

Read now

Unlock full access

Security-Driven Software Development
ContributorsAbout the authorAbout the reviewer
Preface
Who this book is forWhat this book coversTo get the most out of this bookConventions usedGet in touchShare your thoughtsDownload a free PDF copy of this book
Part 1: Modeling a Secure Application
Chapter 1: Security Principles
What could go wrong?PrinciplesOpen Web Application Security ProjectNIST’s Secure Software Development FrameworkMITRE frameworksSoftware development lifecyclesMicrosoft’s Security Development LifecycleConfidentiality, integrity, and availabilitySummarySelf-assessment questionsAnswers
Chapter 2: Designing a Secure Functional Model
Requirements gathering and specificationNon-functional requirements and securityCapturing scenariosTextual use cases and misuse casesGraphical use cases and misuse casesGraphical use case diagramGraphical misuse case diagramExample enterprise secure functional modelPurchase of tickets via self-serviceTrying to purchase tickets beyond the patron limitSummarySelf-assessment questionsAnswers
Chapter 3: Designing a Secure Object Model
Identify objects and relationshipsClass diagramsStereotypesInvariantsExample of the enterprise secure object modelSummarySelf-assessment questionsAnswers
Chapter 4: Designing a Secure Dynamic Model
Technical requirementsObject behaviorModeling interactions between objectsUML sequence diagramsUML activity diagramsConstraintsExample of the enterprise secure dynamic modelSummarySelf-assessment questionsAnswers
Chapter 5: Designing a Secure System Model
PartitionsModeling interactions between partitionsUML component diagramsPatternsExample – developing an enterprise secure system modelSummarySelf-assessment questionsAnswers
Chapter 6: Threat Modeling
Threat model overviewThe STRIDE threat modelThe DREAD threat modelAttack treesMitigationsMicrosoft Threat Modeling ToolExample of an enterprise threat modelSummarySelf-assessment questionsAnswers
Part 2: Mitigating Risks in Implementation

Chapter 7: Authentication and Authorization
AuthenticationAuthorizationSecurity ModelsSingle sign-on and open authorizationSingle sign-on (SSO)Open authorization (OAuth)Implementing SSO and OAuth with GoogleExample of enterprise implementationSummarySelf-assessment questionsAnswers
Chapter 8: Input Validation and Sanitization
Input validationInput sanitizationLanguage-specific defensesBuffer overflowsExample of the enterprise input validation and sanitizationSummarySelf-assessment questionsAnswers
Chapter 9: Standard Web Application Vulnerabilities
Injection attacksBroken authentication and session managementRequest forgeryLanguage-specific defensesExample of enterprise web defensesSummarySelf-assessment questionsAnswers
Chapter 10: Database Security
Overview of SQLSQL injectionMaintaining database correctnessManaging activity concurrencyLanguage-specific defensesRBAC security in DBMSEncryption in DBMSAn example of enterprise DB securitySummarySelf-assessment questionsAnswers
Part 3: Security Validation
Chapter 11: Unit Testing
The principles of unit testingThe advantages of unit testingUnit testing frameworksAn example of enterprise threat modelPHPUnitJUnitPyUnitSummarySelf-assessment questionsAnswers
Chapter 12: Regression Testing
Regression testing overviewKey conceptsProcessBenefitsRobotic process automationThe intersection of RPA and regression testingRegression testing toolsLoad testing Integration and complementarityUI.Vision RPAExample of the enterprise regression testsSummarySelf-assessment questionsAnswers
Chapter 13: Integration, System, and Acceptance Testing
Types of integration testsMocksStubsExamples of enterprise integration testingSystem testingAcceptance testingSummarySelf-assessment questionsAnswers
Chapter 14: Software Penetration Testing
Types of testsPhasesToolsInformation gathering and reconnaissanceVulnerability analysis and exploitationPost-exploitation and privilege escalationNetwork sniffingForensics and monitoringReporting and documentationAn example of an enterprise penetration test reportHigh-level summaryHost analysisSummarySelf-assessment questionsAnswers
Index
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare your thoughtsDownload a free PDF copy of this book

Overview

Secure Software Development: Learn to analyze and mitigate risks in your software projects equips you with the insights and methodologies to incorporate crucial security practices into your development lifecycle. You will not only learn to identify and address vulnerabilities and threats but also trace requirements through every phase of software development to build resilient applications.

What this Book will help me do

Understand the non-functional requirements integral to software security and operational reliability.
Gain the ability to model vulnerabilities and assess risk factors at various stages of software development.
Learn to analyze and counteract common software threat vectors, enhancing application resilience.
Develop strategies and frameworks for increasing the security of web-based applications.
Master techniques for safeguarding the database layers of applications against common and advanced threats.

Author(s)

Aspen Olmsted, PhD, is an accomplished software engineer and academic known for his extensive work in secure software design. With over two decades of experience in the industry, Aspen has focused on advancing strategies for application security at scale. His writing combines theoretical insights with practical expertise, bridging the gap between concept and execution.

Who is it for?

This book is tailored for software developers and engineers working in the field of application development, especially those focusing on ensuring security from concept to deployment. If you're a developer seeking to understand and mitigate software risks or a professional aiming to enhance your projects' resilience against attacks, this book is ideal. It also suits programmers aspiring to establish strong secure development practices. Beginners and experienced developers alike will find valuable insights in this comprehensive resource.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781835462836

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills