Software Security: Building Security In

Software Security: Building Security In

by Gary McGraw
Released January 2006
Publisher(s): Addison-Wesley Professional
ISBN: 9780321356703

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

 "When it comes to software security, the devil is in the details. This book tackles the details."
--Bruce Schneier, CTO and founder, Counterpane, and author of Beyond Fear and Secrets and Lies

"McGraw's book shows you how to make the 'culture of security' part of your development lifecycle."
--Howard A. Schmidt, Former White House Cyber Security Advisor

"McGraw is leading the charge in software security. His advice is as straightforward as it is actionable. If your business relies on software (and whose doesn't), buy this book and post it up on the lunchroom wall."
--Avi Rubin, Director of the NSF ACCURATE Center; Professor, Johns Hopkins University; and coauthor of Firewalls and Internet Security

Beginning where the best-selling book Building Secure Software left off, Software Security teaches you how to put software security into practice.The software security best practices, or touchpoints, described in this book have their basis in good software engineering and involve explicitly pondering security throughout the software development lifecycle. This means knowing and understanding common risks (including implementation bugsand architectural flaws), designing for security, and subjecting all software artifacts to thorough, objective risk analyses and testing.

Software Security is about putting the touchpoints to work for you. Because you can apply these touchpoints to the software artifacts you already produce as you develop software, you can adopt this book's methods without radically changing the way you work. Inside you'll find detailed explanations of

  • Risk management frameworks and processes

  • Code review using static analysis tools

  • Architectural risk analysis

  • Penetration testing

  • Security testing

  • Abuse case development

    • In addition to the touchpoints, Software Security covers knowledge management, training and awareness, and enterprise-level software security programs. Now that the world agrees that software security is central to computer security, it is time to put philosophy into practice. Create your own secure development lifecycle by enhancing your existing software development lifecycle with the touchpoints described in this book. Let this expert author show you how to build more secure software by building security in.

    Table of contents

    1. Copyright
      1. Dedication
    2. Advance Praise for Software Security
    3. Addison-Wesley Software Security Series
    4. Foreword
    5. Preface
      1. Who This Book Is For
      2. What This Book Is About
        1. Icons
      3. The Series
      4. Contacting the Author
    6. Acknowledgments
    7. About the Author
    8. I. Software Security Fundamentals
      1. 1. Defining a Discipline
        1. The Security Problem
          1. The Trinity of Trouble: Why the Problem Is Growing
            1. Connectivity
            2. Extensibility
            3. Complexity
          2. Basic Science
        2. Security Problems in Software
          1. Bugs and Flaws and Defects, Oh My!
          2. The Range of Defects
          3. The Problem with Application Security
          4. Software Security and Operations
        3. Solving the Problem: The Three Pillars of Software Security
          1. Pillar I: Applied Risk Management
          2. Pillar II: Software Security Touchpoints
          3. Pillar III: Knowledge
        4. The Rise of Security Engineering
          1. Software Security Is Everyone’s Job
      2. 2. A Risk Management Framework
        1. Putting Risk Management into Practice
        2. How to Use This Chapter
        3. The Five Stages of Activity
          1. Stage 1: Understand the Business Context
          2. Stage 2: Identify the Business and Technical Risks
          3. Stage 3: Synthesize and Rank the Risks
          4. Stage 4: Define the Risk Mitigation Strategy
          5. Stage 5: Carry Out Fixes and Validate
          6. Measuring and Reporting on Risk
        4. The RMF Is a Multilevel Loop
        5. Applying the RMF: KillerAppCo’s iWare 1.0 Server
          1. Understanding the Business Context
            1. Gathering the Artifacts
            2. Conducting Project Research
          2. Identifying the Business and Technical Risks
            1. Developing Risk Questionnaires
            2. Interviewing the Target Project Team
            3. Analyzing the Research and Interview Data
            4. Uncovering Technical Risks
            5. Analyzing Software Artifacts
          3. Synthesizing and Ranking the Risks
            1. Reviewing the Risk Data
            2. Conducting the Business and Technical Peer Review
          4. Defining the Risk Mitigation Strategy
            1. Brainstorming on Risk Mitigation
            2. Authoring the Risk Analysis Report
            3. Producing Final Deliverables
          5. Carrying Out Fixes and Validating
        6. The Importance of Measurement
          1. Measuring Return
          2. Measurement and Metrics in the RMF
        7. The Cigital Workbench
        8. Risk Management Is a Framework for Software Security
    9. II. Seven Touchpoints for Software Security
      1. 3. Introduction to Software Security Touchpoints
        1. Flyover: Seven Terrific Touchpoints
          1. 1. Code Review (Tools)
          2. 2. Architectural Risk Analysis
          3. 3. Penetration Testing
          4. 4. Risk-Based Security Testing
          5. 5. Abuse Cases
          6. 6. Security Requirements
          7. 7. Security Operations
          8. *. External Analysis
          9. Why Only Seven?
        2. Black and White: Two Threads Inextricably Intertwined
        3. Moving Left
        4. Touchpoints as Best Practices
        5. Who Should Do Software Security?
          1. Building a Software Security Group
            1. Don’t start with security people
            2. Start with software people
        6. Software Security Is a Multidisciplinary Effort
        7. Touchpoints to Success
      2. 4. Code Review with a Tool
        1. Catching Implementation Bugs Early (with a Tool)
        2. Aim for Good, Not Perfect
        3. Ancient History
        4. Approaches to Static Analysis
          1. A History of Rule Coverage
          2. Modern Rules
        5. Tools from Researchland
        6. Commercial Tool Vendors
          1. Commercial Source Code Analyzers
          2. Key Characteristics of a Tool
          3. Three Characteristics to Avoid
          4. The Fortify Source Code Analysis Suite
          5. The Fortify Knowledge Base
          6. Using Fortify
        7. Touchpoint Process: Code Review
        8. Use a Tool to Find Security Bugs
      3. 5. Architectural Risk Analysis
        1. Common Themes among Security Risk Analysis Approaches
        2. Traditional Risk Analysis Terminology
        3. Knowledge Requirement
        4. The Necessity of a Forest-Level View
        5. A Traditional Example of a Risk Calculation
        6. Limitations of Traditional Approaches
        7. Modern Risk Analysis
          1. Security Requirements
          2. A Basic Risk Analysis Approach
        8. Touchpoint Process: Architectural Risk Analysis
          1. Attack Resistance Analysis
          2. Ambiguity Analysis
          3. Weakness Analysis
        9. Getting Started with Risk Analysis
        10. Architectural Risk Analysis Is a Necessity
      4. 6. Software Penetration Testing
        1. Penetration Testing Today
        2. Software Penetration Testing—a Better Approach
          1. Make Use of Tools
          2. Test More Than Once
        3. Incorporating Findings Back into Development
        4. Using Penetration Tests to Assess the Application Landscape
        5. Proper Penetration Testing Is Good
      5. 7. Risk-Based Security Testing
        1. What’s So Different about Security?
        2. Risk Management and Security Testing
        3. How to Approach Security Testing
          1. Who
          2. How
        4. Thinking about (Malicious) Input
        5. Getting Over Input
        6. Leapfrogging the Penetration Test
      6. 8. Abuse Cases
        1. Security Is Not a Set of Features
        2. What You Can’t Do
        3. Creating Useful Abuse Cases
          1. But No One Would Ever Do That!
        4. Touchpoint Process: Abuse Case Development
          1. Creating Anti-Requirements
          2. Creating an Attack Model
        5. An Abuse Case Example
        6. Abuse Cases Are Useful
      7. 9. Software Security Meets Security Operations
        1. Don’t Stand So Close to Me
        2. Kumbaya (for Software Security)
        3. Come Together (Right Now)
        4. Future’s So Bright, I Gotta Wear Shades
    10. III. Software Security Grows Up
      1. 10. An Enterprise Software Security Program
        1. The Business Climate
        2. Building Blocks of Change
        3. Building an Improvement Program
        4. Establishing a Metrics Program
          1. A Three-Step Enterprise Rollout
        5. Continuous Improvement
        6. What about COTS (and Existing Software Applications)?
          1. An Enterprise Information Architecture
        7. Adopting a Secure Development Lifecycle
      2. 11. Knowledge for Software Security
        1. Experience, Expertise, and Security
        2. Security Knowledge: A Unified View
        3. Security Knowledge and the Touchpoints
        4. The Department of Homeland Security Build Security In Portal
        5. Knowledge Management Is Ongoing
        6. Software Security Now
      3. 12. A Taxonomy of Coding Errors
        1. On Simplicity: Seven Plus or Minus Two
          1. Input Validation and Representation
          2. API Abuse
          3. Security Features
          4. Time and State
          5. Error Handling
          6. Code Quality
          7. Encapsulation
          8. Environment
        2. The Phyla
          1. More Phyla Needed
        3. A Complete Example
        4. Lists, Piles, and Collections
          1. Nineteen Sins Meet Seven Kingdoms
          2. Seven Kingdoms and the OWASP Ten
        5. Go Forth (with the Taxonomy) and Prosper
      4. 13. Annotated Bibliography and References
        1. Annotated Bibliography: An Emerging Literature
          1. Required Reading: The Top Five
          2. References Cited in Software Security: Building Security In
          3. Government and Standards Publications Cited
          4. Other Important References
        2. Software Security Puzzle Pieces
          1. Basic Science: Open Research Areas
    11. IV. Appendices
      1. A. Fortify Source Code Analysis Suite Tutorial
        1. 1. Introducing the Audit Workbench
          1. Exercises for the Reader
        2. 2. Auditing Source Code Manually
          1. Exercises for the Reader
        3. 3. Ensuring a Working Build Environment
        4. 4. Running the Source Code Analysis Engine
          1. Analysis Results of stackbuffer.c
          2. Analysis Results of Eightball.java
          3. Analysis Results of Sample1.exe
          4. Exercises for the Reader
        5. 5. Exploring the Basic SCA Engine Command Line Arguments
          1. Exercises for the Reader
        6. 6. Understanding Raw Analysis Results
          1. Exercises for the Reader
        7. 7. Integrating with an Automated Build Process
          1. Integrating with a Makefile
          2. Integrating with an ant Build File
          3. Advanced Command Line Syntax for Java
          4. Exercises for the Reader
        8. 8. Using the Audit Workbench
          1. Exercises for the Reader
        9. 9. Auditing Open Source Applications
          1. Exercises for the Reader
      2. B. ITS4 Rules
      3. C. An Exercise in Risk Analysis: Smurfware
        1. SmurfWare SmurfScanner Risk Assessment Case Study
          1. Instructions
          2. SmurfWare SmurfScanner Architecture and Implementation Description
          3. SmurfScanner Architecture Component Description
          4. Questions
          5. Answers
        2. SmurfWare SmurfScanner Design for Security
          1. Instructions
          2. Answers (Incomplete)
      4. D. Glossary
    12. InsideFrontCover
    13. InsideBackCover

    Product information

    • Title: Software Security: Building Security In
    • Author(s): Gary McGraw
    • Release date: January 2006
    • Publisher(s): Addison-Wesley Professional
    • ISBN: 9780321356703