Chapter 4. Secure Software Implementation/Coding
Secure coding includes both coding and integration of software components. Secure coding should follow secure coding practices and adhere to secure coding standards. This chapter explores these fundamentals and describes additional assurance concepts and activities that contribute to secure software implementation.
Declarative versus Programmatic Security
Declarative security enforces the security policy of the software application in its runtime environment. In declarative security, the application makes security decisions based on explicit statements that constrain security behavior. Declarative security may be implemented in a layer outside of the software code or may use attributes that are placed into the code itself. Declarative security is often used to set the permissions required by the application for access to local resources, and to provide role-based access control to individual software components and the application itself. The authorization decisions are normally coarse-grained in nature from an operational or external security perspective.
In programmatic security, the security behavior is controlled by the code of the software application. Authorization decisions are based on business logic, for example, the role of the user or the task the user is performing in a particular application context. Programmatic security enforces the internal security policy of the application independently of the runtime environment in ...
Get The CSSLP™ Prep Guide: Mastering the Certified Secure Software Lifecycle Professional now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.