Core Software Security : Security at the Source (Paperback)

IntroductionThe Importance and Relevance of Software SecuritySoftware Security and the Software Development Lifecycle Quality Versus Secure CodeThe Three Most Important SDL Security Goals Threat Modeling and Attack Surface Validation Chapter Summary?What to Expect from This BookReferencesThe Secure Development Lifecycle Overcoming Challenges in Making Software Secure Software Security Maturity Models ISO/IEC 27034?Information Technology?Security Techniques?Application Security Other Resources for SDL Best Practices SAFECode U.S. Department of Homeland SecuritySoftware Assurance Program National Institute of Standards and Technology MITRE Corporation Common Computer Vulnerabilities and Exposures SANS Institute Top Cyber Security Risks U.S. Department of Defense Cyber Security and Information Systems Information Analysis Center (CSIAC) CERT, Bugtraq, and SecurityFocus Critical Tools and Talent The Tools The TalentPrinciples of Least PrivilegePrivacyThe Importance of MetricsMapping the Security Development Lifecycle to the Software Development LifecycleSoftware Development Methodologies Waterfall Development Agile Development Chapter Summary References Security Assessment (A1): SDL Activities and Best Practices Software Security Team Is Looped in Early Software Security Hosts a Discovery Meeting Software Security Team Creates an SDL Project Plan Privacy Impact Assessment (PIA) Plan Initiated Security Assessment (A1) Key Success Factors and Metrics Key Success Factors Deliverables Metrics Chapter Summary ReferencesArchitecture (A2): SDL Activities and Best Practices A2 Policy Compliance Analysis SDL Policy Assessment and Scoping Threat Modeling/Architecture Security Analysis Threat Modeling Data Flow Diagrams Architectural Threat Analysis and Ranking of Threats Risk Mitigation Open-Source Selection Privacy Information Gathering and AnalysisKey Success Factors and Metrics Key Success Factors Deliverables Metrics Chapter Summary References Design and Development (A3): SDL Activities and Best Practices A3 Policy Compliance Analysis Security Test Plan Composition Threat Model Updating Design Security Analysis and Review Privacy Implementation AssessmentKey Success Factors and Metrics Key Success Factors Deliverables Metrics Chapter Summary References Design and Development (A4): SDL Activities and Best PracticesA4 Policy Compliance AnalysisSecurity Test Case Execution Code Review in the SDLC/SDL ProcessSecurity Analysis Tools Static Analysis Dynamic Analysis Fuzz Testing Manual Code Review Key Success FactorsDeliverablesMetrics Chapter Summary References Ship (A5): SDL Activities and Best PracticesA5 Policy Compliance AnalysisVulnerability Scan Penetration Testing Open-Source Licensing ReviewFinal Security Review Final Privacy ReviewKey Success Factors Deliverables Metrics Chapter Summary References Post-Release Support (PRSA1?5)Right-Sizing Your Software Security Group The Right Organizational Location The Right People The Right Process PRSA1: External Vulnerability Disclosure Response Post-Release PSIRT Response Post-Release Privacy Response Optimizing Post-Release Third-Party ResponsePRSA2: Third-Party Reviews PRSA3: Post-Release CertificationsPRSA4: Internal Review for New Product Combinations or Cloud DeploymentsPRSA5: Security Architectural Reviews and Tool-Based Assessments of Current, Legacy, and M&A Products and Solutions Legacy Code Mergers and Acquisitions (M&As) Key Success Factors DeliverablesMetrics Chapter SummaryReferencesApplying the SDL Framework to the Real World Introduction Build Software Securely Produce Secure Code Manual Code Review Static Analysis Determining the Right Activities for Each Project The Seven Determining Questions Architecture and Design TestingFunctional Testing Dynamic Testing Attack and Penetration Testing Independent TestingAgile: Sprints Key Success Factors and Metrics Secure Coding Training Program Secure Coding Frameworks (APIs) Manual Code Review Independent Code Review and Testing (by Experts or Third Parties) Static Analysis Risk Assessment Methodology Integration of SDL with SDLC Development of Architecture Talent MetricsChapter Summary ReferencesPulling It All Together: Using the SDL to Prevent Real-World ThreatsStrategic, Tactical, and User-Specific Software Attacks Strategic Attacks Tactical Attacks User-Specific Attacks Overcoming Organizational and Business Challenges with a Properly Designed, Managed, and Focused SDL Software Security Organizational Realities and Leverage Overcoming SDL Audit and Regulatory Challenges with Proper Governance Management Future Predications for Software Security The Bad News The Good News Conclusion References Appendix Index