"... an engaging book that will empower readers in both large and small software development and engineering organizations to build security into their products. ... Readers are armed with firm solutions for the fight against cyber threats." -- Dr. Dena Haritos Tsamitis, Carnegie Mellon University
Practical Core Software Security: A Reference Framework
By James F. Ransome, Mark S. Merkow, Anmol
- Publisher: Auerbach Pub
- Year: 2022
- Language: English
- Pages: 287
- Series: Contemporary Issues in Social Science Research
- Category: Library
Synopsis
This textbook explains developer-centric software security, a holistic process for building security into software as it is developed. As long as software is developed by humans, fixing it requires the human element. It outlines a step-by-step process for software security that is aimed at educating graduate and undergraduate students.
Table of Contents
Cover
Half Title
Title Page
Copyright Page
Dedications
Table of Contents
List of Figures
List of Tables
Preface
About the Book
Audience
Support
Structure
Assumptions
Acknowledgments
About the Authors
Chapter 1: Introduction
Chapter Overview
Chapter Take-Aways
1.1 The Importance and Relevance of Software Security
1.2 Software Security and the Software Development Life Cycle
1.3 Quality Versus Secure Code
1.4 The Three Most Important SDL Security Goals
1.5 Threat Modeling and Attack Surface Validation
1.6 Summary
Chapter Quick-Check
Exercises
References
Chapter 2: The Security Development Lifecycle
Chapter Overview
Chapter Take-Aways
2.1 Overcoming Challenges in Making Software Secure
2.2 Software Security Maturity Models
2.3 ISO/IEC 27034 - Information Technology - Security Techniques - Application Security
2.4 Other Resources for SDL Best Practices
2.4.1 SAFECode
2.4.2 U.S. Department of Homeland Security Software Assurance Program
2.4.3 National Institute of Standards and Technology
2.4.4 Common Computer Vulnerabilities and Exposures
2.4.5 SANS Institute Top Cyber Security Risks
2.4.6 U.S. Department of Defense Cyber Security and Information Systems Information Analysis Center (CSIAC)
2.4.7 CERT, Bugtraq®, and SecurityFocus
2.5 Critical Tools and Talent
2.5.1 The Tools
2.5.2 The Talent
2.6 Principles of Least Privilege
2.7 Privacy
2.8 The Importance of Metrics
2.9 Mapping the Security Development Lifecycle to the Software Development Life Cycle
2.10 Software Development Methodologies
2.10.1 Waterfall Development
2.10.2 Agile Development
2.11 Summary
Chapter Quick-Check
Exercises
References
Chapter 3: Security Assessment (A1): SDL Activities and Best Practices
Chapter Overview
Chapter Take-Aways
3.1 Software Security Team Is Looped in Early
3.2 Software Security Hosts a Discovery Meeting
3.3 Software Security Team Creates an SDL Project Plan
3.4 Privacy Impact Assessment (PIA) Plan Initiated
3.5 Security Assessment (A1) Key Success Factors and Metrics
3.5.1 Key Success Factors
3.5.2 Deliverables
3.5.3 Metrics
3.6 Summary
Chapter Quick-Check
Exercises
References
Chapter 4: Architecture (A2): SDL Activities and Best Practices
Chapter Overview
Chapter Take-Aways
4.1 A2 Policy Compliance Analysis
4.2 SDL Policy Assessment and Scoping
4.3 Threat Modeling/Architecture Security Analysis
4.3.1 Threat Modeling
4.3.2 Data Flow Diagrams
4.3.3 Architectural Threat Analysis and Ranking of Threats
4.3.4 Risk Mitigation
4.4 Open-Source Selection
4.5 Privacy Information Gathering and Analysis
4.6 Key Success Factors and Metrics
4.6.1 Key Success Factors
4.6.2 Deliverables
4.6.3 Metrics
4.7 Summary
Chapter Quick-Check
Exercises
References
Chapter 5: Design and Development (A3): SDL Activities and Best Practices
Chapter Overview
Chapter Take-Aways
5.1 A3 Policy Compliance Analysis
5.2 Security Test Plan Composition
5.3 Threat Model Updating
5.4 Design Security Analysis and Review
5.5 Privacy Implementation Assessment
5.6 Key Success Factors and Metrics
5.6.1 Key Success Factors
5.6.2 Deliverables
5.6.3 Metrics
5.7 Summary
Chapter Quick-Check
Exercises
References
Chapter 6: Design and Development (A4): SDL Activities and Best Practices
Chapter Overview
Chapter Take-Aways
6.1 A4 Policy Compliance Analysis
6.2 Security Test Case Execution
6.3 Code Review in the SDLC/SDL Process
6.4 Security Analysis Tools
6.4.1 Static Analysis
6.4.2 Dynamic Analysis
6.4.3 Fuzz Testing
6.4.4 Manual Code Review
6.5 Key Success Factors
6.6 Deliverables
6.7 Metrics
6.8 Summary
Chapter Quick-Check
Exercises
References
Chapter 7: Ship (A5): SDL Activities and Best Practices
Chapter Overview
Chapter Take-Aways
7.1 A5 Policy Compliance Analysis
7.2 Vulnerability Scan
7.3 Code-Assisted Penetration Testing
7.4 Open-Source Licensing Review
7.5 Final Security Review
7.6 Final Privacy Review
7.7 Key Success Factors
7.8 Deliverables
7.9 Metrics
7.10 Summary
Chapter Quick-Check
Exercises
References
Chapter 8: Post-Release Support (PRSA1-5)
Chapter Overview
Chapter Take-Aways
8.1 Right-Sizing Your Software Security Group
8.1.1 The Right Organizational Location
8.1.2 The Right People
8.1.3 The Right Process
8.2 PRSA1: External Vulnerability Disclosure Response
8.2.1 Post-Release PSIRT Response
8.2.2 Post-Release Privacy Response
8.2.3 Optimizing Post-Release Third-Party Response
8.3 PRSA2: Third-Party Reviews
8.4 PRSA3: Post-Release Certifications
8.5 PRSA4: Internal Review for New Product Combinations or Cloud Deployments
8.6 PRSA5: Security Architectural Reviews and Tool-Based Assessments of Current, Legacy, and M&A Products and Solutions
8.6.1 Legacy Code
8.6.2 Mergers and Acquisitions (M&As)
8.7 Key Success Factors
8.8 Deliverables
8.9 Metrics
8.10 Summary
Chapter Quick-Check
Exercises
References
Chapter 9: Adapting Our Reference Framework to Your Environment
Chapter Overview
Chapter Take-Aways
9.1 Overview of the Top Four Environments in Which You Are Likely to Deploy Your SDL
9.1.1 Agile
9.1.2 DevOps
9.1.3 Cloud
9.1.4 Digital Enterprise
9.2 Key Success Factors, Deliverables, and Metrics for Each Phase of Our SDL Reference Framework
9.3 Software Security Maturity Models and the SDL
9.3.1 Maturity Models for Security and Resilience
9.3.2 Software Assurance Maturity Model (OpenSAMM)
9.4 The Building Security In Maturity Model (BSIMM)
9.4.1 BSIMM Organization
9.4.2 BSIMM Software Security Framework
9.4.3 Deployment
9.4.4 BSIMM's 12 Practice Areas
9.4.5 Measuring Results with BSIMM
9.4.6 The BSIMM Community
9.4.7 Conducting a BSIMM Assessment
9.4.8 Section Summary
9.5 Enhancing Your Threat Modeling Practice As Part of the SDL
9.5.1 Practical Threat and Application Risk Modeling
9.5.2 MITRE ATT&CK® and MITRE D3FEND®
9.6 Pulling It All Together
9.7 Overcoming Organizational and Business Challenges with a Properly Designed, Managed, and Focused SDL
9.8 Software Security Organizational Realities and Leverage
9.9 Future Predictions for Software Security
9.9.1 The Bad News
9.9.2 The Good News
9.10 Comprehensive SDL Review
9.11 Conclusion
References
Appendix A: Case Study for Chapters 3 Through 8 Exercises
Appendix B: Answers to Chapter Quick-Check Questions
Glossary
Index