Security-Driven Software Development: Learn to analyze and mitigate risks in your software projects
Scribed by Aspen Olmsted
- Publisher
- Packt Publishing Pvt Ltd
- Year
- 2024
- Tongue
- English
- Leaves
- 342
- Category
- Library
Synopsis
Trace security requirements through each development phase, mitigating multiple-layer attacks with practical examples, and emerge equipped with the skills to build resilient applications
Key Features
Explore the practical application of secure software development methodologies
Model security vulnerabilities throughout the software development lifecycle (SDLC)
Develop the skills to trace requirements, from requirements gathering through to implementation
Book Description
Extend your software development skills to integrate security into every aspect of your projects. Perfect for any programmer or developer working on mission-critical applications, this hands-on guide helps you adopt secure software development practices. Explore core concepts like security specification, modeling, and threat mitigation with the iterative approach of this book that allows you to trace security requirements through each phase of software development. You won't stop at the basics; you'll delve into multiple-layer attacks and develop the mindset to prevent them. Through an example application project involving an entertainment ticketing software system, you'll look at high-profile security incidents that have affected popular music stars and performers. Drawing from the author's decades of experience building secure applications in this domain, this book offers comprehensive techniques where problem-solving meets practicality for secure development.
By the end of this book, you'll have gained the expertise to systematically secure software projects, from crafting robust security specifications to adeptly mitigating multifaceted threats, ensuring your applications stand resilient in the face of evolving cybersecurity challenges.
What you will learn
Find out non-functional requirements crucial for software security, performance, and reliability
Develop the skills to identify and model vulnerabilities in software design and analysis
Analyze and model various threat vectors that pose risks to software applications
Acquire strategies to mitigate security threats specific to web applications
Address threats to the database layer of an application
Trace non-functional requirements through secure software design
Who this book is for
Many software development jobs require developing, maintaining, enhancing, administering, and defending software applications, websites, and scripts. This book is designed for software developers and web developers seeking to excel in these roles, offering concise explanations and applied example use-cases.
Table of Contents
Security-Driven Software Development
Contributors
About the author
About the reviewer
Preface
Who this book is for
What this book covers
To get the most out of this book
Conventions used
Get in touch
Share your thoughts
Download a free PDF copy of this book
Part 1: Modeling a Secure Application
1
Security Principles
What could go wrong?
Principles
Open Web Application Security Project
NIST's Secure Software Development Framework
MITRE frameworks
Software development lifecycles
Microsoft's Security Development Lifecycle
Confidentiality, integrity, and availability
Summary
Self-assessment questions
Answers
2
Designing a Secure Functional Model
Requirements gathering and specification
Non-functional requirements and security
Capturing scenarios
Textual use cases and misuse cases
Graphical use cases and misuse cases
Graphical use case diagram
Graphical misuse case diagram
Example enterprise secure functional model
Purchase of tickets via self-service
Trying to purchase tickets beyond the patron limit
Summary
Self-assessment questions
Answers
3
Designing a Secure Object Model
Identify objects and relationships
Class diagrams
Stereotypes
Invariants
Example of the enterprise secure object model
Summary
Self-assessment questions
Answers
4
Designing a Secure Dynamic Model
Technical requirements
Object behavior
Modeling interactions between objects
UML sequence diagrams
UML activity diagrams
Constraints
Example of the enterprise secure dynamic model
Summary
Self-assessment questions
Answers
5
Designing a Secure System Model
Partitions
Modeling interactions between partitions
UML component diagrams
Patterns
Example – developing an enterprise secure system model
Summary
Self-assessment questions
Answers
6
Threat Modeling
Threat model overview
The STRIDE threat model
The DREAD threat model
Attack trees
Mitigations
Microsoft Threat Modeling Tool
Example of an enterprise threat model
Summary
Self-assessment questions
Answers
Part 2: Mitigating Risks in Implementation
7
Authentication and Authorization
Authentication
Authorization
Security Models
Single sign-on and open authorization
Single sign-on (SSO)
Open authorization (OAuth)
Implementing SSO and OAuth with Google
Example of enterprise implementation
Summary
Self-assessment questions
Answers
8
Input Validation and Sanitization
Input validation
Input sanitization
Language-specific defenses
Buffer overflows
Example of the enterprise input validation and sanitization
Summary
Self-assessment questions
Answers
9
Standard Web Application Vulnerabilities
Injection attacks
Broken authentication and session management
Request forgery
Language-specific defenses
Example of enterprise web defenses
Summary
Self-assessment questions
Answers
10
Database Security
Overview of SQL
SQL injection
Maintaining database correctness
Managing activity concurrency
Language-specific defenses
RBAC security in DBMS
Encryption in DBMS
An example of enterprise DB security
Summary
Self-assessment questions
Answers
Part 3: Security Validation
11
Unit Testing
The principles of unit testing
The advantages of unit testing
Unit testing frameworks
An example of enterprise threat model
PHPUnit
JUnit
PyUnit
Summary
Self-assessment questions
Answers
12
Regression Testing
Regression testing overview
Key concepts
Process
Benefits
Robotic process automation
The intersection of RPA and regression testing
Regression testing tools
Load testing
Integration and complementarity
UI.Vision RPA
Example of the enterprise regression tests
Summary
Self-assessment questions
Answers
13
Integration, System, and Acceptance Testing
Types of integration tests
Mocks
Stubs
Examples of enterprise integration testing
System testing
Acceptance testing
Summary
Self-assessment questions
Answers
14
Software Penetration Testing
Types of tests
Phases
Tools
Information gathering and reconnaissance
Vulnerability analysis and exploitation
Post-exploitation and privilege escalation
Network sniffing
Forensics and monitoring
Reporting and documentation
An example of an enterprise penetration test report
High-level summary
Host analysis
Summary
Self-assessment questions
Answers
Index
Why subscribe?
Other Books You May Enjoy
Packt is searching for authors like you
Share your thoughts
Download a free PDF copy of this book