𝔖 Scriptorium
✦   LIBER   ✦
📁

Software Security Engineering: A Guide for Project Managers: A Guide for Project Managers (SEI Series in Software Engineering)

✍ Scribed by Julia H. Allen

Publisher
Addison-Wesley Professional
Year
2008
Tongue
English
Leaves
367
Category
Library
⬇  Acquire This Volume

No coin nor oath required. For personal study only.

✦ Synopsis

“This book’s broad overview can help an organization choose a set of processes, policies, and techniques that are appropriate for its security maturity, risk tolerance, and development style. This book will help you understand how to incorporate practical security techniques into all phases of the development lifecycle.”

      ―Steve Riley, senior security strategist, Microsoft Corporation

 

“There are books written on some of the topics addressed in this book, and there are other books on secure systems engineering. Few address the entire life cycle with a comprehensive overview and discussion of emerging trends and topics as well as this one.”

      ―Ronda Henning, senior scientist-software/security queen, Harris Corporation

 

Software that is developed from the beginning with security in mind will resist, tolerate, and recover from attacks more effectively than would otherwise be possible. While there may be no silver bullet for security, there are practices that project managers will find beneficial. With this management guide, you can select from a number of sound practices likely to increase the security and dependability of your software, both during its development and subsequently in its operation.

 

Software Security Engineering draws extensively on the systematic approach developed for the Build Security In (BSI) Web site. Sponsored by the Department of Homeland Security Software Assurance Program, the BSI site offers a host of tools, guidelines, rules, principles, and other resources to help project managers address security issues in every phase of the software development life cycle (SDLC). The book’s expert authors, themselves frequent contributors to the BSI site, represent two well-known resources in the security world: the CERT Program at the Software Engineering Institute (SEI) and Cigital, Inc., a consulting firm specializing in software security.

 

This book will help you understand why

  • Software security is about more than just eliminating vulnerabilities and conducting penetration tests
  • Network security mechanisms and IT infrastructure security services do not sufficiently protect application software from security risks
  • Software security initiatives should follow a risk-management approach to identify priorities and to define what is “good enough”―understanding that software security risks will change throughout the SDLC
  • Project managers and software engineers need to learn to think like an attacker in order to address the range of functions that software should not do, and how software can better resist, tolerate, and recover when under attack

Chapter 1: Why Is Security a Software Issue? 1

1.1 Introduction 1

1.2 The Problem 2

1.3 Software Assurance and Software Security 6

1.4 Threats to Software Security 9

1.5 Sources of Software Insecurity 11

1.6 The Benefits of Detecting Software Security Defects Early 13

1.7 Managing Secure Software Development 18

1.8 Summary 23

 

Chapter 2: What Makes Software Secure? 25

2.1 Introduction 25

2.2 Defining Properties of Secure Software 26

2.3 How to Influence the Security Properties of Software 36

2.4 How to Assert and Specify Desired Security Properties 61

2.5 Summary 71

 

Chapter 3: Requirements Engineering for Secure Software 73

3.1 Introduction 73

3.2 Misuse and Abuse Cases 78

3.3 The SQUARE Process Model 84

3.4 SQUARE Sample Outputs 91

3.5 Requirements Elicitation 99

3.6 Requirements Prioritization 106

3.7 Summary 112

 

Chapter 4: Secure Software Architecture and Design 115

4.1 Introduction 115

4.2 Software Security Practices for Architecture and Design: Architectural Risk Analysis 119

4.3 Software Security Knowledge for Architecture and Design: Security Principles, Security Guidelines, and Attack Patterns 137

4.4 Summary 148

 

Chapter 5: Considerations for Secure Coding and Testing 151

5.1 Introduction 151

5.2 Code Analysis 152

5.3 Coding Practices 160

5.4 Software Security Testing 163

5.5 Security Testing Considerations Throughout the SDLC 173

5.6 Summary 180

 

Chapter 6: Security and Complexity: System Assembly Challenges 183

6.1 Introduction 183

6.2 Security Failures 186

6.3 Functional and Attacker Perspectives for Security Analysis: Two Examples 189

6.4 System Complexity Drivers and Security 203

6.5 Deep Technical Problem Complexity 215

6.6 Summary 217

 

Chapter 7: Governance, and Managing for More Secure Software 221

7.1 Introduction 221

7.2 Governance and Security 223

7.3 Adopting an Enterprise Software Security Framework 226

7.4 How Much Security Is Enough? 236

7.5 Security and Project Management 244

7.6 Maturity of Practice 259

7.7 Summary 266

 

Chapter 8: Getting Started 267

8.1 Where to Begin 269

8.2 In Closing 281

✦ Table of Contents

Cover
Contents
Foreword
Preface
About the Authors
Chapter 1: Why Is Security a Software Issue?
1.1 Introduction
1.2 The Problem
1.2.1 System Complexity: The Context within Which Software Lives
1.3 Software Assurance and Software Security
1.3.1 The Role of Processes and Practices in Software Security
1.4 Threats to Software Security
1.5 Sources of Software Insecurity
1.6 The Benefits of Detecting Software Security Defects Early
1.6.1 Making the Business Case for Software Security: Current State
1.7 Managing Secure Software Development
1.7.1 Which Security Strategy Questions Should I Ask?
1.7.2 A Risk Management Framework for Software Security
1.7.3 Software Security Practices in the Development Life Cycle
1.8 Summary
Chapter 2: What Makes Software Secure?
2.1 Introduction
2.2 Defining Properties of Secure Software
2.2.1 Core Properties of Secure Software
2.2.2 Influential Properties of Secure Software
2.3 How to Influence the Security Properties of Software
2.3.1 The Defensive Perspective
2.3.2 The Attacker’s Perspective
2.4 How to Assert and Specify Desired Security Properties
2.4.1 Building a Security Assurance Case
2.4.2 A Security Assurance Case Example
2.4.3 Incorporating Assurance Cases into the SDLC
2.4.4 Related Security Assurance and Compliance Efforts
2.4.5 Maintaining and Benefitting from Assurance Cases
2.5 Summary
Chapter 3: Requirements Engineering for Secure Software
3.1 Introduction
3.1.1 The Importance of Requirements Engineering
3.1.2 Quality Requirements
3.1.3 Security Requirements Engineering
3.2 Misuse and Abuse Cases
3.2.1 Security Is Not a Set of Features
3.2.2 Thinking About What You Can’t Do
3.2.3 Creating Useful Misuse Cases
3.2.4 An Abuse Case Example
3.3 The SQUARE Process Model
3.3.1 A Brief Description of SQUARE
3.3.2 Tools
3.3.3 Expected Results
3.4 SQUARE Sample Outputs
3.4.1 Output from SQUARE Steps
3.4.2 SQUARE Final Results
3.5 Requirements Elicitation
3.5.1 Overview of Several Elicitation Methods
3.5.2 Elicitation Evaluation Criteria
3.6 Requirements Prioritization
3.6.1 Identify Candidate Prioritization Methods
3.6.2 Prioritization Technique Comparison
3.6.3 Recommendations for Requirements Prioritization
3.7 Summary
Chapter 4: Secure Software Architecture and Design
4.1 Introduction
4.1.1 The Critical Role of Architecture and Design
4.1.2 Issues and Challenges
4.2 Software Security Practices for Architecture and Design: Architectural Risk Analysis
4.2.1 Software Characterization
4.2.2 Threat Analysis
4.2.3 Architectural Vulnerability Assessment
4.2.4 Risk Likelihood Determination
4.2.5 Risk Impact Determination
4.2.6 Risk Mitigation Planning
4.2.7 Recapping Architectural Risk Analysis
4.3 Software Security Knowledge for Architecture and Design: Security Principles, Security Guidelines, and Attack Patterns
4.3.1 Security Principles
4.3.2 Security Guidelines
4.3.3 Attack Patterns
4.4 Summary
Chapter 5: Considerations for Secure Coding and Testing
5.1 Introduction
5.2 Code Analysis
5.2.1 Common Software Code Vulnerabilities
5.2.2 Source Code Review
5.3 Coding Practices
5.3.1 Sources of Additional Information on Secure Coding
5.4 Software Security Testing
5.4.1 Contrasting Software Testing and Software Security Testing
5.4.2 Functional Testing
5.4.3 Risk-Based Testing
5.5 Security Testing Considerations Throughout the SDLC
5.5.1 Unit Testing
5.5.2 Testing Libraries and Executable Files
5.5.3 Integration Testing
5.5.4 System Testing
5.5.5 Sources of Additional Information on Software Security Testing
5.6 Summary
Chapter 6: Security and Complexity: System Assembly Challenges
6.1 Introduction
6.2 Security Failures
6.2.1 Categories of Errors
6.2.2 Attacker Behavior
6.3 Functional and Attacker Perspectives for Security Analysis: Two Examples
6.3.1 Web Services: Functional Perspective
6.3.2 Web Services: Attacker’s Perspective
6.3.3 Identity Management: Functional Perspective
6.3.4 Identity Management: Attacker’s Perspective
6.3.5 Identity Management and Software Development
6.4 System Complexity Drivers and Security
6.4.1 Wider Spectrum of Failures
6.4.2 Incremental and Evolutionary Development
6.4.3 Conflicting or Changing Goals Complexity
6.5 Deep Technical Problem Complexity
6.6 Summary
Chapter 7: Governance, and Managing for More Secure Software
7.1 Introduction
7.2 Governance and Security
7.2.1 Definitions of Security Governance
7.2.2 Characteristics of Effective Security Governance and Management
7.3 Adopting an Enterprise Software Security Framework
7.3.1 Common Pitfalls
7.3.2 Framing the Solution
7.3.3 Define a Roadmap
7.4 How Much Security Is Enough?
7.4.1 Defining Adequate Security
7.4.2 A Risk Management Framework for Software Security
7.5 Security and Project Management
7.5.1 Project Scope
7.5.2 Project Plan
7.5.3 Resources
7.5.4 Estimating the Nature and Duration of Required Resources
7.5.5 Project and Product Risks
7.5.6 Measuring Software Security
7.6 Maturity of Practice
7.6.1 Protecting Information
7.6.2 Audit’s Role
7.6.3 Operational Resilience and Convergence
7.6.4 A Legal View
7.6.5 A Software Engineering View
7.6.6 Exemplars
7.7 Summary
Chapter 8: Getting Started
8.1 Where to Begin
8.2 In Closing
Glossary
A
B
C
D
E
F
H
I
M
N
P
R
S
T
U
V
W
Z
References
Build Security In Web Site References
Index
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
Z

📜 SIMILAR VOLUMES

Applied Software Risk Management: A Guid
📁 Applied Software Risk Management: A Guide for Software Project Managers
✍ C. Ravindranath Pandian 📂 Library 📅 2006 🏛 Auerbach Publications 🌐 English

Few software projects are completed on time, on budget, and to their original specifications. Focusing on what practitioners need to know about risk in the pursuit of delivering software projects, Applied Software Risk Management: A Guide for Software Project Managers covers key components of the r

Applied Software Risk Management: A Guid
📁 Applied Software Risk Management: A Guide for Software Project Managers
✍ Ravindranath C. Pandian 📂 Library 📅 2006 🏛 Auerbach Publications 🌐 English

Few software projects are completed on time, on budget, and to their original specifications. Focusing on what practitioners need to know about risk in the pursuit of delivering software projects, Applied Software Risk Management: A Guide for Software Project Managers covers key components of the r

Applied Software Risk Management: A Guid
📁 Applied Software Risk Management: A Guide for Software Project Managers
✍ C. Ravindranath Pandian 📂 Library 📅 2006 🏛 Auerbach Publications 🌐 English

Few software projects are completed on time, on budget, and to their original specification. Research supports that projects usually fail due to management, rather than technical, mistakes. Focusing on what practitioners need to know about risk in the pursuit of delivering software projects, Applied

Project Management for Automotive Engine
📁 Project Management for Automotive Engineers: A Field Guide
✍ Jon M. Quigley, Roopa Jha Shenoy 📂 Library 📅 2016 🏛 SAE International 🌐 English

<em>Project Management for Automotive Engineers: A Field Guide</em> was developed to help automotive engineers be better project managers as automotive projects involve suppliers dispersed across the globe, and can often span multiple years. Project scope change is common, and so too are the budget

Project Management for Automotive Engine
📁 Project Management for Automotive Engineers: A Field Guide
✍ Jon M. Quigley, Roopa Jha Shenoy 📂 Library 📅 2016 🏛 SAE International 🌐 English

<em>Project Management for Automotive Engineers: A Field Guide</em> was developed to help automotive engineers be better project managers as automotive projects involve suppliers dispersed across the globe, and can often span multiple years. Project scope change is common, and so too are the budget

Managing Risk: Methods for Software Syst
📁 Managing Risk: Methods for Software Systems Development (SEI Series in Software Engineering)
✍ Elaine M. Hall 📂 Library 📅 1998 🏛 Addison Wesley 🌐 English

"The increasing rate of technological change we are experiencing in our lifetime yields competitive advantage to organizations and individuals who are willing to embrace risk and the opportunities it presents. Those who choose to minimize or avoid risk, as opposed to managing it, set a course for ob