وبلاگ بلیان

Building in security at agile speed subtitle

جلد کتاب Building in security at agile speed subtitle

معرفی کتاب «Building in security at agile speed subtitle» نوشتهٔ James Ransome, Brook S. E. Schoenfield, James F. Ransome، منتشرشده توسط نشر Auerbach Publications در سال 2021. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.

__Today's high-speed and rapidly changing development environments demand equally high-speed security practices. Still, achieving security remains a human endeavor, a core part of designing, generating and verifying software. Dr. James Ransome and Brook S.E. Schoenfield have built upon their previous works to explain that security starts with people; ultimately, humans generate software security. People collectively act through a particular and distinct set of methodologies, processes, and technologies that the authors have brought together into a newly designed, holistic, generic software development lifecycle facilitating software security at Agile, DevOps speed**.**__ ―Eric. S. Yuan, Founder and CEO, Zoom Video Communications, Inc. It is essential that we embrace a mantra that ensures security is baked in throughout any development process. Ransome and Schoenfield leverage their abundance of experience and knowledge to clearly define why and how we need to build this new model around an understanding that the human element is the ultimate key to success. **―Jennifer Sunshine Steffens, CEO of IOActive** __Both practical and strategic, **Building in Security at Agile Speed** is an invaluable resource for change leaders committed to building secure software solutions in a world characterized by increasing threats and uncertainty. Ransome and Schoenfield brilliantly demonstrate why creating robust software is a result of not only technical, but deeply human elements of agile ways of working.__ **__―__Jorgen Hesselberg, author of __Unlocking Agility__ and Cofounder of Comparative Agility** __The proliferation of open source components and distributed software services makes the principles detailed in **Building in Security at Agile Speed** more relevant than ever. Incorporating the principles and detailed guidance in this book into your SDLC is a must for all software developers and IT organizations.__ **__―__George K Tsantes, CEO of Cyberphos, former partner at Accenture and Principal at EY** Detailing the people, processes, and technical aspects of software security, **__Building in Security at Agile Speed__** emphasizes that the people element remains critical because software is developed, managed, and exploited by humans. This book presents a step-by-step process for software security that uses today’s technology, operational, business, and development methods with a focus on best practice, proven activities, processes, tools, and metrics for any size or type of organization and development practice. Cover Half Title Title Page Copyright Page Dedications Table of Contents Foreword Preface Acknowledgments About the Authors Chapter 1: Setting the Stage 1.1 Introduction 1.2 Current Events 1.3 The State of Software Security 1.4 What Is Secure Software? 1.5 Developing an SDL Model That Can Work with Any Development Methodology 1.5.1 Our Previous Secure Development Lifecycle Design and Methodology 1.5.2 Mapping the Security Development Lifecycle (SDL) to the Software Development Life Cycle (SDLC) 1.5.3 Software Development Methodologies 1.6 The Progression from Waterfall and Agile to Scrum: A Management Perspective 1.6.1 DevOps and CI/CD 1.6.2 Cloud Services 1.6.3 Platform Services 1.6.4 Automation 1.6.5 General Testing and Quality Assurance 1.6.6 Security Testing 1.6.7 DevSecOps 1.6.8 Education 1.6.9 Architects and Principal Engineers 1.6.10 Pulling It All Together Using Visual Analogies 1.6.11 DevOps Best Practices 1.6.12 Optimizing Your Team Size 1.7 Chapter Summary Chapter 2: Software Development Security Management in an Agile World 2.1 Introduction 2.2 Building and Managing the DevOps Software Security Organization 2.2.1 Use of the Term DevSecOps 2.2.2 Product Security Organizational Structure 2.2.3 Software Security Program Management 2.2.4 Software Security Organizational Realities and Leverage 2.2.5 Software Security Organizational and People Management Tips 2.3 Security Tools, Automation, and Vendor Management 2.3.1 Security Tools and Automation 2.3.2 DevOps Tools: Going Beyond the SDL 2.3.3 Vendor Management 2.4 DevOps Security Incident Response 2.4.1 Internal Response to Defects and Security Vulnerabilities in Your Source Code 2.4.2 External Response to Security Vulnerabilities Discovered in Your Product Source Code 2.4.3 Post-Release PSIRT Response 2.4.4 Optimizing Post-Release Third-Party Response 2.4.5 Key Success Factors 2.5 Security Training Management 2.6 Security Budget Management 2.6.1 Preparing and Delivering the Budget Message 2.6.2 Other Things to Consider When Preparing Your Budget 2.7 Security Governance, Risk, and Compliance (GRC) Management 2.7.1 SDL Coverage of Relevant Regulations, Certifications, and Compliance Frameworks 2.7.2 Third-Party Reviews 2.7.3 Post-Release Certifications 2.7.4 Privacy 2.8 Security Metrics Management 2.8.1 The Importance of Metrics 2.8.2 SDL Specific Metrics 2.8.3 Additional Security Metrics Focused on Optimizing Your DevOps Environment 2.9 Mergers and Acquisitions (M&A) Management 2.9.1 Open Source M&A Considerations 2.10 Legacy Code Management 2.11 Chapter Summary Chapter 3: A Generic Security Development Lifecycle (SDL) 3.1 Introduction 3.2 Build Software Securely 3.2.1 Produce Secure Code 3.2.2 Manual Code Review 3.2.3 Static Analysis 3.2.4 Third-Party Code Assessment 3.2.5 Patch (Upgrade or Fix) Issues Identified in Third-Party Code 3.3 Determining the Right Activities for Each Project 3.3.1 The SDL Determining Questions 3.4 Architecture and Design 3.5 Testing 3.5.1 Functional Testing 3.5.2 Dynamic Testing 3.5.3 Attack and Penetration Testing 3.5.4 Independent Testing 3.6 Assess and Threat Model Build/Release/Deploy/Operate Chain 3.7 Agile: Sprints 3.8 Key Success Factors and Metrics 3.8.1 Secure Coding Training Program 3.8.2 Secure Coding Frameworks (APIs) 3.8.3 Manual Code Review 3.8.4 Independent Code Review and Testing (by Experts or Third Parties) 3.8.5 Static Analysis 3.8.6 Risk Assessment Methodology 3.8.7 Integration of SDL with SDLC 3.8.8 Development of Architecture Talent 3.8.9 Metrics 3.9 Chapter Summary Chapter 4: Secure Design through Threat Modeling 4.1 Threat Modeling Is Foundational 4.2 Secure Design Primer 4.3 Analysis Technique 4.3.1 Before the Threat Model 4.3.2 Pre-Analysis Knowledge 4.3.3 ATASM Process 4.3.4 Target System Discovery 4.4 A Short “How To” Primer 4.4.1 Enumerate CAV 4.4.2 Structure, Detail, and Abstraction 4.4.3 Rating Risk 4.4.4 Identifying Defenses 4.5 Threat Model Automation 4.6 Chapter Summary Chapter 5: Enhancing Software Development Security Management in an Agile World 5.1 Introduction 5.2 Building and Managing the DevOps Software Security Organization 5.2.1 Continuous and Integrated Security 5.2.2 Security Mindset versus Dedicated Security Organization 5.2.3 Optimizing Security to Prevent Real-World Threats 5.3 Security Tools, Automation, and Vendor Management 5.3.1 Static Application Security Testing (SAST) 5.3.2 Dynamic Analysis Security Testing (DAST) 5.3.3 Fuzzing and Continuous Delivery 5.3.4 Unit and Functional Testing 5.3.5 Integration Testing 5.3.6 Automate Red Team Testing 5.3.7 Automate Pen Testing 5.3.8 Vulnerability Management 5.3.9 Automated Configuration Management 5.3.10 Software Composition Analysis 5.3.11 Bug Bounty Programs 5.3.12 Securing Your Continuous Delivery Pipeline 5.3.13 Vendor Management 5.4 DevOps Security Incident Response 5.4.1 Organizational Structure 5.4.2 Proactive Hunting 5.4.3 Continuous Detection and Response 5.4.4 Software Bill of Materials 5.4.5 Organizational Management 5.5 Security Training Management 5.5.1 People 5.5.2 Process 5.5.3 Technology 5.6 Security Budget Management 5.7 Security Governance, Risk, and Compliance (GRC) Management 5.8 Security Metrics Management 5.9 Mergers and Acquisitions (M&A) Management 5.10 Legacy Code Management 5.10.1 Security Issues 5.10.2 Legal and Compliance Issues 5.11 Chapter Summary Chapter 6: Culture Hacking 6.1 Introduction 6.2 Culture Must Shift 6.3 Hack All Levels 6.3.1 Executive Support 6.3.2 Mid-Management Make or Break 6.3.3 Accept All Help 6.4 Trust Developers 6.5 Build a Community of Practice 6.6 Threat Model Training Is for Everyone 6.7 Audit and Security Are Not the Same Thing 6.8 An Organizational Management Perspective 6.8.1 Security Cultural Change 6.8.2 Security Incident Response 6.8.3 Security Training 6.8.4 Security Technical Debt (Legacy Software) 6.9 Summary/Conclusion Appendix A: The Generic Security Development Lifecycle Index "... An engaging book that will empower readers in both large and small software development and engineering organizations to build security into their products. ... Readers are armed with firm solutions for the fight against cyber threats."-Dr. Dena Haritos Tsamitis. Carnegie Mellon University"... a must read for security specialists, software developers and software engineers. ... should be part of every security professional's library." -Dr. Larry Ponemon, Ponemon Institute"... the definitive how-to guide for software security professionals. Dr. Ransome, Anmol Misra, and Brook Schoenfield deftly outline the procedures and policies needed to integrate real security into the software development process. ...A must-have for anyone on the front lines of the Cyber War ..." -Cedric Leighton, Colonel, USAF (Ret.), Cedric Leighton Associates"Dr. Ransome, Anmol Misra, and Brook Schoenfield give you a magic formula in this book - the methodology and process to build security into the entire software development life cycle so that the software is secured at the source! "-Eric S. Yuan, Zoom Video CommunicationsThere is much publicity regarding network security, but the real cyber Achilles' heel is insecure software. Millions of software vulnerabilities create a cyber house of cards, in which we conduct our digital lives. In response, security people build ever more elaborate cyber fortresses to protect this vulnerable software. Despite their efforts, cyber fortifications consistently fail to protect our digital treasures. Why? The security industry has failed to engage fully with the creative, innovative people who write software.Core Software Security expounds developer-centric software security, a holistic process to engage creativity for security. As long as software is developed by humans, it requires the human element to fix it. Developer-centric security is not only feasible but also cost effective and operationally relevant. The methodology builds security into software development, which lies at the heart of our cyber infrastructure. Whatever development method is employed, software must be secured at the source. Book Highlights: Supplies a practitioner's view of the SDL Considers Agile as a security enabler Covers the privacy elements in an SDL Outlines a holistic business-savvy SDL framework that includes people, process, and technology Highlights the key success factors, deliverables, and metrics for each phase of the SDL Examines cost efficiencies, optimized performance, and organizational structure of a developer-centric software security program and PSIRT Includes a chapter by noted security architect Brook Schoenfield who shares his insights and experiences in applying the book's SDL framework View the authors' website at http://www.androidinsecurity.com "... an engaging book that will empower readers in both large and small software development and engineering organizations to build security into their products. ... Readers are armed with firm solutions for the fight against cyber threats." Dr. Dena Haritos Tsamitis. Carnegie Mellon University "... a must read for security specialists, software developers and software engineers. ... should be part of every security professionals library . " Dr. Larry Ponemon, Ponemon Institute "... the definitive how-to guide for software security professionals. Dr. Ransome, Anmol Misra, and Brook Schoenfield deftly outline the procedures and policies needed to integrate real security into the software development process. ...A must-have for anyone on the front lines of the Cyber War ..." Cedric Leighton, Colonel, USAF (Ret.), Cedric Leighton Associates "Dr. Ransome, Anmol Misra, and Brook Schoenfield give you a magic formula in this book - the methodology and process to build security into the entire software development life cycle so that the software is secured at the source! " Eric S. Yuan, Zoom Video Communications There is much publicity regarding network security, but the real cyber Achilles heel is insecure software. Millions of software vulnerabilities create a cyber house of cards, in which we conduct our digital lives. In response, security people build ever more elaborate cyber fortresses to protect this vulnerable software. Despite their efforts, cyber fortifications consistently fail to protect our digital treasures. Why? The security industry has failed to engage fully with the creative, innovative people who write software. Core Software Security expounds developer-centric software security, a holistic process to engage creativity for security. As long as software is developed by humans, it requires the human element to fix it. Developer-centric security is not only feasible but also cost effective and operationally relevant. The methodology builds security into software development, which lies at the heart of our cyber infrastructure. Whatever development method is employed, software must be secured at the source . Book View the authors' website at Any organization with valuable data has been or will be attacked, probably successfully, at some point and with some damage. And, don't all digitally connected organizations have at least some data that can be considered'valuable'?Cyber security is a big, messy, multivariate, multidimensional arena. A reasonable'defense-in-depth'requires many technologies; smart, highly skilled people; and deep and broad analysis, all of which must come together into some sort of functioning whole, which is often termed a security architecture. Secrets of a Cyber Security Architect is about security architecture in practice. Expert security architects have dozens of tricks of their trade in their kips. In this book, author Brook S. E. Schoenfield shares his tips and tricks, as well as myriad tried and true bits of wisdom that his colleagues have shared with him. Creating and implementing a cyber security architecture can be hard, complex, and certainly frustrating work. This book is written to ease this pain and show how to express security requirements in ways that make the requirements more palatable and, thus, get them accomplished. It also explains how to surmount individual, team, and organizational resistance. The book covers: What security architecture is and the areas of expertise a security architect needs in practice The relationship between attack methods and the art of building cyber defenses Why to use attacks and how to derive a set of mitigations and defenses Approaches, tricks, and manipulations proven successful for practicing security architecture Starting, maturing, and running effective security architecture programs Secrets of the trade for the practicing security architecture Tricks to surmount typical problems Filled with practical insight, Secrets of a Cyber Security Architect is the desk reference every security architect needs to thwart the constant threats and dangers confronting every digitally connected organization. Internet attack on computer systems is pervasive. It can take from less than a minute to as much as eight hours for an unprotected machine connected to the Internet to be completely compromised. It is the information security architect's job to prevent attacks by securing computer systems. This book describes both the process and the practice of assessing a computer system's existing information security posture. Detailing the time-tested practices of experienced security architects, it explains how to deliver the right security at the right time in the implementation lifecycle. Securing Systems: Applied Security Architecture and Threat Models covers all types of systems, from the simplest applications to complex, enterprise-grade, hybrid cloud architectures. It describes the many factors and prerequisite information that can influence an assessment. The book covers the following key aspects of security analysis: * When should the security architect begin the analysis? * At what points can a security architect add the most value? * What are the activities the architect must execute? * How are these activities delivered? * What is the set of knowledge domains applied to the analysis? * What are the outputs? * What are the tips and tricks that make security architecture risk assessment easier? To help you build skill in assessing architectures for security, the book presents six sample assessments. Each assessment examines a different type of system architecture and introduces at least one new pattern for security analysis. The goal is that after you've seen a sufficient diversity of architectures, you'll be able to understand varied architectures and can better see the attack surfaces and prescribe security solutions Any organization with valuable data has been or will be attacked, probably successfully, at some point and with some damage. And, don't all digitally connected organizations have at least some data that can be considered "valuable"? Cyber security is a big, messy, multivariate, multidimensional arena. A reasonable "defense-in-depth" requires many technologies; smart, highly skilled people; and deep and broad analysis, all of which must come together into some sort of functioning whole, which is often termed a security architecture. Secrets of a Cyber Security Architect is about security architecture in practice. Expert security architects have dozens of tricks of their trade in their kips. In this book, author Brook S. E. Schoenfield shares his tips and tricks, as well as myriad tried and true bits of wisdom that his colleagues have shared with him. Creating and implementing a cyber security architecture can be hard, complex, and certainly frustrating work. This book is written to ease this pain and show how to express security requirements in ways that make the requirements more palatable and, thus, get them accomplished. It also explains how to surmount individual, team, and organizational resistance. The book Filled with practical insight, Secrets of a Cyber Security Architect is the desk reference every security architect needs to thwart the constant threats and dangers confronting every digitally connected organization. "This book outlines a step-by-step process for software security that is relevant to today's technical, operational, business, and development environments. The authors focus on what humans can do to control and manage a secure software development process in the form of best practices and metrics. Although security issues will always exist, this book will teach you how to maximize an organizations ability to minimize vulnerabilities in your software products before they are released or deployed by building security into the development process. This book is targeted towards anyone who is interested in learning about software security in an enterprise environment to include product security and quality executives, software security architects, security consultants, software development engineers, enterprise SDLC program managers, chief information security officers, chief technology officers, and chief privacy officers whose companies develop software. If you want to learn about how software security should be implemented in developing enterprise software, this is a book you don't want to skip"-- Provided by publisher This Book Is Filled With Techniques, Tips, And Tricks That Secure Software Architects And Developers Can Apply Directly. From Assessing The Sensitivity Of Data In A System Through Actually Getting Requirements Implemented, This Book Offers Readers Practical, How-to Advice In Small, Focused And Directly Applicable Gems Of Insight, Knowledge, And Wisdom From Secure Software Principal Architect Brook S.e. Schoenfield. The Book Is Organized By Applicability Of Topics That Include Getting Security Architecture Started, Helping Architects Be Effective, Working With Partner Teams, Assessing Systems, Driving Security Requirements To Completion, And Programmatic Hints. The authors bring a "voice from the trenches" describing best practices for effective security development. This book is a must-read for product security practitioners, managers, and advocates for a safer cyber world. Its successful secure, resilient, and agile software development practices exceed the demands of today's digital world. James Ransome, Anmol Misra ; Contruibuting Author (chapter 9) Brook Schoenfield ; Foreword By Howard Schmidt. Includes Bibliographical References.
دانلود کتاب Building in security at agile speed subtitle