Practical Core Software Security: A Reference Framework (Contemporary Issues in Social Science Research)
معرفی کتاب «Practical Core Software Security: A Reference Framework (Contemporary Issues in Social Science Research)» نوشتهٔ Suhas Kshirsagar و James F. Ransome; Anmol Misra; Mark S. Merkow، منتشرشده توسط نشر Auerbach Publications در سال 2022. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.
As long as humans write software, the key to successful software security is making the software development program process more efficient and effective. Although the approach of this textbook includes people, process, and technology approaches to software security, Practical Core Software Security: A Reference Framework stresses the people element of software security, which is still the most important part to manage as software is developed, controlled, and exploited by humans. The text outlines a step-by-step process for software security that is relevant to today’s technical, operational, business, and development environments. It focuses on what humans can do to control and manage a secure software development process using best practices and metrics. Although security issues will always exist, students learn how to maximize an organization’s ability to minimize vulnerabilities in software products before they are released or deployed by building security into the development process. The authors have worked with Fortune 500 companies and have often seen examples of the breakdown of security development lifecycle (SDL) practices. The text takes an experience-based approach to apply components of the best available SDL models in dealing with the problems described above. Software security best practices, an SDL model, and framework are presented in this book. Starting with an overview of the SDL, the text outlines a model for mapping SDL best practices to the software development life cycle (SDLC). It explains how to use this model to build and manage a mature SDL program. Exercises and an in-depth case study aid students in mastering the SDL model. Professionals skilled in secure software development and related tasks are in tremendous demand today. The industry continues to experience exponential demand that should continue to grow for the foreseeable future. This book can benefit professionals as much as students. As they integrate the book’s ideas into their software security practices, their value increases to their organizations, management teams, community, and industry. About the Authors Dr. James Ransome, PhD, CISSP, CISM is a veteran of numerous chief information security officer (CISO), chief security officer (CSO), and chief production security officer (CPSO) roles, as well as an author and co-author of numerous cybersecurity books. Anmol Misra is an accomplished leader, researcher, author, and security expert with over 16 years of experience in technology and cybersecurity. Mark S. Merkow, CISSP, CISM, CSSLP has over 25 years of experience in corporate information security and 17 years in the AppSec space helping to establish and lead application security initiatives to success and sustainment. This textbook explains developer-centric software security, a holistic process to engage security. As long as software is developed by humans, it requires the human element to fix it. It outlines a step-by-step process for software security that is focused on educating graduate and undergraduate students. Cover 1 Half Title 2 Title Page 4 Copyright Page 5 Dedications 6 Table of Contents 8 List of Figures 14 List of Tables 16 Preface 18 About the Book 19 Audience 20 Support 20 Structure 20 Assumptions 20 Acknowledgments 22 About the Authors 24 Chapter 1: Introduction 26 Chapter Overview 26 Chapter Take-Aways 26 1.1 The Importance and Relevance of Software Security 27 1.2 Software Security and the Software Development Life Cycle 30 1.3 Quality Versus Secure Code 32 1.4 The Three Most Important SDL Security Goals 33 1.5 Threat Modeling and Attack Surface Validation 34 1.6 Summary 36 Chapter Quick-Check 36 Exercises 37 References 37 Chapter 2: The Security Development Lifecycle 40 Chapter Overview 40 Chapter Take-Aways 40 2.1 Overcoming Challenges in Making Software Secure 41 2.2 Software Security Maturity Models 42 2.3 ISO/IEC 27034—Information Technology—Security Techniques—Application Security 43 2.4 Other Resources for SDL Best Practices 44 2.4.1 SAFECode 44 2.4.2 U.S. Department of Homeland Security Software Assurance Program 44 2.4.3 National Institute of Standards and Technology 45 2.4.4 Common Computer Vulnerabilities and Exposures 46 2.4.5 SANS Institute Top Cyber Security Risks 47 2.4.6 U.S. Department of Defense Cyber Security and Information Systems Information Analysis Center (CSIAC) 48 2.4.7 CERT, Bugtraq®, and SecurityFocus 48 2.5 Critical Tools and Talent 48 2.5.1 The Tools 49 2.5.2 The Talent 50 2.6 Principles of Least Privilege 54 2.7 Privacy 55 2.8 The Importance of Metrics 56 2.9 Mapping the Security Development Lifecycle to the Software Development Life Cycle 58 2.10 Software Development Methodologies 60 2.10.1 Waterfall Development 64 2.10.2 Agile Development 65 2.11 Summary 68 Chapter Quick-Check 68 Exercises 69 References 69 Chapter 3: Security Assessment (A1): SDL Activities and Best Practices 72 Chapter Overview 72 Chapter Take-Aways 72 3.1 Software Security Team Is Looped in Early 72 3.2 Software Security Hosts a Discovery Meeting 74 3.3 Software Security Team Creates an SDL Project Plan 76 3.4 Privacy Impact Assessment (PIA) Plan Initiated 76 3.5 Security Assessment (A1) Key Success Factors and Metrics 81 3.5.1 Key Success Factors 81 3.5.2 Deliverables 83 3.5.3 Metrics 84 3.6 Summary 84 Chapter Quick-Check 85 Exercises 85 References 86 Chapter 4: Architecture (A2): SDL Activities and Best Practices 88 Chapter Overview 88 Chapter Take-Aways 88 4.1 A2 Policy Compliance Analysis 90 4.2 SDL Policy Assessment and Scoping 90 4.3 Threat Modeling/Architecture Security Analysis 91 4.3.1 Threat Modeling 91 4.3.2 Data Flow Diagrams 94 4.3.3 Architectural Threat Analysis and Ranking of Threats 99 4.3.4 Risk Mitigation 114 4.4 Open-Source Selection 118 4.5 Privacy Information Gathering and Analysis 120 4.6 Key Success Factors and Metrics 120 4.6.1 Key Success Factors 120 4.6.2 Deliverables 121 4.6.3 Metrics 122 4.7 Summary 122 Chapter Quick-Check 123 Exercises 124 References 124 Chapter 5: Design and Development (A3): SDL Activities and Best Practices 128 Chapter Overview 128 Chapter Take-Aways 128 5.1 A3 Policy Compliance Analysis 130 5.2 Security Test Plan Composition 130 5.3 Threat Model Updating 137 5.4 Design Security Analysis and Review 138 5.5 Privacy Implementation Assessment 140 5.6 Key Success Factors and Metrics 142 5.6.1 Key Success Factors 142 5.6.2 Deliverables 143 5.6.3 Metrics 144 5.7 Summary 144 Chapter Quick-Check 145 Exercises 145 References 145 Chapter 6: Design and Development (A4): SDL Activities and Best Practices 148 Chapter Overview 148 Chapter Take-Aways 148 6.1 A4 Policy Compliance Analysis 150 6.2 Security Test Case Execution 150 6.3 Code Review in the SDLC/SDL Process 153 6.4 Security Analysis Tools 157 6.4.1 Static Analysis 160 6.4.2 Dynamic Analysis 163 6.4.3 Fuzz Testing 165 6.4.4 Manual Code Review 167 6.5 Key Success Factors 170 6.6 Deliverables 171 6.7 Metrics 172 6.8 Summary 172 Chapter Quick-Check 173 Exercises 173 References 174 Chapter 7: Ship (A5): SDL Activities and Best Practices 176 Chapter Overview 176 Chapter Take-Aways 176 7.1 A5 Policy Compliance Analysis 178 7.2 Vulnerability Scan 178 7.3 Code-Assisted Penetration Testing 181 7.4 Open-Source Licensing Review 183 7.5 Final Security Review 185 7.6 Final Privacy Review 188 7.7 Key Success Factors 189 7.8 Deliverables 190 7.9 Metrics 191 7.10 Summary 192 Chapter Quick-Check 192 Exercises 194 References 194 Chapter 8: Post-Release Support (PRSA1–5) 196 Chapter Overview 196 Chapter Take-Aways 196 8.1 Right-Sizing Your Software Security Group 198 8.1.1 The Right Organizational Location 198 8.1.2 The Right People 199 8.1.3 The Right Process 202 8.2 PRSA1: External Vulnerability Disclosure Response 202 8.2.1 Post-Release PSIRT Response 203 8.2.2 Post-Release Privacy Response 206 8.2.3 Optimizing Post-Release Third-Party Response 207 8.3 PRSA2: Third-Party Reviews 207 8.4 PRSA3: Post-Release Certifications 209 8.5 PRSA4: Internal Review for New Product Combinations or Cloud Deployments 209 8.6 PRSA5: Security Architectural Reviews and Tool-Based Assessments of Current, Legacy, and M&A Products and Solutions 210 8.6.1 Legacy Code 210 8.6.2 Mergers and Acquisitions (M&As) 212 8.7 Key Success Factors 213 8.8 Deliverables 215 8.9 Metrics 216 8.10 Summary 216 Chapter Quick-Check 216 Exercises 217 References 217 Chapter 9: Adapting Our Reference Framework to Your Environment 220 Chapter Overview 220 Chapter Take-Aways 220 9.1 Overview of the Top Four Environments in Which You Are Likely to Deploy Your SDL 221 9.1.1 Agile 221 9.1.2 DevOps 221 9.1.3 Cloud 222 9.1.4 Digital Enterprise 224 9.2 Key Success Factors, Deliverables, and Metrics for Each Phase of Our SDL Reference Framework 227 9.3 Software Security Maturity Models and the SDL 227 9.3.1 Maturity Models for Security and Resilience 227 9.3.2 Software Assurance Maturity Model—OpenSAMM 227 9.4 The Building Security In Maturity Model (BSIMM) 235 9.4.1 BSIMM Organization 235 9.4.2 BSIMM Software Security Framework 236 9.4.3 Deployment 238 9.4.4 BSIMM’s 12 Practice Areas 239 9.4.5 Measuring Results with BSIMM 239 9.4.6 The BSIMM Community 239 9.4.7 Conducting a BSIMM Assessment 239 9.4.8 Section Summary 241 9.5 Enhancing Your Threat Modeling Practice As Part of the SDL 241 9.5.1 Practical Threat and Application Risk Modeling 242 9.5.2 MITRE ATT&CK® and MITRE D3FEND® 245 9.6 Pulling It All Together 246 9.7 Overcoming Organizational and Business Challenges with a Properly Designed, Managed, and Focused SDL 247 9.8 Software Security Organizational Realities and Leverage 247 9.9 Future Predictions for Software Security 248 9.9.1 The Bad News 249 9.9.2 The Good News 250 9.10 Comprehensive SDL Review 250 9.11 Conclusion 250 References 255 Appendix A: Case Study for Chapters 3 Through 8 Exercises 258 Appendix B: Answers to Chapter Quick-Check Questions 260 Glossary 266 Index 270 Cybersecurity;,Hacking;,Human,factors;,Software,development;,Software,engineering;,Security,development,life,cycle Cybersecurity,Hacking,Human factors,Software development,Software engineering,Security development life cycle
دانلود کتاب Practical Core Software Security: A Reference Framework (Contemporary Issues in Social Science Research)