Software Security: Concepts & Practices

Software Security: Concepts & Practices is designed as a textbook and explores fundamental security theories that govern common software security technical issues. It focuses on the practical programming materials that will teach readers how to implement security solutions using the most popular software packages. It’s not limited to any specific cybersecurity subtopics and the chapters touch upon a wide range of cybersecurity domains, ranging from malware to biometrics and more. Features The book presents the implementation of a unique socio-technical solution for real-time cybersecurity awareness. It provides comprehensible knowledge about security, risk, protection, estimation, knowledge and governance. Various emerging standards, models, metrics, continuous updates and tools are described to understand security principals and mitigation mechanism for higher security. The book also explores common vulnerabilities plaguing today's web applications. The book is aimed primarily at advanced undergraduates and graduates studying computer science, artificial intelligence and information technology. Researchers and professionals will also find this book useful. Cover Half Title Title Page Copyright Page Dedication Table of Contents Preface Key Features Organization of the Book Acknowledgments Authors Chapter 1: Software and Security Concepts 1.1 Objectives 1.2 Security: An Overview 1.3 Security: Software Perspective 1.3.1 Security Components 1.3.2 Security Characteristics 1.3.2.1 Ability to Trust 1.3.2.2 Defects Ramifications for Security 1.3.2.3 Pervasive Approach 1.3.2.4 Failure-Free Operations 1.3.2.5 Attack Resilience 1.3.2.6 Conformance: Acting According to Specific Accepted Standards 1.3.2.7 Robustness of Operational Defense 1.3.2.8 Trustworthiness 1.3.2.9 Damage Control 1.3.2.10 Defect Removal 1.3.3 Security Types 1.3.4 Security Myths 1.3.4.1 Security Myth: 1 1.3.4.1.1 No Need to Worry About Security; I Have Exerted Enough Recitation to Control It 1.3.4.2 Security Myth: 2 1.3.4.2.1 Good News! I Have Installed Anti-Virus Software, and I Am Now Free from Viruses 1.3.4.3 Security Myth: 3 1.3.4.3.1 Installing a Software Patch Will Fix All Security Holes 1.3.4.4 Security Myth: 4 1.3.4.4.1 Software Security Is Always a Cryptographic Problem 1.3.4.5 Security Myth: 5 1.3.4.5.1 Software Security Is a Tool to Find out Bugs in Lines of Codes 1.3.4.6 Security Myth: 6 1.3.4.6.1 Secure Only High-Risk Software Applications 1.3.4.7 Security Myth: 7 1.3.4.7.1 We Don’t Have a Software Security Problem 1.3.5 Security Planning 1.4 Software Security Assurance 1.5 Software Security Models 1.6 Software Security Measurement and Metrics 1.7 Conclusion Key Terms Points to Remember Objective-Type Questions Short-Answer Type Questions Descriptive Questions References Useful Links Chapter 2: Software Security Problems 2.1 Objectives 2.2 Major Causes to Software Security 2.2.1 Connectivity 2.2.2 Extensibility 2.2.2.1 Classification of Extensibility Mechanisms 2.2.2.2 White-Box Extensibility 2.2.2.2.1 Open-Box Extensibility 2.2.2.2.2 Glass-Box Extensibility 2.2.2.3 Gray-Boy Extensibility 2.2.2.4 Black-Box Extensibility 2.2.3 Complexity 2.3 Sustainable Factors for Software Security 2.3.1 Risk Management 2.3.2 Point of Interaction 2.3.3 Acquaintance 2.4 Evolution of Risk Management Framework 2.5 Protracted Cigital’s Risk Management Framework 2.5.1 Stage 1: Understanding 2.5.2 Stage 2: Identification 2.5.3 Stage 3: Synthesize 2.5.4 Stage 4: Mitigation 2.5.5 Stage 5: Validation 2.5.6 Stage 6: Review & Revision 2.6 Security Engineering: An Inclusive Approach 2.6.1 Software Security First: Societal Perspective 2.7 Conclusion Key Terms Points to Ponder Objective-Type Questions Short-Answer Type Questions Descriptive Questions References Useful Links Chapter 3: Threats to Security 3.1 Objectives 3.2 Threats 3.2.1 Physical Threat 3.2.2 Non-Physical Threat 3.2.3 Common Threat 3.3 Security Threats 3.3.1 Security Threats Based on Common Security Vulnerability 3.3.2 Security Threats Based on Security Risk 3.3.3 Software Security Risk 3.3.3.1 The CWE Top 25 3.4 Security Threats Classification 3.4.1 Errors 3.4.2 Fraud and Theft 3.4.3 Threat to Privacy 3.5 Threat Impact Analysis 3.6 Protection and Mitigation Strategies 3.6.1 Software Update and Upgrade Daily 3.6.2 Privacy and Privileges Security of Accounts 3.6.3 Security Training in Employees 3.6.4 Hunt for Network Loopholes Frequently 3.6.5 Implementation of Multifactor Authentication 3.7 Conclusion Key Terms Points to Remember Objective-Type Questions Short-Answer Type Questions Descriptive Questions References Useful Links Threat to Security Organizational Threat Threat Impact Secure Development Threat Mitigation Chapter 4: Software Security Metrics 4.1 Objectives 4.2 Software Security Metrics 4.3 Defining Good Security Metrics 4.4 Security Metrics Collection 4.5 Security Metrics Development Process 4.6 Security Metrics Development Framework 4.6.1 Premises 4.6.2 Generic Guidelines 4.6.3 Conceptualization 4.6.4 Planning 4.6.5 Development 4.6.6 Theoretical Validation 4.6.7 Empirical Validation 4.6.8 Packaging 4.7 Conclusion Key Terms Point to Ponder Objective-Type Questions Short-Answer Type Questions Descriptive Questions References Useful Links Chapter 5: Software Security Estimation 5.1 Objectives 5.2 Security Estimation 5.2.1 Software Security Estimation 5.2.2 Security Risk Estimation 5.2.2.1 Significance of Risk Estimation 5.2.2.2 Software Security Risk Estimation 5.2.3 Vulnerability Assessment 5.2.4 Vulnerability Assessment Framework 5.2.4.1 Risk Assessment 5.2.4.2 Risk Minimization or Management 5.2.4.3 Monitoring and Adaptive Management 5.2.4.4 Some Other Security Estimating Procedures 5.3 Security Profiling 5.3.1 Environmental Profiling 5.3.2 Strategic Profiling 5.3.3 Technical Profiling 5.3.4 Operational Profiling 5.4 Operation Ability 5.5 Security Measurement Process 5.5.1 Measures, Metrics, and Indicators 5.5.2 Technical Metrics 5.6 Conclusion Key Terms Point to Remember Review Questions Objective-Type Questions Short-Answer Type Questions Descriptive Questions References Useful Links Secure Development Threat Mitigation Software Engineering Security Engineering Risk Management Software Security Problem Chapter 6: Secure Software Architecture 6.1 Objectives 6.2 Software Architecture 6.2.1 Essential Qualities for Architecture Evaluation 6.3 Security Architecture and Models 6.3.1 Security Models 6.4 Security Architecture Process 6.5 Components of Security Architecture Process 6.6 Software Security Best Practices 6.7 Conclusion Key Terms Points to Remember Review Questions Objective-Type Questions Short-Answer Type Questions Descriptive Questions References Useful Links Chapter 7: Software Security Assurance 7.1 Objectives 7.2 Software Security Assurance 7.2.1 Goals 7.2.2 Responsibilities 7.3 Establishing Software Security Assurance Program 7.3.1 Recognition 7.3.2 Review 7.3.3 Categorization 7.3.4 Estimation 7.3.5 Training and Adaptation 7.4 Information Security Assurance Framework 7.4.1 Risk Management 7.4.2 Resource Management 7.4.3 Incident Management 7.4.3.1 Threat and Vulnerability Responses 7.4.3.2 Collection of Digital Evidence 7.4.4 Training and Awareness Program 7.4.5 Technology Integration 7.4.6 Performance Management 7.5 Cybersecurity Assurance Framework 7.6 Conclusion Key Terms Points to Remember Objective-Type Questions Short-Answer Type Questions Descriptive Questions References Useful Links Chapter 8: Secure Software Development Process 8.1 Objectives 8.2 Secure Development 8.3 Microsoft Secure Development Life Cycle 8.4 OWASP Software Assurance Maturity Model 8.5 An Integrated Secure Development Framework 8.5.1 Securing Requirement Phase 8.5.2 Securing Design Phase 8.5.3 Securing Coding Phase 8.5.4 Securing Testing Phase 8.5.5 Securing Deployment Phase 8.5.6 Secure Maintenance 8.6 Conclusion Key Terms Points to Ponder Objective-Type Questions Short-Answer Type Questions Descriptive Questions References Useful Links Chapter 9: Software Security Testing 9.1 Objectives 9.2 Software Testing 9.3 Security Testing 9.4 Software Security Testing Process 9.5 An Integrated Approach 9.5.1 Security Test Strategy and Test Plan 9.5.2 Designing Security Test Cases 9.5.3 Executing Security Test Cases 9.5.4 Capturing Security Test Result 9.5.5 Capturing Security Test Metrics 9.5.6 Qualitative Assessment 9.5.7 Security Test Closure Reports 9.6 Software Security Testing Tools 9.7 Conclusion Key Terms Point to Remember Objective-Type Questions Short-Answer Type Questions Descriptive Questions References Useful Links Chapter 10: Implementing Security Testing: A Case Study 10.1 Objectives 10.2 Planning for Security Testing 10.3 Security Test Case Optimization Framework 10.3.1 Security Test Plan Specification 10.3.2 Identification of Security Attributes 10.3.3 Evaluation of Security Attributes 10.3.4 Test Case Execution & Capturing the Results 10.3.5 Optimization 10.3.6 Validation 10.3.7 Review and Revision 10.4 Test Case Evaluation 10.4.1 Case Study: Mobile Payment Wallet 10.4.2 Test Case Sampling and its Execution 10.4.2.1 Module-1: Sign In 10.4.2.2 Assumptions for ACO based Algorithm 10.5 Optimization of Security Test Cases 10.5.1 ACO based Algorithm for Optimized Security Test Case 10.5.2 Obtaining the Results through Different Techniques 10.6 Contextual Interpretation 10.7 Automated Security Testing 10.7.1 List of Automation Testing Tools 10.8 Impact and Importance 10.9 Conclusion Key Terms Point to Remember Objective-Type Questions Short-Answer Type Questions Descriptive Questions References Useful Links Chapter 11: Implementing Security: A Case Study 11.1 Objectives 11.2 The Concept 11.3 Implementations Perspective 11.4 An Integrated Approach 11.4.1 Case Study on Vulnerability Perspective 11.4.2 The Process 11.4.3 Framework Implementation 11.4.3.1 Metric-1: Attribute Vulnerability Ratio (AVR) 11.4.3.2 Algorithm Development for Computation of VPF Metric 11.4.3.3 Analysis of AVR 11.4.3.4 Metric-2: Coupling Induced Vulnerability Propagation Factor (CIVPF) 11.4.3.5 Algorithm Development for Computing CIVPF Metric 11.4.3.6 Working of an Algorithm to Compute CIVPF 11.4.3.7 Analysis of CIVPF 11.4.3.8 Metric-3: Vulnerability Confinement Capacity (VCC) of a Class 11.4.3.9 Metric-4: Vulnerability Confinement Capacity of an Object-Oriented Design 11.4.3.10 Analysis of VCC 11.4.3.11 Metric-5: Vulnerable Association of a Method 11.4.3.12 Metric-6: Vulnerable Association of a Class 11.4.3.13 Developing Algorithm for Computing VA Metric 11.4.3.14 Analysis of VA 11.4.3.15 Metric-7: Vulnerable Association of Design 11.4.4 Validation of the Framework 11.4.4.1 Computation of AVR for the Design 11.4.4.2 Computation of CIVPF for the Design 11.4.4.3 Computation of VCC for the Design 11.4.4.4 Computation of VA for the Design 11.4.5 Case Study on CIA Perspective 11.4.5.1 The Framework 11.4.5.2 Premises 11.4.5.3 Generic Guidelines 11.4.5.4 Framework Development 11.4.5.5 Framework Implementation 11.4.5.6 Establishing Correlation between Complexity Factors and Design Constructs 11.4.5.7 Establishing Correlation between Complexity Factors and Security Attributes 11.4.5.8 Model Development 11.4.5.9 Development of Confidentiality Quantification Model for Object Oriented Design (CQM OOD) 11.4.5.10 Development of Integrity Quantification Model for Object Oriented Design (IQM OOD) 11.4.5.11 Development of Availability Quantification Model for Object Oriented Design (AQM OODC) 11.4.5.12 Development of Security Quantification Model for Object Oriented Design (SQM OOD) 11.4.5.13 Validating SQM OOD 11.5 Analyzability: A Case Study 11.5.1 Assessment of Object-Oriented Design 11.5.2 Assessment of Quality Attributes 11.5.3 Mapping Maintainability Properties with Object-Oriented Design Properties 11.5.4 Calculation of Metrics Suit on Class Diagram 11.5.5 An Experimental Validation 11.5.6 Statistical Analysis 11.5.7 Contextual Interpretation 11.6 Assessment Reflection 11.7 Experiences 11.8 Societal Impacts 11.9 Conclusions Key Terms Points to Remember Objective-Type Questions Short-Answer Type Questions Descriptive Questions References Useful Links Chapter 12: Knowledge, Management, and Governance for Higher Security 12.1 Objectives 12.2 Secure Knowledge Management (SKM) 12.2.1 Security Concerns for Knowledge Management System 12.2.2 Importance of Security Knowledge and Expertise 12.3 Security Governance 12.3.1 Effective Security Governance and Management 12.3.2 Effective versus Ineffective Security Governance 12.3.3 Enterprise Software Security Framework 12.4 Secure Project Management 12.4.1 Scope of the Project 12.4.2 Reflection of Project Plan 12.4.3 Tools, Knowledge, and Expertise 12.4.4 To Estimate the Nature and Duration of Required Resources 12.4.5 Project and Product Risks 12.5 Measuring Software Security 12.5.1 Process Measures for Secure Development 12.5.2 Product Measures for Secure Development 12.6 Maturity of Practice 12.7 Protecting Information 12.7.1 Audit’s Role 12.7.2 Operational Resilience and Convergence 12.7.3 A Legal View 12.7.4 A Software Engineering View 12.8 E-governance Framework in India: e-Kranti: National e-Governance Plan (NeGP) 2.0 12.8.1 Vision, Mission, and Objectives 12.8.2 The Objectives of e-Kranti 12.8.3 Principles of e-Kranti 12.9 Digital India Initiatives 12.10 Conclusion Key Terms Points to Remember Objective-Type Questions Short-Answer Type Questions Descriptive Questions References Useful Links Chapter 13: Research Trends in Software Security Estimation 13.1 Objectives 13.2 A Multidimensional Approach 13.3 Research Trends in Security Estimation 13.4 List of Security Research Problem 13.4.1 Trend No. 1: Cyber-Security Mesh 13.4.2 Trend No. 2: Cyber-Savvy Boards 13.4.3 Trend No. 3: Vendor Consolidation 13.4.4 Trend No. 4: Identity-First Security 13.4.5 Trend No. 5: Managing Machine Identities Becoming a Critical Security Capability 13.4.6 Trend No. 6: ‘Remote Work’ Is Now Just ‘Work’ 13.4.7 Trend No. 7: Breach and Attack Simulation 13.4.8 Trend No. 8: Privacy-Enhancing Computation Techniques 13.5 Future Prospects in Security Estimation 13.6 Conclusion Key Terms Point to Remember Objective-Type Questions Short-Answer Type Questions Descriptive Questions References Useful Links Index Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.