ABE-IPSABE HOLDINGABE BOOKS
English Polski
On-line access

Bookstore

0.00 PLN
Bookshelf (0) 
Your bookshelf is empty
Core Software Security: Security at the Source

Core Software Security: Security at the Source

Authors
Publisher Taylor & Francis Ltd
Year 09/12/2013
Pages 414
Version hardback
Readership level General/trade
Language English
ISBN 9781466560956
Categories Software Engineering
$163.21 (with VAT)
725.55 PLN / €155.56 / £135.04
Qty:
Delivery to United States

check shipping prices
Product to order
Delivery 5-6 weeks
Add to bookshelf

Book description

"... an engaging book that will empower readers in both large and small software development and engineering organizations to build security into their products. ... Readers are armed with firm solutions for the fight against cyber threats."
-Dr. Dena Haritos Tsamitis. Carnegie Mellon University

"... a must read for security specialists, software developers and software engineers. ... should be part of every security professional's library."
-Dr. Larry Ponemon, Ponemon Institute

"... the definitive how-to guide for software security professionals. Dr. Ransome, Anmol Misra, and Brook Schoenfield deftly outline the procedures and policies needed to integrate real security into the software development process. ...A must-have for anyone on the front lines of the Cyber War ..."
-Cedric Leighton, Colonel, USAF (Ret.), Cedric Leighton Associates

"Dr. Ransome, Anmol Misra, and Brook Schoenfield give you a magic formula in this book - the methodology and process to build security into the entire software development life cycle so that the software is secured at the source! "
-Eric S. Yuan, Zoom Video Communications

There is much publicity regarding network security, but the real cyber Achilles' heel is insecure software. Millions of software vulnerabilities create a cyber house of cards, in which we conduct our digital lives. In response, security people build ever more elaborate cyber fortresses to protect this vulnerable software. Despite their efforts, cyber fortifications consistently fail to protect our digital treasures. Why? The security industry has failed to engage fully with the creative, innovative people who write software.

Core Software Security expounds developer-centric software security, a holistic process to engage creativity for security. As long as software is developed by humans, it requires the human element to fix it. Developer-centric security is not only feasible but also cost effective and operationally relevant. The methodology builds security into software development, which lies at the heart of our cyber infrastructure. Whatever development method is employed, software must be secured at the source.


Book Highlights:








Supplies a practitioner's view of the SDL
Considers Agile as a security enabler
Covers the privacy elements in an SDL
Outlines a holistic business-savvy SDL framework that includes people, process, and technology
Highlights the key success factors, deliverables, and metrics for each phase of the SDL
Examines cost efficiencies, optimized performance, and organizational structure of a developer-centric software security program and PSIRT
Includes a chapter by noted security architect Brook Schoenfield who shares his insights and experiences in applying the book's SDL framework


View the authors' website at http://www.androidinsecurity.com/ First and foremost, Ransome and Misra have made an engaging book that will empower readers in both large and small software development and engineering organizations to build security into their products. This book clarifies to executives the decisions to be made on software security and then provides guidance to managers and developers on process and procedure. Readers are armed with firm solutions for the fight against cyber threats.
-Dr. Dena Haritos Tsamitis, Director, Information Networking Institute and Director of Education, CyLab Carnegie Mellon University

Finally, the definitive how-to guide for software security professionals. Dr. Ransome, Anmol Misra, and Brook Schoenfield deftly outline the procedures and policies needed to integrate real security into the software development process and why security needs to be software and developer-centric if it is to be relevant. A must-have for anyone on the front lines of the Cyber War - especially software developers and those who work with them.
-Cedric Leighton, Colonel, USAF (Ret); Founder & President, Cedric Leighton Associates

In the wake of cloud computing and mobile apps, the issue of software security has never been more important than today. This book is a must read for security specialists, software developers and software engineers. The authors do a brilliant job providing common sense approaches to achieving a strong software security posture.
-Dr. Larry Ponemon, Chairman & Founder, Ponemon Institute

The root of software security lies within the source code developed by software developers. Therefore, security should be developer-centric, focused on the secure development of the source code. Dr. Ransome, Anmol Misra, and Brook Schoenfield give you a magic formula in this book - the methodology and process to build security into the entire software development life cycle so that the software is secured at the source!
-Eric S. Yuan, Founder and CEO, Zoom Video Communications, Inc

Misra and his co-author James Ransome, senior director of product security at McAfee, an Intel Company, reflected on years of lessons learned and experiences with Fortune 500 clients and devised a methodology that builds security into software development. The newly published book Core Software Security, Security at the Source takes an innovative approach that engages the creativity of the developer. ... The book covers embedding security as a part of existing software development methods, and how security can be a business enabler and a competitive differentiator. Throughout the book, the authors describe a modern, holistic framework for software security that includes people, process and technology. The book includes metrics, cost effectiveness, case studies, threat modeling and considerations for mobile software and privacy.
-Sherry Stokes, writing in Carnegie Mellon News, May 2014

Core Software Security: Security at the Source

Table of contents

Introduction

The Importance and Relevance of Software Security

Software Security and the Software Development Lifecycle

Quality Versus Secure Code

The Three Most Important SDL Security Goals

Threat Modeling and Attack Surface Validation

Chapter Summary-What to Expect from This Book

References



The Secure Development Lifecycle

Overcoming Challenges in Making Software Secure

Software Security Maturity Models

ISO/IEC 27034-Information Technology-Security Techniques-Application Security

Other Resources for SDL Best Practices

SAFECode

U.S. Department of Homeland Security

Software Assurance Program

National Institute of Standards and Technology

MITRE Corporation Common Computer Vulnerabilities and Exposures

SANS Institute Top Cyber Security Risks

U.S. Department of Defense Cyber Security and Information Systems Information Analysis Center (CSIAC)

CERT, Bugtraq, and SecurityFocus

Critical Tools and Talent

The Tools

The Talent

Principles of Least Privilege

Privacy

The Importance of Metrics

Mapping the Security Development Lifecycle to the Software Development Lifecycle

Software Development Methodologies

Waterfall Development

Agile Development

Chapter Summary

References



Security Assessment (A1): SDL Activities and Best Practices

Software Security Team Is Looped in Early

Software Security Hosts a Discovery Meeting

Software Security Team Creates an SDL Project Plan

Privacy Impact Assessment (PIA) Plan Initiated

Security Assessment (A1) Key Success Factors and Metrics

Key Success Factors

Deliverables

Metrics

Chapter Summary

References



Architecture (A2): SDL Activities and Best Practices

A2 Policy Compliance Analysis

SDL Policy Assessment and Scoping

Threat Modeling/Architecture Security Analysis

Threat Modeling

Data Flow Diagrams

Architectural Threat Analysis and Ranking of Threats

Risk Mitigation

Open-Source Selection

Privacy Information Gathering and Analysis

Key Success Factors and Metrics

Key Success Factors

Deliverables

Metrics

Chapter Summary

References



Design and Development (A3): SDL Activities and Best Practices

A3 Policy Compliance Analysis

Security Test Plan Composition

Threat Model Updating

Design Security Analysis and Review

Privacy Implementation Assessment

Key Success Factors and Metrics

Key Success Factors

Deliverables

Metrics

Chapter Summary

References



Design and Development (A4): SDL Activities and Best Practices

A4 Policy Compliance Analysis

Security Test Case Execution

Code Review in the SDLC/SDL Process

Security Analysis Tools

Static Analysis

Dynamic Analysis

Fuzz Testing

Manual Code Review

Key Success Factors

Deliverables

Metrics

Chapter Summary

References



Ship (A5): SDL Activities and Best Practices

A5 Policy Compliance Analysis

Vulnerability Scan

Penetration Testing

Open-Source Licensing Review

Final Security Review

Final Privacy Review

Key Success Factors

Deliverables

Metrics

Chapter Summary

References





Post-Release Support (PRSA1-5)

Right-Sizing Your Software Security Group

The Right Organizational Location

The Right People

The Right Process

PRSA1: External Vulnerability Disclosure Response

Post-Release PSIRT Response

Post-Release Privacy Response

Optimizing Post-Release Third-Party Response

PRSA2: Third-Party Reviews

PRSA3: Post-Release Certifications

PRSA4: Internal Review for New Product Combinations or Cloud Deployments

PRSA5: Security Architectural Reviews and Tool-Based Assessments of Current, Legacy, and M&A Products and Solutions

Legacy Code

Mergers and Acquisitions (M&As)

Key Success Factors

Deliverables

Metrics

Chapter Summary

References



Applying the SDL Framework to the Real World

Introduction

Build Software Securely

Produce Secure Code

Manual Code Review

Static Analysis

Determining the Right Activities for Each Project

The Seven Determining Questions

Architecture and Design

Testing

Functional Testing

Dynamic Testing

Attack and Penetration Testing

Independent Testing

Agile: Sprints

Key Success Factors and Metrics

Secure Coding Training Program

Secure Coding Frameworks (APIs)

Manual Code Review

Independent Code Review and Testing (by Experts or Third Parties)

Static Analysis

Risk Assessment Methodology

Integration of SDL with SDLC

Development of Architecture Talent

Metrics

Chapter Summary

References



Pulling It All Together: Using the SDL to Prevent Real-World Threats

Strategic, Tactical, and User-Specific Software Attacks

Strategic Attacks

Tactical Attacks

User-Specific Attacks

Overcoming Organizational and Business Challenges with a Properly Designed, Managed, and Focused SDL

Software Security Organizational Realities and Leverage

Overcoming SDL Audit and Regulatory Challenges with Proper Governance Management

Future Predications for Software Security

The Bad News

The Good News

Conclusion

References



Appendix

Index

We also recommend books

Strony www Białystok Warszawa
801 777 223