Software Security: Building Security In

Software Security: Building Security In
By Gary McGraw
Publisher: Addison Wesley Professional
Pub Date: January 23, 2006
Print ISBN-10: 0-321-35670-5
Print ISBN-13: 978-0-321-35670-3
Pages: 448


"When it comes to software security, the devil is in the details. This book tackles the details." --Bruce Schneier, CTO and founder, Counterpane, and author of Beyond Fear and Secrets and Lies

"McGraw's book shows you how to make the 'culture of security' part of your development lifecycle." --Howard A. Schmidt, Former White House Cyber Security Advisor

"McGraw is leading the charge in software security. His advice is as straightforward as it is actionable. If your business relies on software (and whose doesn't), buy this book and post it up on the lunchroom wall." --Avi Rubin, Director of the NSF ACCURATE Center; Professor, Johns Hopkins University; and coauthor of Firewalls and Internet Security

Beginning where the best-selling book Building Secure Software left off, Software Security teaches you how to put software security into practice. The software security best practices, or touchpoints, described in this book have their basis in good software engineering and involve explicitly pondering security throughout the software development lifecycle. This means knowing and understanding common risks (including implementation bugs and architectural flaws), designing for security, and subjecting all software artifacts to thorough, objective risk analyses and testing.

Software Security is about putting the touchpoints to work for you. Because you can apply these touchpoints to the software artifacts you already produce as you develop software, you can adopt this book's methods without radically changing the way you work. Inside you'll find detailed explanations of

  • Risk management frameworks and processes

  • Code review using static analysis tools

  • Architectural risk analysis

  • Penetration testing

  • Security testing

  • Abuse case development

In addition to the touchpoints, Software Security covers knowledge management, training and awareness, and enterprise-level software security programs.

Now that the world agrees that software security is central to computer security, it is time to put philosophy into practice. Create your own secure development lifecycle by enhancing your existing software development lifecycle with the touchpoints described in this book. Let this expert author show you how to build more secure software by building security in.


   Advance Praise for Software Security
   Addison-Wesley Software Security Series
      Who This Book Is For
      What This Book Is About
      The Series
      Contacting the Author
   About the Author
    Part I:  Software Security Fundamentals
      Chapter 1.  Defining a Discipline
      The Security Problem
      Security Problems in Software
      Solving the Problem: The Three Pillars of Software Security
      The Rise of Security Engineering
      Chapter 2.  A Risk Management Framework
      Putting Risk Management into Practice
      How to Use This Chapter
      The Five Stages of Activity
      The RMF Is a Multilevel Loop
      Applying the RMF: KillerAppCo's iWare 1.0 Server
      The Importance of Measurement
      The Cigital Workbench
      Risk Management Is a Framework for Software Security
    Part II:  Seven Touchpoints for Software Security
      Chapter 3.  Introduction to Software Security Touchpoints
      Flyover: Seven Terrific Touchpoints
      Black and White: Two Threads Inextricably Intertwined
      Moving Left
      Touchpoints as Best Practices
      Who Should Do Software Security?
      Software Security Is a Multidisciplinary Effort
      Touchpoints to Success
      Chapter 4.  Code Review with a Tool
      Catching Implementation Bugs Early (with a Tool)
      Aim for Good, Not Perfect
      Ancient History
      Approaches to Static Analysis
      Tools from Researchland
      Commercial Tool Vendors
      Touchpoint Process: Code Review
      Use a Tool to Find Security Bugs
      Chapter 5.  Architectural Risk Analysis
      Common Themes among Security Risk Analysis Approaches
      Traditional Risk Analysis Terminology
      Knowledge Requirement
      The Necessity of a Forest-Level View
      A Traditional Example of a Risk Calculation
      Limitations of Traditional Approaches
      Modern Risk Analysis
      Touchpoint Process: Architectural Risk Analysis
      Getting Started with Risk Analysis
      Architectural Risk Analysis Is a Necessity
      Chapter 6.  Software Penetration Testing
      Penetration Testing Today
      Software Penetration Testing: A Better Approach
      Incorporating Findings Back into Development
      Using Penetration Tests to Assess the Application Landscape
      Proper Penetration Testing Is Good
      Chapter 7.  Risk-Based Security Testing
      What's So Different about Security?
      Risk Management and Security Testing
      How to Approach Security Testing
      Thinking about (Malicious) Input
      Getting Over Input
      Leapfrogging the Penetration Test
      Chapter 8.  Abuse Cases
      Security Is Not a Set of Features
      What You Can't Do
      Creating Useful Abuse Cases
      Touchpoint Process: Abuse Case Development
      An Abuse Case Example
      Abuse Cases Are Useful
      Chapter 9.  Software Security Meets Security Operations
      Don't Stand So Close to Me
      Kumbaya (for Software Security)
      Come Together (Right Now)
      Future's So Bright, I Gotta Wear Shades
    Part III:  Software Security Grows Up
      Chapter 10.  An Enterprise Software Security Program
      The Business Climate
      Building Blocks of Change
      Building an Improvement Program
      Establishing a Metrics Program
      Continuous Improvement
      What about COTS (and Existing Software Applications)?
      Adopting a Secure Development Lifecycle
      Chapter 11.  Knowledge for Software Security
      Experience, Expertise, and Security
      Security Knowledge: A Unified View
      Security Knowledge and the Touchpoints
      The Department of Homeland Security Build Security In Portal
      Knowledge Management Is Ongoing
      Software Security Now
      Chapter 12.  A Taxonomy of Coding Errors
      On Simplicity: Seven Plus or Minus Two
      The Phyla
      A Complete Example
      Lists, Piles, and Collections
      Go Forth (with the Taxonomy) and Prosper
      Chapter 13.  Annotated Bibliography and References
      Annotated Bibliography: An Emerging Literature
      Software Security Puzzle Pieces
    Part IV:  Appendices
      Appendix A.  Fortify Source Code Analysis Suite Tutorial
      Section 1.  Introducing the Audit Workbench
      Section 2.  Auditing Source Code Manually
      Section 3.  Ensuring a Working Build Environment
      Section 4.  Running the Source Code Analysis Engine
      Section 5.  Exploring the Basic SCA Engine Command Line Arguments
      Section 6.  Understanding Raw Analysis Results
      Section 7.  Integrating with an Automated Build Process
      Section 8.  Using the Audit Workbench
      Section 9.  Auditing Open Source Applications
      Appendix B.  ITS4 Rules
      Appendix C.  An Exercise in Risk Analysis: Smurfware
      SmurfWare SmurfScanner Risk Assessment Case Study
      SmurfWare SmurfScanner Design for Security
      Appendix D.  Glossary