Copyright
Advance Praise for Software Security
Addison-Wesley Software Security Series
Foreword
Preface
    Who This Book Is For
    What This Book Is About
    The Series
    Contacting the Author
Acknowledgments
About the Author

Part I: Software Security Fundamentals
    Chapter 1. Defining a Discipline
        The Security Problem
        Security Problems in Software
        Solving the Problem: The Three Pillars of Software Security
        The Rise of Security Engineering
    Chapter 2. A Risk Management Framework
        Putting Risk Management into Practice
        How to Use This Chapter
        The Five Stages of Activity
        The RMF Is a Multilevel Loop
        Applying the RMF: KillerAppCo's iWare 1.0 Server
        The Importance of Measurement
        The Cigital Workbench
        Risk Management Is a Framework for Software Security

Part II: Seven Touchpoints for Software Security
    Chapter 3. Introduction to Software Security Touchpoints
        Flyover: Seven Terrific Touchpoints
        Black and White: Two Threads Inextricably Intertwined
        Moving Left
        Touchpoints as Best Practices
        Who Should Do Software Security?
        Software Security Is a Multidisciplinary Effort
        Touchpoints to Success
    Chapter 4. Code Review with a Tool
        Catching Implementation Bugs Early (with a Tool)
        Aim for Good, Not Perfect
        Ancient History
        Approaches to Static Analysis
        Tools from Researchland
        Commercial Tool Vendors
        Touchpoint Process: Code Review
        Use a Tool to Find Security Bugs
    Chapter 5. Architectural Risk Analysis
        Common Themes among Security Risk Analysis Approaches
        Traditional Risk Analysis Terminology
        Knowledge Requirement
        The Necessity of a Forest-Level View
        A Traditional Example of a Risk Calculation
        Limitations of Traditional Approaches
        Modern Risk Analysis
        Touchpoint Process: Architectural Risk Analysis
        Getting Started with Risk Analysis
        Architectural Risk Analysis Is a Necessity
    Chapter 6. Software Penetration Testing
        Penetration Testing Today
        Software Penetration Testing: A Better Approach
        Incorporating Findings Back into Development
        Using Penetration Tests to Assess the Application Landscape
        Proper Penetration Testing Is Good
    Chapter 7. Risk-Based Security Testing
        What's So Different about Security?
        Risk Management and Security Testing
        How to Approach Security Testing
        Thinking about (Malicious) Input
        Getting Over Input
        Leapfrogging the Penetration Test
    Chapter 8. Abuse Cases
        Security Is Not a Set of Features
        What You Can't Do
        Creating Useful Abuse Cases
        Touchpoint Process: Abuse Case Development
        An Abuse Case Example
        Abuse Cases Are Useful
    Chapter 9. Software Security Meets Security Operations
        Don't Stand So Close to Me
        Kumbaya (for Software Security)
        Come Together (Right Now)
        Future's So Bright, I Gotta Wear Shades

Part III: Software Security Grows Up
    Chapter 10. An Enterprise Software Security Program
        The Business Climate
        Building Blocks of Change
        Building an Improvement Program
        Establishing a Metrics Program
        Continuous Improvement
        What about COTS (and Existing Software Applications)?
        Adopting a Secure Development Lifecycle
    Chapter 11. Knowledge for Software Security
        Experience, Expertise, and Security
        Security Knowledge: A Unified View
        Security Knowledge and the Touchpoints
        The Department of Homeland Security Build Security In Portal
        Knowledge Management Is Ongoing
        Software Security Now
    Chapter 12. A Taxonomy of Coding Errors
        On Simplicity: Seven Plus or Minus Two
        The Phyla
        A Complete Example
        Lists, Piles, and Collections
        Go Forth (with the Taxonomy) and Prosper
    Chapter 13. Annotated Bibliography and References
        Annotated Bibliography: An Emerging Literature
        Software Security Puzzle Pieces

Part IV: Appendices
    Appendix A. Fortify Source Code Analysis Suite Tutorial
        Section 1. Introducing the Audit Workbench
        Section 2. Auditing Source Code Manually
        Section 3. Ensuring a Working Build Environment
        Section 4. Running the Source Code Analysis Engine
        Section 5. Exploring the Basic SCA Engine Command Line Arguments
        Section 6. Understanding Raw Analysis Results
        Section 7. Integrating with an Automated Build Process
        Section 8. Using the Audit Workbench
        Section 9. Auditing Open Source Applications
    Appendix B. ITS4 Rules
    Appendix C. An Exercise in Risk Analysis: Smurfware
        SmurfWare SmurfScanner Risk Assessment Case Study
        SmurfWare SmurfScanner Design for Security
    Appendix D. Glossary

Inside Front Cover
Inside Back Cover
Index