Merkow, M: Secure and Resilient Software
Author: Lakshmikanth Raghavan. Language: English. Hardback – 10 Nov 2011
- Pre-developed nonfunctional requirements that can be reused for any software development project
- Documented test cases that go along with the requirements and can be used to develop a Test Plan for the software
- Testing methods that can be applied to the test cases provided
- A CD with all security requirements and test cases as well as MS Word versions of the checklists, requirements, and test cases covered in the book
Some Praise for the Book:
This book pulls together the state of the art in thinking about this important issue in a holistic way with several examples. It takes you through the entire lifecycle from conception to implementation ... .
—Doug Cavit, Chief Security Strategist, Microsoft Corporation
...provides the reader with the tools necessary to jump-start and mature security within the software development lifecycle (SDLC).
—Jeff Weekes, Sr. Security Architect at Terra Verde Services
... full of useful insights and practical advice from two authors who have lived this process. What you get is a tactical application security roadmap that cuts through the noise and is immediately applicable to your projects.
—Jeff Williams, Aspect Security CEO and Volunteer Chair of the OWASP Foundation
Specifications
ISBN-13: 9781439866214
ISBN-10: 143986621X
Pages: 278
Illustrations: 10 black & white illustrations, 175 black & white tables
Dimensions: 242 x 158 x 21 mm
Weight: 0.58 kg
Publisher: Taylor & Francis
Target audience
Software developers, high-level programmers, software systems analysts, design teams, software testing coordinators, IT managers, and testing teams.
Contents
Introduction
Secure and Resilient
Bad Design Choices Led to the Vulnerable Internet We Know Today
HTTP Has Its Problems, Too
Design Errors Continue Haunting Us Today
Requirements & Design: The Keys to a Successful Software Project
How Design Flaws Play Out
DNS Vulnerability
The London Stock Exchange
Medical Equipment
Airbus A380
Solutions Are In Sight!
Notes
Nonfunctional Requirements (NFRs) in Context
System Quality Requirements Engineering (SQUARE)
Agree on Definitions
Identify Assets and Security/Quality Goals
Perform Risk Assessments
Elicit Security Requirements
Prioritize Requirements
Characteristics of Good Requirements
Summary
Notes
Resilience and Quality Considerations for Application Software and the Application Runtime Environment
Relationships among Nonfunctional Requirements
Considerations for Developing NFRs for your Applications and Runtime Environment
Checking Your Work
Summary
Notes
Security Requirements for Application Software
Security Control Types
Think Like an Attacker
Detailed Security Requirements
Identification Requirements
Authentication Requirements
Authorization Requirements
Security Auditing Requirements
Confidentiality Requirements
Integrity Requirements
Availability Requirements
Nonrepudiation Requirements
Immunity Requirements
Survivability Requirements
Systems Maintenance Security Requirements
Privacy Requirements
Summary
References
Security Services for the Application Operating Environment
The Open Group Architecture Framework (TOGAF)
Standardizing Tools for an Enterprise Architecture
Security Technical Reference Model (TRM)
Identification and Authentication
System Entry Control
Audit
Access Control
Nonrepudiation
Security Management
Trusted Recovery
Encryption
Trusted Communications
Summary
References
Software Design Considerations for Security and Resilience
Design Issues
Architecture and Design Considerations
Special Security Design Considerations for Payment Applications on Mobile Communications Devices
Designing for Integrity
Architecture and Design Review Checklist
Summary
References
Best Practices for Converting Requirements to Secure Software Designs
Secure Design Approach
Reusable Security APIs/Libraries
Security Frameworks
Establishing and Following Best Practices for Design
Security Requirements
Security Recommendations
What’s an Attack Surface?
What Is Managed Code?
Understanding Business Requirements for Security Design
Summary
References
Security Test Cases
Standardized Testing Policy
Security Test Cases
Test Cases for Identification Requirements
Test Cases for Authentication Requirements
Test Cases for Authorization Requirements
Test Cases for Security Auditing Requirements
Test Cases for Confidentiality Requirements
Test Cases for Integrity Requirements
Test Cases for Availability Requirements
Test Cases for Nonrepudiation Requirements
Test Cases for Immunity Requirements
Test Cases for Survivability Requirements
Test Cases for Systems Maintenance Security Requirements
Summary
Testing Methods and Best Practices
Secure Testing Approach
OWASP’s Application Security Verification Standard (ASVS)
Application Security Verification Levels
Level 1—Automated Verification
Level 2—Manual Verification
Level 3—Design Verification
Level 4—Internal Verification
Security Testing Methods
Manual Source Code Review
Automated Source Code Analysis
Automated Reviews Compared with Manual Reviews
Automated Source Code Analysis Tools—Deployment Strategy
IDE Integration for Developers
Build Integration for Governance
Automated Dynamic Analysis
Limitations of Automated Dynamic Analysis Tools
Automated Dynamic Analysis Tools—Deployment Strategy
Developer Testing
Centralized Quality Assurance Testing
Penetration (Pen) Testing
Gray Box Testing
Summary
References
Connecting the Moving Parts
OpenSAMM
Security Requirements
Security Requirements: Level 1
Security Requirements: Level 2
Security Requirements: Level 3
Security Testing
Security Testing: Level 1
Security Testing: Level 2
Security Testing: Level 3
Wrap-Up
References
Index
Reviews
Developing more secure and resilient software has to be an integral part of the design and the implementation of an application and not an afterthought. The key to better security and resiliency comes down to education, continuous improvement and accountability. This book pulls together the state of the art in thinking about this important issue in a holistic way with several examples. It takes you through the entire lifecycle from conception to implementation and highlights where methodologies like the Microsoft Security Development Lifecycle can play a significant role in improving the security and reliability of your software.
—Doug Cavit, Chief Security Strategist, Microsoft Corporation
Demonstrating thorough understanding of the problems facing development organizations today, Secure and Resilient Software provides the reader with the tools necessary to jump-start and mature security within the software development lifecycle (SDLC). The authors bridge the gap between theory and practical application by providing valuable processes, checklists, frameworks, and examples. The material presented fills a gap that was desperately needed and is a must read for anyone participating in requirements gathering, quality assurance, development, and/or application security testing processes.
—Jeff Weekes, Sr. Security Architect at Terra Verde Services
It’s hard to imagine a more difficult and less well understood challenge than developing secure and resilient software. This book is full of useful insights and practical advice from two authors who have lived this process. What you get is a tactical application security roadmap that cuts through the noise and is immediately applicable to your projects. What’s really unique is the way that the book links together different standards to illuminate security across the entire software development process. You’ll learn how security evolves from threats to security requirements, through security services like OWASP ESAPI, into security architecture, and then into security testing and analysis leveraging OWASP ASVS. Highly recommended for anyone who cares about the future of the world’s software.
—Jeff Williams, Aspect Security CEO and Volunteer Chair of the OWASP Foundation
Biographical note
Mark S. Merkow, CISSP, CISM, CSSLP works at PayPal Inc. (an eBay company) in Scottsdale, Arizona, as Manager of Information Security Policies, Standards, Training, and Awareness in the Information Risk Management area. Mark has more than 35 years of experience in information technology in a variety of roles, including applications development, systems analysis and design, security engineering, and security management. Mark holds a masters degree in decision and info systems from Arizona State University (ASU), a masters of education in distance learning from ASU, and an undergraduate degree in computer info systems from ASU. In addition to his day job, Mark engages in a number of other extracurricular activities, including consulting, course development, online course delivery, and writing columns and books on information technology and information security.
Mark has authored or coauthored ten books on IT and is a contributing editor on four others. Mark remains very active within the information security community, working in a variety of roles for the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Financial Services Technology Consortium (FSTC), and the Financial Services Sector Coordinating Council (FSSCC) on Homeland Security and Critical Infrastructure Protection.
He is the chairman of the Education Committee for the FS-ISAC and is a founding member of the Research and Development Committee of the FSSCC.
Lakshmikanth Raghavan, CISM, CRISC (Laksh) works at PayPal Inc. (an eBay company) as Staff Information Security Engineer in the Information Risk Management area, specializing in application security. Laksh has more than ten years of experience in the areas of information security and information risk management, and has provided consulting services to Fortune 500 companies and financial services companies around the world. Laksh holds a bachelor’s degree in electronics and telecommunication engineering from the University of Madras, India. He enjoys writing security-related articles and has spoken on the various dimensions of software security at industry forums and security conferences. This is Laksh’s second book.