Summary

"This bookrs"s broad overview can help an organization choose a set of processes, policies, and techniques that are appropriate for its security maturity, risk tolerance, and development style. This book will help you understand how to incorporate practical security techniques into all phases of the development lifecycle." Steve Riley, senior security strategist, Microsoft Corporation "There are books written on some of the topics addressed in this book, and there are other books on secure systems engineering. Few address the entire life cycle with a comprehensive overview and discussion of emerging trends and topics as well as this one." Ronda Henning, senior scientist-software/security queen, Harris Corporation Software that is developed from the beginning with security in mind will resist, tolerate, and recover from attacks more effectively than would otherwise be possible. While there may be no silver bullet for security, there are practices that project managers will find beneficial. With this management guide, you can select from a number of sound practices likely to increase the security and dependability of your software, both during its development and subsequently in its operation. Software Security Engineeringdraws extensively on the systematic approach developed for theBuild Security In (BSI)Web site. Sponsored by the Department of Homeland Security Software Assurance Program, the BSI site offers a host of tools, guidelines, rules, principles, and other resources to help project managers address security issues in every phase of the software development life cycle (SDLC). The bookrs"s expert authors, themselves frequent contributors to the BSI site, represent two well-known resources in the security world: the CERT Program at the Software Engineering Institute (SEI) and Cigital, Inc., a consulting firm specializing in software security. This book will help you understand why Software security is about more than just eliminating vulnerabilities and conducting penetration tests Network security mechanisms and IT infrastructure security services do not sufficiently protect application software from security risks Software security initiatives should follow a risk-management approach to identify priorities and to define what is "good enough"understanding that software security risks will change throughout the SDLC Project managers and software engineers need to learn to think like an attacker in order to address the range of functions that software should not do, and how software can better resist, tolerate, and recover when under attack

Author Biography

Julia H. Allen, a senior researcher within the CERT Program at the SEI, is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley, 2001) Sean Barnum is a principal consultant at Cigital and technical lead for their federal services practice Robert J. Ellison, Ph.D., is a senior researcher within the CERT Program at the SEI Gary McGraw, Ph.D., is the CTO of Cigital and the author of seven best-selling books, including Software Security (Addison-Wesley, 2006) Nancy R. Mead, Ph.D., is a senior researcher within the CERT Program at the SEI, and is also a faculty member at Carnegie Mellon University

Foreword	p. xi
Preface	p. xiii
About the Authors	p. xxiii
Why Is Security a Software Issue?	p. 1
Introduction	p. 1
The Problem	p. 2
System Complexity: The Context within Which Software Lives	p. 5
Software Assurance and Software Security	p. 6
The Role of Processes and Practices in Software Security	p. 8
Threats to Software Security	p. 9
Sources of Software Insecurity	p. 11
The Benefits of Detecting Software Security Defects Early	p. 13
Making the Business Case for Software Security: Current State	p. 17
Managing Secure Software Development	p. 18
Which Security Strategy Questions Should I Ask?	p. 18
A Risk Management Framework for Software Security	p. 20
Software Security Practices in the Development Life Cycle	p. 20
Summary	p. 23
What Makes Software Secure?	p. 25
Introduction	p. 25
Defining Properties of Secure Software	p. 26
Core Properties of Secure Software	p. 26
Influential Properties of Secure Software	p. 28
How to Influence the Security Properties of Software	p. 36
The Defensive Perspective	p. 37
The Attacker's Perspective	p. 43
How to Assert and Specify Desired Security Properties	p. 61
Building a Security Assurance Case	p. 62
A Security Assurance Case Example	p. 63
Incorporating Assurance Cases into the SDLC	p. 67
Related Security Assurance and Compliance Efforts	p. 68
Maintaining and Benefitting from Assurance Cases	p. 69
Summary	p. 71
Requirements Engineering for Secure Software	p. 73
Introduction	p. 73
The Importance of Requirements Engineering	p. 74
Quality Requirements	p. 75
Security Requirements Engineering	p. 76
Misuse and Abuse Cases	p. 78
Security Is Not a Set of Features	p. 79
Thinking About What You Can't Do	p. 80
Creating Useful Misuse Cases	p. 81
An Abuse Case Example	p. 82
The SQUARE Process Model	p. 84
A Brief Description of SQUARE	p. 88
Tools	p. 90
Expected Results	p. 90
SQUARE Sample Outputs	p. 91
Output from SQUARE Steps	p. 92
SQUARE Final Results	p. 99
Requirements Elicitation	p. 99
Overview of Several Elicitation Methods	p. 100
Elicitation Evaluation Criteria	p. 103
Requirements Prioritization	p. 106
Identify Candidate Prioritization Methods	p. 106
Prioritization Technique Comparison	p. 110
Recommendations for Requirements Prioritization	p. 111
Summary	p. 112
Secure Software Architecture and Design	p. 115
Introduction	p. 115
The Critical Role of Architecture and Design	p. 115
Issues and Challenges	p. 117
Software Security Practices for Architecture and Design: Architectural Risk Analysis	p. 119
Software Characterization	p. 120
Threat Analysis	p. 123
Architectural Vulnerability Assessment	p. 126
Risk Likelihood Determination	p. 130
Risk Impact Determination	p. 132
Risk Mitigation Planning	p. 134
Recapping Architectural Risk Analysis	p. 136
Software Security Knowledge for Architecture and Design: Security Principles, Security Guidelines, and Attack Patterns	p. 137
Security Principles	p. 137
Security Guidelines	p. 143
Attack Patterns	p. 147
Summary	p. 148
Considerations for Secure Coding and Testing	p. 151
Introduction	p. 151
Code Analysis	p. 152
Common Software Code Vulnerabilities	p. 153
Source Code Review	p. 156
Coding Practices	p. 160
Sources of Additional Information on Secure Coding	p. 161
Software Security Testing	p. 163
Contrasting Software Testing and Software Security Testing	p. 165
Functional Testing	p. 167
Risk-Based Testing	p. 169
Security Testing Considerations Throughout the SDLC	p. 173
Unit Testing	p. 174
Testing Libraries and Executable Files	p. 175
Integration Testing	p. 176
System Testing	p. 176
Sources of Additional Information on Software Security Testing	p. 179
Summary	p. 180
Security and Complexity: System Assembly Challenges	p. 183
Introduction	p. 183
Security Failures	p. 186
Categories of Errors	p. 187
Attacker Behavior	p. 188
Functional and Attacker Perspectives for Security Analysis: Two Examples	p. 189
Web Services: Functional Perspective	p. 190
Web Services: Attacker's Perspective	p. 192
Identity Management: Functional Perspective	p. 196
Identity Management: Attacker's Perspective	p. 198
Identity Management and Software Development	p. 201
System Complexity Drivers and Security	p. 203
Wider Spectrum of Failures	p. 205
Incremental and Evolutionary Development	p. 212
Conflicting or Changing Goals Complexity	p. 213
Deep Technical Problem Complexity	p. 215
Summary	p. 217
Governance, and Managing for More Secure Software	p. 221
Introduction	p. 221
Governance and Security	p. 223
Definitions of Security Governance	p. 223
Characteristics of Effective Security Governance and Management	p. 224
Adopting an Enterprise Software Security Framework	p. 226
Common Pitfalls	p. 227
Framing the Solution	p. 230
Define a Roadmap	p. 235
How Much Security Is Enough?	p. 236
Defining Adequate Security	p. 236
A Risk Management Framework for Software Security	p. 238
Security and Project Management	p. 244
Project Scope	p. 245
Project Plan	p. 246
Resources	p. 250
Estimating the Nature and Duration of Required Resources	p. 251
Project and Product Risks	p. 253
Measuring Software Security	p. 254
Maturity of Practice	p. 259
Protecting Information	p. 259
Audit's Role	p. 260
Operational Resilience and Convergence	p. 261
A Legal View	p. 263
A Software Engineering View	p. 263
Exemplars	p. 265
Summary	p. 266
Getting Started	p. 267
Where to Begin	p. 269
In Closing	p. 281
Glossary	p. 283
References	p. 291
Build Security In Web Site References	p. 311
Index	p. 317
Table of Contents provided by Ingram. All Rights Reserved.

Supplemental Materials

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.

Excerpts

The Problem Addressed by This BookSoftware is ubiquitous. Many of the products, services, and processes that organizations use and offer are highly dependent on software to handle the sensitive and high-value data on which people's privacy, livelihoods, and very lives depend. For instance, national securityand by extension citizens' personal safetyrelies on increasingly complex, interconnected, software-intensive information systems that, in many cases, use the Internet or Internet-exposed private networks as their means for communication and transporting data.This ubiquitous dependence on information technology makes software security a key element of business continuity, disaster recovery, incident response, and national security. Software vulnerabilities can jeopardize intellectual property, consumer trust, business operations and services, and a broad spectrum of critical applications and infrastructures, including everything from process control systems to commercial application products.The integrity of critical digital assets (systems, networks, applications, and information) depends on the reliability and security of the software that enables and controls those assets. However, business leaders and informed consumers have growing concerns about the scarcity of practitioners with requisite competencies to address software security Carey 2006. Specifically, they have doubts about suppliers' capabilities to build and deliver secure software that they can use with confidence and without fear of compromise. Application software is the primary gateway to sensitive information. According to a Deloitte survey of 169 major global financial institutions, titled2007 Global Security Survey: The Shifting Security ParadigmDeloitte 2007, current application software countermeasures are no longer adequate. In the survey, Gartner identifies application security as the number one issue for chief information officers (CIOs).The absence of security discipline in today's software development practices often produces software with exploitable weaknesses. Security-enhanced processes and practicesand the skilled people to manage them and perform themare required to build software that can be trusted to operate more securely than software being used today.That said, there is an economic counter-argument, or at least the perception of one: Some business leaders and project managers believe that developing secure software slows the software development process and adds to the cost while not offering any apparent advantage. In many cases, when the decision reduces to "ship now" or "be secure and ship later," "ship now" is almost always the choice made by those who control the money but have no idea of the risks. The opposite side of this argument, including how software security can potentially reduce cost and schedule, is discussed in Chapter 1 (Section 1.6, "The Benefits of Detecting Software Security Defects Early") and Chapter 7 (Section 7.5.3, in the "Knowledge and Expertise" subsection discussing Microsoft's experience with its Security Development Lifecycle) in this book. Software's Vulnerability to AttackThe number of threats specifically targeting software is increasing, and the majority of network- and system-level attacks now exploit vulnerabilities in application-level software. According to CERT analysts at Carnegie Mellon University, 1 most successful attacks result from targeting and exploiting known, unpatched software vulnerabilities and insecure software configurations, a significant number of which are introduced during software design and development.These conditions contribute to the increased risks associated with software-enabled ca