Muutke küpsiste eelistusi

E-raamat: Core Software Security: Security at the Source

3.33/5 (12 hinnangut Goodreads-ist)
(Senior Director, Product Security, McAfee - An Intel Company, Santa Clara California, USA), (Cisco Systems, Inc., San Jose, California, USA)
  • Formaat: 414 pages
  • Ilmumisaeg: 03-Oct-2018
  • Kirjastus: Auerbach
  • ISBN-13: 9781466560963
Teised raamatud teemal:
  • Formaat - PDF+DRM
  • Hind: 58,49 €*
  • * hind on lõplik, st. muud allahindlused enam ei rakendu
  • Lisa ostukorvi
  • Lisa soovinimekirja
  • See e-raamat on mõeldud ainult isiklikuks kasutamiseks. E-raamatuid ei saa tagastada.
Core Software Security: Security at the SourceSuurem pilt
  • Formaat: 414 pages
  • Ilmumisaeg: 03-Oct-2018
  • Kirjastus: Auerbach
  • ISBN-13: 9781466560963
Teised raamatud teemal:

DRM piirangud

  • Kopeerimine (copy/paste):

    ei ole lubatud

  • Printimine:

    ei ole lubatud

  • Kasutamine:

    Digitaalõiguste kaitse (DRM)
    Kirjastus on väljastanud selle e-raamatu krüpteeritud kujul, mis tähendab, et selle lugemiseks peate installeerima spetsiaalse tarkvara. Samuti peate looma endale  Adobe ID Rohkem infot siin. E-raamatut saab lugeda 1 kasutaja ning alla laadida kuni 6'de seadmesse (kõik autoriseeritud sama Adobe ID-ga).

    Vajalik tarkvara
    Mobiilsetes seadmetes (telefon või tahvelarvuti) lugemiseks peate installeerima selle tasuta rakenduse: PocketBook Reader (iOS / Android)

    PC või Mac seadmes lugemiseks peate installima Adobe Digital Editionsi (Seeon tasuta rakendus spetsiaalselt e-raamatute lugemiseks. Seda ei tohi segamini ajada Adober Reader'iga, mis tõenäoliselt on juba teie arvutisse installeeritud )

    Seda e-raamatut ei saa lugeda Amazon Kindle's. 

"This book outlines a step-by-step process for software security that is relevant to today's technical, operational, business, and development environments. The authors focus on what humans can do to control and manage a secure software development process in the form of best practices and metrics. Although security issues will always exist, this book will teach you how to maximize an organizations ability to minimize vulnerabilities in your software products before they are released or deployed by building security into the development process. This book is targeted towards anyone who is interested in learning about software security in an enterprise environment to include product security and quality executives, software security architects, security consultants, software development engineers, enterprise SDLC program managers, chief information security officers, chief technology officers, and chief privacy officers whose companies develop software. If you want to learn about how software security should be implemented in developing enterprise software, this is a book you don't want to skip"--

An important book in the universe of security holes and constantly developing intrusion techniques, this highly usable text by software security professionals presents a paradigm the Secure Development Lifecycle (SDL), that frames the discussion of the specific methods used "at the source" to build security into applications as they are being developed, in an attempt to minimize embarrassing patches and fixes after the product has been rolled out. Organized as a collection of specific activities and best practices, the text covers the entire life-cycle of software development: assessment, architecture, several stages of design and development, shipping and post-release support with specific security development tips and techniques described throughout. The last two chapters describe, in turn, real-world applications including APIs, static analysis and risk assessment methodologies, and a synthesis of information presented in the text together with the discussion of legal issues and an overlook of barely emergent problems that have the potential to affect this methodology and security issues in general in the future. Annotation ©2014 Ringgold, Inc., Portland, OR (protoview.com)

"... an engaging book that will empower readers in both large and small software development and engineering organizations to build security into their products. ... Readers are armed with firm solutions for the fight against cyber threats."
—Dr. Dena Haritos Tsamitis. Carnegie Mellon University

"... a must read for security specialists, software developers and software engineers. ... should be part of every security professional’s library."
—Dr. Larry Ponemon, Ponemon Institute

"... the definitive how-to guide for software security professionals. Dr. Ransome, Anmol Misra, and Brook Schoenfield deftly outline the procedures and policies needed to integrate real security into the software development process. ...A must-have for anyone on the front lines of the Cyber War ..."
—Cedric Leighton, Colonel, USAF (Ret.), Cedric Leighton Associates

"Dr. Ransome, Anmol Misra, and Brook Schoenfield give you a magic formula in this book - the methodology and process to build security into the entire software development life cycle so that the software is secured at the source! "
—Eric S. Yuan, Zoom Video Communications

There is much publicity regarding network security, but the real cyber Achilles’ heel is insecure software. Millions of software vulnerabilities create a cyber house of cards, in which we conduct our digital lives. In response, security people build ever more elaborate cyber fortresses to protect this vulnerable software. Despite their efforts, cyber fortifications consistently fail to protect our digital treasures. Why? The security industry has failed to engage fully with the creative, innovative people who write software.

Core Software Security expounds developer-centric software security, a holistic process to engage creativity for security. As long as software is developed by humans, it requires the human element to fix it. Developer-centric security is not only feasible but also cost effective and operationally relevant. The methodology builds security into software development, which lies at the heart of our cyber infrastructure. Whatever development method is employed, software must be secured at the source.

Book Highlights:

  • Supplies a practitioner's view of the SDL
  • Considers Agile as a security enabler
  • Covers the privacy elements in an SDL
  • Outlines a holistic business-savvy SDL framework that includes people, process, and technology
  • Highlights the key success factors, deliverables, and metrics for each phase of the SDL
  • Examines cost efficiencies, optimized performance, and organizational structure of a developer-centric software security program and PSIRT
  • Includes a chapter by noted security architect Brook Schoenfield who shares his insights and experiences in applying the book’s SDL framework

View the authors' website at http://www.androidinsecurity.com/

Arvustused

First and foremost, Ransome and Misra have made an engaging book that will empower readers in both large and small software development and engineering organizations to build security into their products. This book clarifies to executives the decisions to be made on software security and then provides guidance to managers and developers on process and procedure. Readers are armed with firm solutions for the fight against cyber threats.Dr. Dena Haritos Tsamitis, Director, Information Networking Institute and Director of Education, CyLab Carnegie Mellon University Finally, the definitive how-to guide for software security professionals. Dr. Ransome, Anmol Misra, and Brook Schoenfield deftly outline the procedures and policies needed to integrate real security into the software development process and why security needs to be software and developer-centric if it is to be relevant. A must-have for anyone on the front lines of the Cyber War - especially software developers and those who work with them.Cedric Leighton, Colonel, USAF (Ret); Founder & President, Cedric Leighton Associates

In the wake of cloud computing and mobile apps, the issue of software security has never been more important than today. This book is a must read for security specialists, software developers and software engineers. The authors do a brilliant job providing common sense approaches to achieving a strong software security posture.Dr. Larry Ponemon, Chairman & Founder, Ponemon Institute The root of software security lies within the source code developed by software developers. Therefore, security should be developer-centric, focused on the secure development of the source code. Dr. Ransome, Anmol Misra, and Brook Schoenfield give you a magic formula in this book - the methodology and process to build security into the entire software development life cycle so that the software is secured at the source! Eric S. Yuan, Founder and CEO, Zoom Video Communications, Inc

Misra and his co-author James Ransome, senior director of product security at McAfee, an Intel Company, reflected on years of lessons learned and experiences with Fortune 500 clients and devised a methodology that builds security into software development. The newly published book Core Software Security, Security at the Source takes an innovative approach that engages the creativity of the developer. ... The book covers embedding security as a part of existing software development methods, and how security can be a business enabler and a competitive differentiator. Throughout the book, the authors describe a modern, holistic framework for software security that includes people, process and technology. The book includes metrics, cost effectiveness, case studies, threat modeling and considerations for mobile software and privacy.Sherry Stokes, writing in Carnegie Mellon News, May 2014 First and foremost, Ransome and Misra have made an engaging book that will empower readers in both large and small software development and engineering organizations to build security into their products. This book clarifies to executives the decisions to be made on software security and then provides guidance to managers and developers on process and procedure. Readers are armed with firm solutions for the fight against cyber threats.Dr. Dena Haritos Tsamitis, Director, Information Networking Institute and Director of Education, CyLab Carnegie Mellon University Finally, the definitive how-to guide for software security professionals. Dr. Ransome, Anmol Misra, and Brook Schoenfield deftly outline the procedures and policies needed to integrate real security into the software development process and why security needs to be software and developer-centric if it is to be relevant. A must-have for anyone on the front lines of the Cyber War - especially software developers and those who work with them.Cedric Leighton, Colonel, USAF (Ret); Founder & President, Cedric Leighton Associates

In the wake of cloud computing and mobile apps, the issue of software security has never been more important than today. This book is a must read for security specialists, software developers and software engineers. The authors do a brilliant job providing common sense approaches to achieving a strong software security posture.Dr. Larry Ponemon, Chairman & Founder, Ponemon Institute The root of software security lies within the source code developed by software developers. Therefore, security should be developer-centric, focused on the secure development of the source code. Dr. Ransome, Anmol Misra, and Brook Schoenfield give you a magic formula in this book - the methodology and process to build security into the entire software development life cycle so that the software is secured at the source! Eric S. Yuan, Founder and CEO, Zoom Video Communications, Inc

Misra and his co-author James Ransome, senior director of product security at McAfee, an Intel Company, reflected on years of lessons learned and experiences with Fortune 500 clients and devised a methodology that builds security into software development. The newly published book Core Software Security, Security at the Source takes an innovative approach that engages the creativity of the developer. ... The book covers embedding security as a part of existing software development methods, and how security can be a business enabler and a competitive differentiator. Throughout the book, the authors describe a modern, holistic framework for software security that includes people, process and technology. The book includes metrics, cost effectiveness, case studies, threat modeling and considerations for mobile software and privacy. Sherry Stokes, writing in Carnegie Mellon News, May 2014

Dedication v
Foreword xiii
Howard A. Schmidt
Preface xix
Acknowledgments xxiii
About the Authors xxv
Chapter 1 Introduction
1(18)
1.1 The Importance and Relevance of Software Security
3(3)
1.2 Software Security and the Software Development Lifecycle
6(4)
1.3 Quality Versus Secure Code
10(1)
1.4 The Three Most Important SDL Security Goals
11(2)
1.5 Threat Modeling and Attack Surface Validation
13(2)
1.6
Chapter Summary---What to Expect from This Book
15(4)
References
16(3)
Chapter 2 The Secure Development Lifecycle
19(42)
2.1 Overcoming Challenges in Making Software Secure
20(1)
2.2 Software Security Maturity Models
21(2)
2.3 ISO/IEC 27034---Information Technology---Security Techniques---Application Security
23(2)
2.4 Other Resources for SDL Best Practices
25(6)
2.4.1 SAFECode
25(1)
2.4.2 U.S. Department of Homeland Security Software Assurance Program
26(1)
2.4.3 National Institute of Standards and Technology
27(1)
2.4.4 MITRE Corporation Common Computer Vulnerabilities and Exposures
28(2)
2.4.5 SANS Institute Top Cyber Security Risks
30(1)
2.4.6 U.S. Department of Defense Cyber Security and Information Systems Information Analysis Center (CSIAC)
30(1)
2.4.7 CERT, Bugtraq, and SecurityFocus
31(1)
2.5 Critical Tools and Talent
31(9)
2.5.1 The Tools
32(2)
2.5.2 The Talent
34(6)
2.6 Principles of Least Privilege
40(1)
2.7 Privacy
41(1)
2.8 The Importance of Metrics
42(3)
2.9 Mapping the Security Development Lifecycle to the Software Development Lifecycle
45(5)
2.10 Software Development Methodologies
50(6)
2.10.1 Waterfall Development
51(2)
2.10.2 Agile Development
53(3)
2.3
Chapter Summary
56(5)
References
57(4)
Chapter 3 Security Assessment (A1): SDL Activities and Best Practices
61(20)
3.1 Software Security Team Is Looped in Early
63(1)
3.2 Software Security Hosts a Discovery Meeting
64(2)
3.3 Software Security Team Creates an SDL Project Plan
66(1)
3.4 Privacy Impact Assessment (PIA) Plan Initiated
66(7)
3.5 Security Assessment (A1) Key Success Factors and Metrics
73(6)
3.5.1 Key Success Factors
73(3)
3.5.2 Deliverables
76(2)
3.5.3 Metrics
78(1)
3.6
Chapter Summary
79(2)
References
79(2)
Chapter 4 Architecture (A2): SDL Activities and Best Practices
81(52)
4.1 A2 Policy Compliance Analysis
83(1)
4.2 SDL Policy Assessment and Scoping
84(1)
4.3 Threat Modeling/Architecture Security Analysis
84(40)
4.3.1 Threat Modeling
84(4)
4.3.2 Data Flow Diagrams
88(7)
4.3.3 Architectural Threat Analysis and Ranking of Threats
95(22)
4.3.4 Risk Mitigation
117(7)
4.4 Open-Source Selection
124(1)
4.5 Privacy Information Gathering and Analysis
124(1)
4.6 Key Success Factors and Metrics
125(3)
4.6.1 Key Success Factors
125(1)
4.6.2 Deliverables
126(1)
4.6.3 Metrics
127(1)
4.7
Chapter Summary
128(5)
References
129(4)
Chapter 5 Design and Development (A3): SDL Activities and Best Practices
133(28)
5.1 A3 Policy Compliance Analysis
135(1)
5.2 Security Test Plan Composition
135(11)
5.3 Threat Model Updating
146(1)
5.4 Design Security Analysis and Review
146(4)
5.5 Privacy Implementation Assessment
150(4)
5.6 Key Success Factors and Metrics
154(4)
5.6.1 Key Success Factors
154(2)
5.6.2 Deliverables
156(1)
5.6.3 Metrics
157(1)
5.7
Chapter Summary
158(3)
References
158(3)
Chapter 6 Design and Development (A4): SDL Activities and Best Practices
161(38)
6.1 A4 Policy Compliance Analysis
163(1)
6.2 Security Test Case Execution
164(4)
6.3 Code Review in the SDLC/SDL Process
168(6)
6.4 Security Analysis Tools
174(18)
6.4.1 Static Analysis
177(5)
6.4.2 Dynamic Analysis
182(3)
6.4.3 Fuzz Testing
185(3)
6.4.4 Manual Code Review
188(4)
6.5 Key Success Factors
192(1)
6.6 Deliverables
193(1)
6.7 Metrics
194(1)
6.8
Chapter Summary
195(4)
References
195(4)
Chapter 7 Ship (A5): SDL Activities and Best Practices
199(26)
7.1 A5 Policy Compliance Analysis
201(1)
7.2 Vulnerability Scan
202(3)
7.3 Penetration Testing
205(3)
7.4 Open-Source Licensing Review
208(4)
7.5 Final Security Review
212(4)
7.6 Final Privacy Review
216(1)
7.7 Key Success Factors
217(2)
7.8 Deliverables
219(2)
7.9 Metrics
221(1)
7.10
Chapter Summary
221(4)
References
223(2)
Chapter 8 Post-Release Support (PRSA1--5)
225(30)
8.1 Right-Sizing Your Software Security Group
227(5)
8.1.1 The Right Organizational Location
227(2)
8.1.2 The Right People
229(1)
8.1.3 The Right Process
229(3)
8.2 PRSA1: External Vulnerability Disclosure Response
232(8)
8.2.1 Post-Release PSIRT Response
233(5)
8.2.2 Post-Release Privacy Response
238(1)
8.2.3 Optimizing Post-Release Third-Party Response
239(1)
8.3 PRSA2: Third-Party Reviews
240(2)
8.4 PRSA3: Post-Release Certifications
242(1)
8.5 PRSA4: Internal Review for New Product Combinations or Cloud Deployments
243(1)
8.6 PRSA5: Security Architectural Reviews and Tool-Based Assessments of Current, Legacy, and M&A Products and Solutions
243(5)
8.6.1 Legacy Code
243(4)
8.6.2 Mergers and Acquisitions (M&As)
247(1)
8.7 Key Success Factors
248(3)
8.8 Deliverables
251(1)
8.9 Metrics
252(1)
8.10
Chapter Summary
252(3)
References
253(2)
Chapter 9 Applying the SDL Framework to the Real World
255(70)
9.0 Introduction
256(5)
9.1 Build Software Securely
261(14)
9.1.1 Produce Secure Code
264(5)
9.1.2 Manual Code Review
269(2)
9.1.3 Static Analysis
271(4)
9.2 Determining the Right Activities for Each Project
275(17)
9.2.1 The Seven Determining Questions
275(17)
9.3 Architecture and Design
292(10)
9.4 Testing
302(10)
9.4.1 Functional Testing
303(1)
9.4.2 Dynamic Testing
304(5)
9.4.3 Attack and Penetration Testing
309(2)
9.4.4 Independent Testing
311(1)
9.5 Agile: Sprints
312(5)
9.6 Key Success Factors and Metrics
317(3)
9.6.1 Secure Coding Training Program
317(1)
9.6.2 Secure Coding Frameworks (APIs)
318(1)
9.6.3 Manual Code Review
318(1)
9.6.4 Independent Code Review and Testing (by Experts or Third Parties)
318(1)
9.6.5 Static Analysis
319(1)
9.6.6 Risk Assessment Methodology
319(1)
9.6.7 Integration of SDL with SDLC
319(1)
9.6.8 Development of Architecture Talent
319(1)
9.7 Metrics
320(1)
9.8
Chapter Summary
321(4)
References
323(2)
Chapter 10 Pulling It All Together: Using the SDL to Prevent Real-World Threats
325(26)
10.1 Strategic, Tactical, and User-Specific Software Attacks
326(13)
10.1.1 Strategic Attacks
328(10)
10.1.2 Tactical Attacks
338(1)
10.1.3 User-Specific Attacks
339(1)
10.2 Overcoming Organizational and Business Challenges with a Properly Designed, Managed, and Focused SDL
339(1)
10.3 Software Security Organizational Realities and Leverage
340(2)
10.4 Overcoming SDL Audit and Regulatory Challenges with Proper Governance Management
342(1)
10.5 Future Predications for Software Security
343(2)
10.5.1 The Bad News
343(2)
10.5.2 The Good News
345(1)
10.6 Conclusion
345(6)
References
347(4)
Appendix 351(8)
Index 359
Dr. James Ransome is the Senior Director of Product Security and responsible for all aspects of McAfees Product Security Program, a corporate-wide initiative that supports McAfees business units in delivering best-in-class, secure software products to customers. In this role, James sets program strategy, manages security engagements with McAfee business units, maintains key relationships with McAfee product engineers, and works with other leaders to help define and build product security capabilities. His career has been marked by leadership positions in private and public industries, including three chief information security officer (CISO) and four chief security officer (CSO) roles. Prior to entering the corporate world, James had 23 years of government service in various roles supporting the U.S. intelligence community, federal law enforcement, and the Department of Defense.

James holds a Ph.D. in Information Systems. He developed/tested a security model, architecture, and provided leading practices for converged wired/wireless network security for his doctoral dissertation as part of a NSA/DHS Center of Academic Excellence in Information Assurance Education program. He is the author of several books on information security, and Core Software Security: Security at the Source is his 10th. James is a member of Upsilon Pi Epsilon, the International Honor Society for the Computing and Information Disciplines, and he is a Certified Information Security Manager (CISM), a Certified Information Systems Security Professional (CISSP), and a Ponemon Institute Distinguished Fellow.

Anmol Misra is an author and a security professional with a wide range of experience in the field of information security. His expertise includes mobile and application security, vulnerability management, application and infrastructure security assessments, and security code reviews. He is a Program Manager in Ciscos Information Security group. In this role, he is responsible for developing and implementing security strategy and programs to drive security best practices into all aspects of Ciscos hosted products. Prior to joining Cisco, Anmol was a Senior Consultant with Ernst & Young LLP. In this role, he advised Fortune 500 clients on defining and improving information security programs and practices. He helped corporations to reduce IT security risk and achieve regulatory compliance by improving their security posture.

Anmol is co-author of Android Security: Attacks and Defenses, and is a contributing author of Defending the Cloud: Waging War in Cyberspace. He holds a masters degree in Information Networking from Carnegie Mellon University and a Bachelor of Engineering degree in Computer Engineering. He is based out of San Francisco, California.
Lisainfo e-raamatute kohta Lisainfo e-raamatute kohta
Püsilink: https://www.kriso.ee/db/97814665609632e.html
Märksõnad: