Muutke küpsiste eelistusi

Secure and Resilient Software: Requirements, Test Cases, and Testing Methods [Pehme köide]

(PayPal, San Jose, California, USA), (Technical Security Strategy, Scottsdale, Arizona, USA)
  • Formaat: Paperback / softback, 278 pages, kõrgus x laius: 234x156 mm, kaal: 430 g
  • Ilmumisaeg: 23-Sep-2019
  • Kirjastus: CRC Press
  • ISBN-10: 0367382148
  • ISBN-13: 9780367382148
Teised raamatud teemal:
Secure and Resilient Software: Requirements, Test Cases, and Testing MethodsSuurem pilt
  • Formaat: Paperback / softback, 278 pages, kõrgus x laius: 234x156 mm, kaal: 430 g
  • Ilmumisaeg: 23-Sep-2019
  • Kirjastus: CRC Press
  • ISBN-10: 0367382148
  • ISBN-13: 9780367382148
Teised raamatud teemal:
Püsilink: https://www.kriso.ee/db/9780367382148.html
Märksõnad:
Secure and Resilient Software: Requirements, Test Cases, and Testing Methods provides a comprehensive set of requirements for secure and resilient software development and operation. It supplies documented test cases for those requirements as well as best practices for testing nonfunctional requirements for improved information assurance. This resource-rich book includes:



















Pre-developed nonfunctional requirements that can be reused for any software development project





Documented test cases that go along with the requirements and can be used to develop a Test Plan for the software





Testing methods that can be applied to the test cases provided





Downloadable resources with all security requirements and test cases as well as MS Word versions of the checklists, requirements, and test cases covered in the book











Offering ground-level, already-developed software nonfunctional requirements and corresponding test cases and methods, this book will help to ensure that your software meets its nonfunctional requirements for security and resilience. The accompanying downloadable resources filled with helpful checklists and reusable documentation provides you with the tools needed to integrate security into the requirements analysis, design, and testing phases of your software development lifecycle.





Some Praise for the Book:





This book pulls together the state of the art in thinking about this important issue in a holistic way with several examples. It takes you through the entire lifecycle from conception to implementation ... .Doug Cavit, Chief Security Strategist, Microsoft Corporation





...provides the reader with the tools necessary to jump-start and mature security within the software development lifecycle (SDLC). Jeff Weekes, Sr. Security Architect at Terra Verde Services ... full of useful insights and practical advice from two au
Preface xi
How This Book Is Organized xii
What's On the CD? xv
About the Authors xvii
Acknowledgements xix
From Mark Merkow xvii
From Laksh Raghava xviii
Chapter 1 Introduction
1(14)
1.1 Secure and Resilient
1(1)
1.2 Bad Design Choices Led to the Vulnerable Internet We Know Today
2(2)
1.3 HTTP Has Its Problems, Too
4(2)
1.4 Design Errors Continue Haunting Us Today
6(1)
1.5 Requirements & Design: The Keys to a Successful Software Project
7(3)
1.6 How Design Flaws Play Out
10(2)
1.6.1 DNS Vulnerability
10(1)
1.6.2 The London Stock Exchange
10(1)
1.6.3 Medical Equipment
11(1)
1.6.4 Airbus A380
12(1)
1.7 Solutions Are In Sight!
12(1)
1.8 Notes
13(2)
Chapter 2 Nonfunctional Requirements (NFRs) in Context
15(10)
2.1 System Quality Requirements Engineering (SQUARE)
15(6)
2.1.1 Agree on Definitions
16(1)
2.1.2 Identify Assets and Security/Quality Goals
17(1)
2.1.3 Perform Risk Assessments
17(1)
2.1.4 Elicit Security Requirements
18(2)
2.1.5 Prioritize Requirements
20(1)
2.2 Characteristics of Good Requirements
21(1)
2.3 Summary
22(1)
2.4 Notes
23(2)
Chapter 3 Resilience and Quality Considerations for Application Software and the Application Runtime Environment
25(30)
3.1 Relationships among Nonfunctional Requirements
26(1)
3.2 Considerations for Developing NFRs for your Applications and Runtime Environment
26(25)
3.3 Checking Your Work
51(1)
3.4 Summary
52(1)
3.5 Notes
52(3)
Chapter 4 Security Requirements for Application Software
55(82)
4.1 Security Control Types
55(1)
4.2 Think Like an Attacker
56(1)
4.3 Detailed Security Requirements
57(1)
4.4 Identification Requirements
57(4)
4.5 Authentication Requirements
61(10)
4.6 Authorization Requirements
71(8)
4.7 Security Auditing Requirements
79(6)
4.8 Confidentiality Requirements
85(6)
4.9 Integrity Requirements
91(5)
4.10 Availability Requirements
96(1)
4.11 Nonrepudiation Requirements
97(2)
4.12 Immunity Requirements
99(3)
4.13 Survivability Requirements
102(2)
4.14 Systems Maintenance Security Requirements
104(6)
4.15 Privacy Requirements
110(24)
4.16 Summary
134(1)
4.17 References
135(2)
Chapter 5 Security Services for the Application Operating Environment
137(10)
5.1 The Open Group Architecture Framework (TOGAF)
138(1)
5.2 Standardizing Tools for an Enterprise Architecture
139(1)
5.3 Security Technical Reference Model (TRM)
140(6)
5.3.1 Identification and Authentication
141(1)
5.3.2 System Entry Control
141(1)
5.3.3 Audit
142(1)
5.3.4 Access Control
143(1)
5.3.5 Nonrepudiation
143(1)
5.3.6 Security Management
144(1)
5.3.7 Trusted Recovery
144(1)
5.3.8 Encryption
144(1)
5.3.9 Trusted Communications
145(1)
5.4 Summary
146(1)
5.5 References
146(1)
Chapter 6 Software Design Considerations for Security and Resilience
147(20)
6.1 Design Issues
147(3)
6.2 Architecture and Design Considerations
150(4)
6.3 Special Security Design Considerations for Payment Applications on Mobile Communications Devices
154(1)
6.4 Designing for Integrity
155(1)
6.5 Architecture and Design Review Checklist
156(9)
6.6 Summary
165(1)
6.7 References
165(2)
Chapter 7 Best Practices for Converting Requirements to Secure Software Designs
167(10)
7.1 Secure Design Approach
167(1)
7.2 Reusable Security APIs/Libraries
168(1)
7.3 Security Frameworks
168(1)
7.4 Establishing and Following Best Practices for Design
169(1)
7.5 Security Requirements
169(1)
7.6 Security Recommendations
170(1)
7.7 What's an Attack Surface?
171(2)
7.8 What Is Managed Code?
173(2)
7.9 Understanding Business Requirements for Security Design
175(1)
7.10 Summary
176(1)
7.11 References
176(1)
Chapter 8 Security Test Cases
177(40)
8.1 Standardized Testing Policy
177(1)
8.2 Security Test Cases
178(11)
8.2.1 Test Cases for Identification Requirements
179(2)
8.2.2 Test Cases for Authentication Requirements
181(8)
8.3 Test Cases for Authorization Requirements
189(26)
8.3.1 Test Cases for Security Auditing Requirements
195(4)
8.3.2 Test Cases for Confidentiality Requirements
199(4)
8.3.3 Test Cases for Integrity Requirements
203(3)
8.3.4 Test Cases for Availability Requirements
206(1)
8.3.5 Test Cases for Nonrepudiation Requirements
207(2)
8.3.6 Test Cases for Immunity Requirements
209(1)
8.3.7 Test Cases for Survivability Requirements
210(2)
8.3.8 Test Cases for Systems Maintenance Security Requirements
212(3)
8.4 Summary
215(2)
Chapter 9 Testing Methods and Best Practices
217(18)
9.1 Secure Testing Approach
217(1)
9.2 OWASP's Application Security Verification Standard (ASVS)
217(7)
9.2.1 Application Security Verification Levels
219(1)
9.2.2 Level 1---Automated Verification
220(1)
9.2.3 Level 2---Manual Verification
220(1)
9.2.4 Level 3---Design Verification
221(1)
9.2.5 Level 4---Internal Verification
222(2)
9.2.6 Security Testing Methods
224(1)
9.3 Manual Source Code Review
224(1)
9.4 Automated Source Code Analysis
225(6)
9.4.1 Automated Reviews Compared with Manual Reviews
226(1)
9.4.2 Automated Source Code Analysis Tools---Deployment Strategy
226(1)
9.4.3 IDE Integration for Developers
227(1)
9.4.4 Build Integration for Governance
227(1)
9.4.5 Automated Dynamic Analysis
228(1)
9.4.6 Limitations of Automated Dynamic Analysis Tools
229(1)
9.4.7 Automated Dynamic Analysis Tools---Deployment Strategy
229(1)
9.4.8 Developer Testing
230(1)
9.4.9 Centralized Quality Assurance Testing
230(1)
9.5 Penetration (Pen) Testing
231(1)
9.5.1 Gray Box Testing
232(1)
9.6 Summary
232(1)
9.7 References
232(3)
Chapter 10 Connecting the Moving Parts
235(16)
10.1 OpenSAMM
236(2)
10.2 Security Requirements
238(5)
10.2.1 Security Requirements: Level 1
239(2)
10.2.2 Security Requirements: Level 2
241(1)
10.2.3 Security Requirements: Level 3
242(1)
10.3 Security Testing
243(6)
10.3.1 Security Testing: Level 1
245(1)
10.3.2 Security Testing: Level 2
246(1)
10.3.3 Security Testing: Level 3
247(2)
10.4 Wrap-Up
249(1)
10.5 References
249(2)
Index 251
Mark S. Merkow, CISSP, CISM, CSSLP works at PayPal Inc. (an eBay company) in Scottsdale, Arizona, as Manager of Information Security Policies, Standards, Training, and Awareness in the Information Risk Management area. Mark has more than 35 years of experience in information technology in a variety of roles, including applications development, systems analysis and design, security engineering, and security management. Mark holds a masters degree in decision and info systems from Arizona State University (ASU), a masters of education in distance learning from ASU, and an undergraduate degree in computer info systems from ASU. In addition to his day job, Mark engages in a number of other extracurricular activities, including consulting, course development, online course delivery, and writing columns and books on information technology and information security.





Mark has authored or coauthored ten books on IT and is a contributing editor on four others. Mark remains very active within the information security community, working in a variety of roles for the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Financial Services Technology Consortium (FSTC), and the Financial Services Sector Coordinating Council (FSCCC) on Homeland Security and Critical Infrastructure Protection.





He is the chairman of the Education Committee for the FS-ISAC and is a founding member of the Research and Development Committee of the FSSCC.





Lakshmikanth Raghavan, CISM, CRISC (Laksh) works at PayPal Inc. (an eBay company) as Staff Information Security Engineer in the Information Risk Management area, specializing in application security. Laksh has more than ten years of experience in the areas of information security and information risk management, and has provided consulting services to Fortune 500 companies and financial services companies around the world. Laksh holds a bachelors degree in electronics and t