E-book: Security Software Development: Assessing and Managing Security Risks

  • Format: 321 pages
  • Publication date: 23-Oct-2008
  • Publisher: Auerbach
  • Language: eng
  • ISBN-13: 9781420063813
  • Format - PDF+DRM
  • Price: 77,99 €*
  • * the price is final, i.e. no further discounts apply
  • This e-book is intended for personal use only. E-books cannot be returned.

DRM restrictions

  • Copying (copy/paste):

    not allowed

  • Printing:

    not allowed

  • Usage:

    Digital rights management (DRM)
    The publisher has issued this e-book in encrypted form, which means that you must install special software to read it. You must also create an Adobe ID. The e-book can be read by 1 user and downloaded to up to 6 devices (all authorized with the same Adobe ID).

    Required software
    To read on mobile devices (phone or tablet), you must install this free app: PocketBook Reader (iOS / Android)

    To read on a PC or Mac, you must install Adobe Digital Editions (this is a free application made specifically for reading e-books; it should not be confused with Adobe Reader, which is probably already installed on your computer)

    This e-book cannot be read on an Amazon Kindle.

Threats to application security continue to evolve just as quickly as the systems that protect against cyber-threats. In many instances, traditional firewalls and other conventional controls can no longer get the job done. The latest line of defense is to build security features into software as it is being developed.

Drawing from the author's extensive experience as a developer, Secure Software Development: Assessing and Managing Security Risks illustrates how software application security can be best, and most cost-effectively, achieved when developers monitor and regulate risks early on, integrating assessment and management into the development life cycle. This book identifies the two primary reasons for inadequate security safeguards: development teams are not sufficiently trained to identify risks; and developers falsely believe that pre-existing perimeter security controls are adequate to protect newer software. Examining current trends, as well as problems that have plagued software security for more than a decade, this useful guide:

  • Outlines and compares various techniques to assess, identify, and manage security risks and vulnerabilities, with step-by-step instruction on how to execute each approach
  • Explains the fundamental terms related to the security process
  • Elaborates on the pros and cons of each method, phase by phase, to help readers select the one that best suits their needs

Despite decades of extraordinary growth in software development, many open-source, government, regulatory, and industry organizations have been slow to adopt new application safety controls, hesitant to take on the added expense. This book improves understanding of the security environment and the need for safety measures. It shows readers how to analyze relevant threats to their applications and then implement time- and money-saving techniques

Preface
Acknowledgments
Author Biography
Current Trends in Application Security
    Recent Data Security Breaches
    Definition
    Legislative and Regulatory Requirements Affecting Application Security
    Industry Standards Requiring or Affecting Application Security
    Risks Associated with Current Trends
    Introduction to Test Case That Relates to Current Trends
    Conclusion
    References
Security Risk Assessment Methodologies
    Definitions
    Quantitative Risk Assessment Methodologies
    Exposure Factor
    Single Loss Expectancy
    Annualized Rate of Occurrence
    Annualized Loss Expectancy
    Cost-Benefit Analysis
    Qualitative Risk Assessment Methodologies
    Likelihood of Occurrence
    Magnitude of Impact
    Risk Level
    Published Methodologies
    Software Engineering Institute's OCTAVE
    STRIDE
    DREAD
    Trike
    Australian/New Zealand Standard 4360:2004
    Common Vulnerability Scoring System (CVSS)
    Automated Risk Assessment Tools
    Tips in Selecting a Methodology
    Selecting a Methodology for the Test Case
    Arguments for Using a Quantitative Risk Analysis Method in the Test Case
    Arguments against Using a Quantitative Risk Analysis Method in the Test Case
    Arguments for Using a Qualitative Risk Analysis Method in the Test Case
    Arguments against Using a Qualitative Risk Analysis Method in the Test Case
    Checklist for Deciding on a Security Risk Assessment Methodology
    Conclusions
Identifying Assets
    Definition
    Types of Assets Typically Found in Software Development
    Information Assets
    External Databases
    Business Rules
    Services and Functions
    Software
    Proprietary Formulas
    Encryption Software and Encryption Keys
    People
    Accounts, Transactions, and Calculations
    How to Identify Assets in Application Development
    Business and User Management Involvement
    Review of Organizational Documentation
    Other Methods of Identifying Assets
    Determining Assets for the Test Case
    Asset Checklist
    Summary
Identifying Security Threats
    Definition
    Information Security Threats to Software Development
    Business Threats
    System Threats
    Human Threats
    Technical Threats
    Environmental Threats
    Natural Threats
    How to Identify Security Threats
    Attack Histories
    Current Headlines
    Internet Sites
    Threat Modeling
    Test Case Threats
    Test Case Business Objectives
    Test Case User Roles
    Test Case Use Cases
    Test Case Components
    Test Case Architecture
    Test Case Threats
    Conclusion
    Threat Identification Checklists
    Typical Threats (the "Usual Suspects")
    Sources of Threat Identification
    Threat Modeling
Identifying Vulnerabilities
    Definition
    The Importance of Identifying Vulnerabilities
    Identifying Vulnerabilities
    Common Vulnerabilities
    Buffer Overflows
    Injection Flaws
    Information Leakage and Improper Error Handling
    Cross-Site Scripting
    Nontechnical Vulnerabilities
    Methods of Detecting Vulnerabilities during Software Development
    Review of Current Controls
    Code Reviews
    Testing
    Static Code Scanning
    Dynamic Code Scanning
    Web Application Scanning
    Network Vulnerability Scanning
    Review of Best Practice Standards
    Secure Coding Techniques to Avoid Vulnerabilities
    Validate Input
    Validate Output to Be Displayed on Browsers
    Keep It Simple
    Follow the Principle of Least Privilege
    Practice Defense in Depth
    Practice Quality Assurance
    Adopt Coding Standards
    Define Security Requirements
    Practice Threat Modeling
    Vulnerabilities Associated with the Test Case
    Conclusion
    Checklists
    Sources of Education about Software Vulnerabilities
    OWASP Top 10 (2007)
    SANS Top 20 for 2007
    Methods for Finding Vulnerabilities
    Secure Coding Practices to Avoid Vulnerabilities
Analyzing Security Risks
    Threat-Vulnerability Pairs
    Risk Likelihood or Probability
    Control Analysis
    Impact or Severity of Threat Actions
    Impact on Confidentiality
    Impact on Integrity
    Impact on Availability
    Determining Risk Levels
    Sources of Scales and Tables
    Determining Security Risks for the Test Case
    Human Threats
    Technical Threats
    Vulnerabilities
    Threat-Action Statements
    Likelihood of Occurrence
    Control Analysis
    Magnitude of Impact
    Risk Levels
    Conclusion
    Common Risk Scales and Tables
    Likelihood of Occurrence Scales
    Magnitude of Impact Scales
    Risk Matrixes
    Risk Assessment Reporting Template
    Alternate Risk Assessment Reporting Template
    Risk Assessment Summary
    Overview
    OCTAVE Risk Assessment Methodology
    Identified Assets
    Critical Assets
    Vulnerability Assessment
    Security Requirements
    Sources and Potential Impacts of Threats
    Impact Descriptions
    Current Protection Strategies
    Risk Analysis
    Risk Mitigation Plans
    Summary
Managing Security Risks
    Definitions
    Risk Mitigation Strategies
    Risk Assumption
    Risk Transference
    Risk Avoidance
    Risk Limitation
    Protection Strategies
    Mitigating Risks in the Test Case
    Conclusion
    Risk Mitigation Checklists
    Risk Mitigation Reporting Template
    Risk Mitigation Documentation
    Risk Mitigation Options
    Risk Mitigation Strategy
    Control Implementation Approach
Risk Assessment and Risk Mitigation Activities in the SDLC
    Requirements Gathering and Analysis
    Design
    Development
    Test
    Production and Maintenance
    Risk Management Activities within the Test Case
    Test Case Assets
    Test Case Threats
    Test Case Vulnerabilities
    Test Case Risks and Mitigation Efforts
    Conclusion
    Risk Assessment and Risk Mitigation Activity Checklist
Maintaining a Security Risk Assessment and Risk Management Process
    Definitions
    Risk Management Plans
    Supporting Risk Management Practices
    Top-Down Support
    Support from Policies and Procedures
    Legislative, Regulatory, or Compliance Support
    Certification and Accreditation Support
    Support from Change Management
    Continuous Evaluation and Improvement
    System Security Plan Scope
    Identifying Key Infrastructure
    Identification of Key Personnel
    Determining System Boundaries
    Physical Inspections and Walkthroughs
    Interview Key Personnel
    Incidental Documentation
    Prepare Documentation
    Discuss SSP with Management
    Finalize Documentation
    Risk Management Policy
    Conclusions
    Risk Management Plan Template
    Purpose
    Objective
    References
    Legal Basis
    Definitions
    Risk Management Overview
    Importance of Risk Management
    Integration of Risk Management into the System Development Life Cycle (SDLC)
    Key Roles
    Risk Assessment
    Preparing to Assess Risks
    Build Asset-Based Threat Profiles
    Identify Infrastructure Vulnerabilities
    Develop Security Strategy and Plans
    Risk Mitigation
    Risk Mitigation Options
    Risk Mitigation Strategy
    Control Implementation Approach
    Evaluation and Assessment
    Risk Management Policy Template
    Purpose
    Overview
    Scope
    Statutory Authority
    Compliance
    Updates
    Definitions
    Policy Details: Risk Management
    Integration of Risk Management into the System Development Life Cycle (SDLC)
    Key Roles
    Risk Assessment
    Risk Mitigation
    Risk Mitigation Options
    Risk Mitigation Strategy
    Control Implementation Approach
    Evaluation and Assessment
    System Security Plan Template
    System Identification
    Management Controls
    Operational Controls
    Technical Controls
    Appendices and Attachments
    Secure Product Development Policy Template
Index
Ashbaugh, CISSP