Building in Security at Agile Speed
- Length: 346 pages
- Edition: 1
- Language: English
- Publisher: Auerbach Publications
- Publication Date: 2021-04-21
- ISBN-10: 0367433265
- ISBN-13: 9780367433260
- Sales Rank: #4288812
Today’s high-speed and rapidly changing development environments demand equally high-speed security practices. Still, achieving security remains a human endeavor, a core part of designing, generating and verifying software. Dr. James Ransome and Brook S.E. Schoenfield have built upon their previous works to explain that security starts with people; ultimately, humans generate software security. People collectively act through a particular and distinct set of methodologies, processes, and technologies that the authors have brought together into a newly designed, holistic, generic software development lifecycle facilitating software security at Agile, DevOps speed.
―Eric S. Yuan, Founder and CEO, Zoom Video Communications, Inc.
It is essential that we embrace a mantra that ensures security is baked in throughout any development process. Ransome and Schoenfield leverage their abundance of experience and knowledge to clearly define why and how we need to build this new model around an understanding that the human element is the ultimate key to success.
―Jennifer Sunshine Steffens, CEO of IOActive
Both practical and strategic, Building in Security at Agile Speed is an invaluable resource for change leaders committed to building secure software solutions in a world characterized by increasing threats and uncertainty. Ransome and Schoenfield brilliantly demonstrate why creating robust software is a result of not only technical, but deeply human elements of agile ways of working.
―Jorgen Hesselberg, author of Unlocking Agility and Cofounder of Comparative Agility
The proliferation of open source components and distributed software services makes the principles detailed in Building in Security at Agile Speed more relevant than ever. Incorporating the principles and detailed guidance in this book into your SDLC is a must for all software developers and IT organizations.
―George K. Tsantes, CEO of Cyberphos, former partner at Accenture and Principal at EY
Detailing the people, processes, and technical aspects of software security, Building in Security at Agile Speed emphasizes that the people element remains critical because software is developed, managed, and exploited by humans. This book presents a step-by-step process for software security that uses today’s technology, operational, business, and development methods with a focus on best practice, proven activities, processes, tools, and metrics for any size or type of organization and development practice.
Table of Contents
- Cover
- Half Title
- Title Page
- Copyright Page
- Dedications
- Table of Contents
- Foreword
- Preface
- Acknowledgments
- About the Authors
- Chapter 1: Setting the Stage
  - 1.1 Introduction
  - 1.2 Current Events
  - 1.3 The State of Software Security
  - 1.4 What Is Secure Software?
  - 1.5 Developing an SDL Model That Can Work with Any Development Methodology
    - 1.5.1 Our Previous Secure Development Lifecycle Design and Methodology
    - 1.5.2 Mapping the Security Development Lifecycle (SDL) to the Software Development Life Cycle (SDLC)
    - 1.5.3 Software Development Methodologies
  - 1.6 The Progression from Waterfall and Agile to Scrum: A Management Perspective
    - 1.6.1 DevOps and CI/CD
    - 1.6.2 Cloud Services
    - 1.6.3 Platform Services
    - 1.6.4 Automation
    - 1.6.5 General Testing and Quality Assurance
    - 1.6.6 Security Testing
    - 1.6.7 DevSecOps
    - 1.6.8 Education
    - 1.6.10 Pulling It All Together Using Visual Analogies
    - 1.6.11 DevOps Best Practices
    - 1.6.12 Optimizing Your Team Size
  - 1.7 Chapter Summary
- Chapter 2: Software Development Security Management in an Agile World
  - 2.1 Introduction
  - 2.2 Building and Managing the DevOps Software Security Organization
    - 2.2.1 Use of the Term DevSecOps
    - 2.2.2 Product Security Organizational Structure
    - 2.2.3 Software Security Program Management
    - 2.2.4 Software Security Organizational Realities and Leverage
    - 2.2.5 Software Security Organizational and People Management Tips
  - 2.3 Security Tools, Automation, and Vendor Management
    - 2.3.1 Security Tools and Automation
    - 2.3.2 DevOps Tools: Going Beyond the SDL
    - 2.3.3 Vendor Management
  - 2.4 DevOps Security Incident Response
    - 2.4.1 Internal Response to Defects and Security Vulnerabilities in Your Source Code
    - 2.4.2 External Response to Security Vulnerabilities Discovered in Your Product Source Code
    - 2.4.3 Post-Release PSIRT Response
    - 2.4.4 Optimizing Post-Release Third-Party Response
    - 2.4.5 Key Success Factors
  - 2.5 Security Training Management
  - 2.6 Security Budget Management
    - 2.6.1 Preparing and Delivering the Budget Message
    - 2.6.2 Other Things to Consider When Preparing Your Budget
  - 2.7 Security Governance, Risk, and Compliance (GRC) Management
    - 2.7.1 SDL Coverage of Relevant Regulations, Certifications, and Compliance Frameworks
    - 2.7.2 Third-Party Reviews
    - 2.7.3 Post-Release Certifications
    - 2.7.4 Privacy
  - 2.8 Security Metrics Management
    - 2.8.1 The Importance of Metrics
    - 2.8.2 SDL-Specific Metrics
    - 2.8.3 Additional Security Metrics Focused on Optimizing Your DevOps Environment
  - 2.9 Mergers and Acquisitions (M&A) Management
    - 2.9.1 Open Source M&A Considerations
  - 2.10 Legacy Code Management
  - 2.11 Chapter Summary
- Chapter 3: A Generic Security Development Lifecycle (SDL)
  - 3.1 Introduction
  - 3.2 Build Software Securely
    - 3.2.1 Produce Secure Code
    - 3.2.2 Manual Code Review
    - 3.2.3 Static Analysis
    - 3.2.4 Third-Party Code Assessment
    - 3.2.5 Patch (Upgrade or Fix) Issues Identified in Third-Party Code
  - 3.3 Determining the Right Activities for Each Project
    - 3.3.1 The SDL Determining Questions
  - 3.4 Architecture and Design
  - 3.5 Testing
    - 3.5.1 Functional Testing
    - 3.5.2 Dynamic Testing
    - 3.5.3 Attack and Penetration Testing
    - 3.5.4 Independent Testing
  - 3.6 Assess and Threat Model Build/Release/Deploy/Operate Chain
  - 3.7 Agile: Sprints
  - 3.8 Key Success Factors and Metrics
    - 3.8.1 Secure Coding Training Program
    - 3.8.2 Secure Coding Frameworks (APIs)
    - 3.8.3 Manual Code Review
    - 3.8.4 Independent Code Review and Testing (by Experts or Third Parties)
    - 3.8.5 Static Analysis
    - 3.8.6 Risk Assessment Methodology
    - 3.8.7 Integration of SDL with SDLC
    - 3.8.8 Development of Architecture Talent
    - 3.8.9 Metrics
  - 3.9 Chapter Summary
- Chapter 4: Secure Design through Threat Modeling
  - 4.1 Threat Modeling Is Foundational
  - 4.2 Secure Design Primer
  - 4.3 Analysis Technique
    - 4.3.1 Before the Threat Model
    - 4.3.2 Pre-Analysis Knowledge
    - 4.3.3 ATASM Process
    - 4.3.4 Target System Discovery
  - 4.4 A Short “How To” Primer
    - 4.4.1 Enumerate CAV
    - 4.4.2 Structure, Detail, and Abstraction
    - 4.4.3 Rating Risk
    - 4.4.4 Identifying Defenses
  - 4.5 Threat Model Automation
  - 4.6 Chapter Summary
- Chapter 5: Enhancing Software Development Security Management in an Agile World
  - 5.1 Introduction
  - 5.2 Building and Managing the DevOps Software Security Organization
    - 5.2.1 Continuous and Integrated Security
    - 5.2.2 Security Mindset versus Dedicated Security Organization
    - 5.2.3 Optimizing Security to Prevent Real-World Threats
  - 5.3 Security Tools, Automation, and Vendor Management
    - 5.3.1 Static Application Security Testing (SAST)
    - 5.3.2 Dynamic Analysis Security Testing (DAST)
    - 5.3.3 Fuzzing and Continuous Delivery
    - 5.3.4 Unit and Functional Testing
    - 5.3.5 Integration Testing
    - 5.3.6 Automate Red Team Testing
    - 5.3.7 Automate Pen Testing
    - 5.3.8 Vulnerability Management
    - 5.3.9 Automated Configuration Management
    - 5.3.10 Software Composition Analysis
    - 5.3.11 Bug Bounty Programs
    - 5.3.12 Securing Your Continuous Delivery Pipeline
    - 5.3.13 Vendor Management
  - 5.4 DevOps Security Incident Response
    - 5.4.1 Organizational Structure
    - 5.4.2 Proactive Hunting
    - 5.4.3 Continuous Detection and Response
    - 5.4.4 Software Bill of Materials
    - 5.4.5 Organizational Management
  - 5.5 Security Training Management
    - 5.5.1 People
    - 5.5.2 Process
    - 5.5.3 Technology
  - 5.6 Security Budget Management
  - 5.7 Security Governance, Risk, and Compliance (GRC) Management
  - 5.8 Security Metrics Management
  - 5.9 Mergers and Acquisitions (M&A) Management
  - 5.10 Legacy Code Management
    - 5.10.1 Security Issues
    - 5.10.2 Legal and Compliance Issues
  - 5.11 Chapter Summary
- Chapter 6: Culture Hacking
  - 6.1 Introduction
  - 6.2 Culture Must Shift
  - 6.3 Hack All Levels
    - 6.3.1 Executive Support
    - 6.3.2 Mid-Management Make or Break
    - 6.3.3 Accept All Help
  - 6.4 Trust Developers
  - 6.5 Build a Community of Practice
  - 6.6 Threat Model Training Is for Everyone
  - 6.7 Audit and Security Are Not the Same Thing
  - 6.8 An Organizational Management Perspective
    - 6.8.1 Security Cultural Change
    - 6.8.2 Security Incident Response
    - 6.8.3 Security Training
    - 6.8.4 Security Technical Debt (Legacy Software)
  - 6.9 Summary/Conclusion
- Appendix A: The Generic Security Development Lifecycle
- Index