Practical Core Software Security: A Reference Framework

by Anmol, James F Ransome, Mark S. Merkow

Length: 262 pages
Edition: 1
Language: English
Publisher: Auerbach Pub
Publication Date: 2022-08-02
ISBN-10: 1032276037
ISBN-13: 9781032276038
Sales Rank: #0 (See Top 100 Books)

As long as humans write software, the key to successful software security is making the software development program process more efficient and effective. Although the approach of this textbook includes people, process, and technology approaches to software security, Practical Core Software Security: A Reference Architecture stresses the people element of software security, which is still the most important part to manage as software is developed, controlled, and exploited by humans.

The text outlines a step-by-step process for software security that is relevant to today’s technical, operational, business, and development environments. It focuses on what humans can do to control and manage a secure software development process using best practices and metrics. Although security issues will always exist, students learn how to maximize an organization’s ability to minimize vulnerabilities in software products before they are released or deployed by building security into the development process.

The authors have worked with Fortune 500 companies and have often seen examples of the breakdown of security development lifecycle (SDL) practices. The text takes an experience-based approach to apply components of the best available SDL models in dealing with the problems described above. We present software security best practices, an SDL model, and framework in the book. Starting with an overview of the SDL, the text outlines a model for mapping SDL best practices to the software development life cycle (SDLC). It explains how to use this model to build and manage a mature SDL program. Exercises and an in-depth case study aid students in mastering the SDL model.

Professionals skilled in secure software development and related tasks are in tremendous demand today. The industry continues to experience exponential demand that should continue to grow for the foreseeable future. This book can benefit professionals as much as students. As they integrate the book’s ideas into their software security practices, their value increases to their organizations, management teams, community, and industry.

About the Authors

Dr. James Ransome, PhD, CISSP, CISM is a veteran of numerous chief information security officer (CISO). chief security officer (CSO), and chief production security officer (CPSO) roles, as well as an author and co-author of numerous cyber security books.

Anmol Misra is an accomplished leader, researcher, author, and security expert, with over 16

years of experience in technology and cybersecurity.

Mark S. Merkow, CISSP, CISM, CSSLP has over 25 years of experience in corporate information security and 17 years in the AppSec space helping to establish and lead application security initiatives to success and sustainment.

Cover
Half Title
Title Page
Copyright Page
Dedications
Table of Contents
List of Figures
List of Tables
Preface
	About the Book
	Audience
	Support
	Structure
	Assumptions
Acknowledgments
About the Authors
Chapter 1: Introduction
	Chapter Overview
	Chapter Take-Aways
	1.1 The Importance and Relevance of Software Security
	1.2 Software Security and the Software Development Life Cycle
	1.3 Quality Versus Secure Code
	1.4 The Three Most Important SDL Security Goals
	1.5 Threat Modeling and Attack Surface Validation
	1.6 Summary
	Chapter Quick-Check
	Exercises
	References
Chapter 2: The Security Development Lifecycle
	Chapter Overview
	Chapter Take-Aways
	2.1 Overcoming Challenges in Making Software Secure
	2.2 Software Security Maturity Models
	2.3 ISO/IEC 27034—Information Technology—Security Techniques—Application Security
	2.4 Other Resources for SDL Best Practices
		2.4.1 SAFECode
		2.4.2 U.S. Department of Homeland Security Software Assurance Program
		2.4.3 National Institute of Standards and Technology
		2.4.4 Common Computer Vulnerabilities and Exposures
		2.4.5 SANS Institute Top Cyber Security Risks
		2.4.6 U.S. Department of Defense Cyber Security and Information Systems Information Analysis Center (CSIAC)
		2.4.7 CERT, Bugtraq®, and SecurityFocus
	2.5 Critical Tools and Talent
		2.5.1 The Tools
		2.5.2 The Talent
	2.6 Principles of Least Privilege
	2.7 Privacy
	2.8 The Importance of Metrics
	2.9 Mapping the Security Development Lifecycle to the Software Development Life Cycle
	2.10 Software Development Methodologies
		2.10.1 Waterfall Development
		2.10.2 Agile Development
	2.11 Summary
	Chapter Quick-Check
	Exercises
	References
Chapter 3: Security Assessment (A1): SDL Activities and Best Practices
	Chapter Overview
	Chapter Take-Aways
	3.1 Software Security Team Is Looped in Early
	3.2 Software Security Hosts a Discovery Meeting
	3.3 Software Security Team Creates an SDL Project Plan
	3.4 Privacy Impact Assessment (PIA) Plan Initiated
	3.5 Security Assessment (A1) Key Success Factors and Metrics
		3.5.1 Key Success Factors
		3.5.2 Deliverables
		3.5.3 Metrics
	3.6 Summary
	Chapter Quick-Check
	Exercises
	References
Chapter 4: Architecture (A2): SDL Activities and Best Practices
	Chapter Overview
	Chapter Take-Aways
	4.1 A2 Policy Compliance Analysis
	4.2 SDL Policy Assessment and Scoping
	4.3 Threat Modeling/Architecture Security Analysis
		4.3.1 Threat Modeling
		4.3.2 Data Flow Diagrams
		4.3.3 Architectural Threat Analysis and Ranking of Threats
		4.3.4 Risk Mitigation
	4.4 Open-Source Selection
	4.5 Privacy Information Gathering and Analysis
	4.6 Key Success Factors and Metrics
		4.6.1 Key Success Factors
		4.6.2 Deliverables
		4.6.3 Metrics
	4.7 Summary
	Chapter Quick-Check
	Exercises
	References
Chapter 5: Design and Development (A3): SDL Activities and Best Practices
	Chapter Overview
	Chapter Take-Aways
	5.1 A3 Policy Compliance Analysis
	5.2 Security Test Plan Composition
	5.3 Threat Model Updating
	5.4 Design Security Analysis and Review
	5.5 Privacy Implementation Assessment
	5.6 Key Success Factors and Metrics
		5.6.1 Key Success Factors
		5.6.2 Deliverables
		5.6.3 Metrics
	5.7 Summary
	Chapter Quick-Check
	Exercises
	References
Chapter 6: Design and Development (A4): SDL Activities and Best Practices
	Chapter Overview
	Chapter Take-Aways
	6.1 A4 Policy Compliance Analysis
	6.2 Security Test Case Execution
	6.3 Code Review in the SDLC/SDL Process
	6.4 Security Analysis Tools
		6.4.1 Static Analysis
		6.4.2 Dynamic Analysis
		6.4.3 Fuzz Testing
		6.4.4 Manual Code Review
	6.5 Key Success Factors
	6.6 Deliverables
	6.7 Metrics
	6.8 Summary
	Chapter Quick-Check
	Exercises
	References
Chapter 7: Ship (A5): SDL Activities and Best Practices
	Chapter Overview
	Chapter Take-Aways
	7.1 A5 Policy Compliance Analysis
	7.2 Vulnerability Scan
	7.3 Code-Assisted Penetration Testing
	7.4 Open-Source Licensing Review
	7.5 Final Security Review
	7.6 Final Privacy Review
	7.7 Key Success Factors
	7.8 Deliverables
	7.9 Metrics
	7.10 Summary
	Chapter Quick-Check
	Exercises
	References
Chapter 8: Post-Release Support (PRSA1–5)
	Chapter Overview
	Chapter Take-Aways
	8.1 Right-Sizing Your Software Security Group
		8.1.1 The Right Organizational Location
		8.1.2 The Right People
		8.1.3 The Right Process
	8.2 PRSA1: External Vulnerability Disclosure Response
		8.2.1 Post-Release PSIRT Response
		8.2.2 Post-Release Privacy Response
		8.2.3 Optimizing Post-Release Third-Party Response
	8.3 PRSA2: Third-Party Reviews
	8.4 PRSA3: Post-Release Certifications
	8.5 PRSA4: Internal Review for New Product Combinations or Cloud Deployments
	8.6 PRSA5: Security Architectural Reviews and Tool-Based Assessments of Current, Legacy, and M&A Products and Solutions
		8.6.1 Legacy Code
		8.6.2 Mergers and Acquisitions (M&As)
	8.7 Key Success Factors
	8.8 Deliverables
	8.9 Metrics
	8.10 Summary
	Chapter Quick-Check
	Exercises
	References
Chapter 9: Adapting Our Reference Framework to Your Environment
	Chapter Overview
	Chapter Take-Aways
	9.1 Overview of the Top Four Environments in Which You Are Likely to Deploy Your SDL
		9.1.1 Agile
		9.1.2 DevOps
		9.1.3 Cloud
		9.1.4 Digital Enterprise
	9.2 Key Success Factors, Deliverables, and Metrics for Each Phase of Our SDL Reference Framework
	9.3 Software Security Maturity Models and the SDL
		9.3.1 Maturity Models for Security and Resilience
		9.3.2 Software Assurance Maturity Model—OpenSAMM
	9.4 The Building Security In Maturity Model (BSIMM)
		9.4.1 BSIMM Organization
		9.4.2 BSIMM Software Security Framework
		9.4.3 Deployment
		9.4.4 BSIMM’s 12 Practice Areas
		9.4.5 Measuring Results with BSIMM
		9.4.6 The BSIMM Community
		9.4.7 Conducting a BSIMM Assessment
		9.4.8 Section Summary
	9.5 Enhancing Your Threat Modeling Practice As Part of the SDL
		9.5.1 Practical Threat and Application Risk Modeling
		9.5.2 MITRE ATT&CK® and MITRE D3FEND®
	9.6 Pulling It All Together
	9.7 Overcoming Organizational and Business Challenges with a Properly Designed, Managed, and Focused SDL
	9.8 Software Security Organizational Realities and Leverage
	9.9 Future Predictions for Software Security
		9.9.1 The Bad News
		9.9.2 The Good News
	9.10 Comprehensive SDL Review
	9.11 Conclusion
	References
Appendix A: Case Study for Chapters 3 Through 8 Exercises
Appendix B: Answers to Chapter Quick-Check Questions
Glossary
Index