Book description
This book takes a contemporary view of securing all types of software development practices and methodologies, offering in-depth, practical, and accessible advice. It presents proven secure, resilient, and agile software development practices that meet or exceed the demands of today’s increasingly digital world.
Table of contents
- Cover
- Half Title
- Title Page
- Copyright Page
- Dedication
- Table of Contents
- Preface
- About the Author
- Chapter 1: Today’s Software Development Practices Shatter Old Security Practices
- Chapter 2: Deconstructing Agile and Scrum
- Chapter 3: Learning Is FUNdamental!
- 3.1 Education Provides Context and Context Is Key
- 3.2 Principles for Software Security Education
- 3.3 Getting People’s Attention
- 3.4 Awareness versus Education
- 3.5 Moving into the Education Phase
- 3.6 Strategies for Rolling Out Training
- 3.7 Encouraging Training Engagement and Completion
- 3.8 Measuring Success
- 3.9 Keeping the Drumbeat Alive
- 3.10 Create and Mature a Security Champion Network
- 3.11 A Checklist for Establishing a Software Security Education, Training, and Awareness Program
- 3.12 Summary
- References
- Chapter 4: Product Backlog Development—Building Security In
- 4.1 Chapter Overview
- 4.2 Functional versus Nonfunctional Requirements
- 4.3 Testing NFRs
- 4.4 Families of Nonfunctional Requirements
- 4.5 Capacity
- 4.6 Efficiency
- 4.7 Interoperability
- 4.8 Manageability
- 4.9 Maintainability
- 4.10 Performance
- 4.11 Portability
- 4.12 Privacy
- 4.13 Recoverability
- 4.14 Reliability
- 4.15 Scalability
- 4.16 Security
- 4.17 Serviceability/Supportability
- 4.18 Characteristics of Good Requirements
- 4.19 Eliciting Nonfunctional Requirements
- 4.20 NFRs as Acceptance Criteria and Definition of Done
- 4.21 Summary
- References
- Chapter 5: Secure Design Considerations
- 5.1 Chapter Overview
- 5.2 Essential Concepts
- 5.3 The Security Perimeter
- 5.4 Attack Surface
- 5.5 Application Security and Resilience Principles
- 5.5.1 Practice 1: Apply Defense in Depth
- 5.5.2 Practice 2: Use a Positive Security Model
- 5.5.3 Practice 3: Fail Securely
- 5.5.4 Practice 4: Run with Least Privilege
- 5.5.5 Practice 5: Avoid Security by Obscurity
- 5.5.6 Practice 6: Keep Security Simple
- 5.5.7 Practice 7: Detect Intrusions
- 5.5.8 Practice 8: Don’t Trust Infrastructure
- 5.5.9 Practice 9: Don’t Trust Services
- 5.5.10 Practice 10: Establish Secure Defaults
- 5.6 Mapping Best Practices to Nonfunctional Requirements (NFRs) as Acceptance Criteria
- 5.7 Summary
- References
- Chapter 6: Security in the Design Sprint
- 6.1 Chapter Overview
- 6.2 Design Phase Recommendations
- 6.3 Modeling Misuse Cases
- 6.4 Conduct Security Design and Architecture Reviews in Design Sprint
- 6.5 Perform Threat and Application Risk Modeling
- 6.6 Risk Analysis and Assessment
- 6.7 Don’t Forget These Risks!
- 6.8 Rules of Thumb for Defect Removal or Mitigation
- 6.9 Further Needs for Information Assurance
- 6.10 Countering Threats through Proactive Controls
- 6.11 Architecture and Design Review Checklist
- 6.12 Summary
- References
- Chapter 7: Defensive Programming
- 7.1 Chapter Overview
- 7.2 The Evolution of Attacks
- 7.3 Threat and Vulnerability Taxonomies
- 7.4 Failure to Sanitize Inputs Is the Scourge of Software Development
- 7.5 Input Validation and Handling
- 7.6 Common Examples of Attacks Due to Improper Input Handling
- 7.7 Best Practices in Validating Input Data
- 7.8 OWASP’s Secure Coding Practices
- 7.9 Summary
- References
- Chapter 8: Testing Part 1: Static Code Analysis
- 8.1 Chapter Overview
- 8.2 Fixing Early versus Fixing Later
- 8.3 Testing Phases
- 8.4 Static Source Code Analysis
- 8.5 Automated Reviews Compared with Manual Reviews
- 8.6 Peeking Inside SAST Tools
- 8.7 SAST Policies
- 8.8 Using SAST in Development Sprints
- 8.9 Software Composition Analysis (SCA)
- 8.10 SAST is NOT for the Faint of Heart!
- 8.11 Commercial and Free SAST Tools
- 8.12 Summary
- References
- Chapter 9: Testing Part 2: Penetration Testing/Dynamic Analysis/IAST/RASP
- 9.1 Chapter Overview
- 9.2 Penetration (Pen) Testing
- 9.3 Open Source Security Testing Methodology Manual (OSSTMM)
- 9.4 OWASP’s ASVS
- 9.5 Penetration Testing Tools
- 9.6 Automated Pen Testing with Black Box Scanners
- 9.7 Deployment Strategies
- 9.8 Gray Box Testing
- 9.9 Limitations and Constraints of Pen Testing
- 9.10 Interactive Application Security Testing (IAST)
- 9.11 Runtime Application Self-Protection (RASP)
- 9.12 Summary
- References
- Chapter 10: Securing DevOps
- Chapter 11: Metrics and Models for AppSec Maturity
- 11.1 Chapter Overview
- 11.2 Maturity Models for Security and Resilience
- 11.3 Software Assurance Maturity Model—OpenSAMM
- 11.4 Levels of Maturity
- 11.5 Using OpenSAMM to Assess Maturity Levels
- 11.6 The Building Security In Maturity Model (BSIMM)
- 11.7 BSIMM Organization
- 11.8 BSIMM Software Security Framework
- 11.9 BSIMM’s 12 Practice Areas
- 11.10 Measuring Results with BSIMM
- 11.11 The BSIMM Community
- 11.12 Conducting a BSIMM Assessment
- 11.13 Summary
- References
- Chapter 12: Frontiers for AppSec
- 12.1 Internet of Things (IoT)
- 12.2 Blockchain
- 12.3 Microservices and APIs
- 12.4 Containers
- 12.5 Autonomous Vehicles
- 12.6 Web Application Firewalls (WAFs)
- 12.7 Machine Learning/Artificial Intelligence
- 12.8 Big Data
- 12.8.1 Vulnerability to Fake Data Generation
- 12.8.2 Potential Presence of Untrusted Mappers
- 12.8.3 Lack of Cryptographic Protection
- 12.8.4 Possibility of Sensitive Information Mining
- 12.8.5 Problems with Granularity of Access Controls
- 12.8.6 Data Provenance Difficulties
- 12.8.7 High Speed of NoSQL Databases’ Evolution and Lack of Security Focus
- 12.8.8 Absent Security Audits
- 12.9 Summary
- References
- Chapter 13: AppSec Is a Marathon—Not a Sprint!
- Appendix A: Sample Acceptance Criteria for Security Controls
- Appendix B: Resources for AppSec
- Training
- Cyber Ranges
- Requirements Management Tools
- Threat Modeling
- Static Code Scanners: Open Source
- Static Code Scanners: Commercial
- Dynamic Code Scanners: Open Source
- Dynamic Code Scanners: Commercial
- Maturity Models
- Software Composition Analysis
- IAST Tools
- API Security Testing
- Runtime Application Self-Protection (RASP)
- Web Application Firewalls (WAFs)
- Browser-centric Protection
- Index
Product information
- Title: Secure, Resilient, and Agile Software Development
- Author(s):
- Release date: December 2019
- Publisher(s): Auerbach Publications
- ISBN: 9781000041750