Security-Driven Software Development

Book description

Trace security requirements through each development phase, mitigating multiple-layer attacks with practical examples, and emerge equipped with the skills to build resilient applications

Key Features

  • Explore the practical application of secure software development methodologies
  • Model security vulnerabilities throughout the software development lifecycle (SDLC)
  • Develop the skills to trace requirements, from requirements gathering through to implementation
  • Purchase of the print or Kindle book includes a free PDF eBook

Book Description

Extend your software development skills to integrate security into every aspect of your projects. Perfect for any programmer or developer working on mission-critical applications, this hands-on guide helps you adopt secure software development practices. Explore core concepts like security specification, modeling, and threat mitigation through the book's iterative approach, which lets you trace security requirements through each phase of software development. You won't stop at the basics; you'll delve into multiple-layer attacks and develop the mindset to prevent them. Through an example application project involving an entertainment ticketing software system, you'll look at high-profile security incidents that have affected popular music stars and performers. Drawing from the author's decades of experience building secure applications in this domain, this book offers comprehensive techniques where problem-solving meets practicality for secure development.

By the end of this book, you'll have gained the expertise to systematically secure software projects, from crafting robust security specifications to adeptly mitigating multifaceted threats, ensuring your applications stand resilient in the face of evolving cybersecurity challenges.

What you will learn

  • Identify the non-functional requirements crucial for software security, performance, and reliability
  • Develop the skills to identify and model vulnerabilities in software design and analysis
  • Analyze and model various threat vectors that pose risks to software applications
  • Acquire strategies to mitigate security threats specific to web applications
  • Address threats to the database layer of an application
  • Trace non-functional requirements through secure software design

Who this book is for

Many software development jobs require developing, maintaining, enhancing, administering, and defending software applications, websites, and scripts. This book is designed for software developers and web developers seeking to excel in these roles, offering concise explanations and applied example use-cases.

Table of contents

  1. Security-Driven Software Development
  2. Contributors
  3. About the author
  4. About the reviewer
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Conventions used
    5. Get in touch
    6. Share your thoughts
    7. Download a free PDF copy of this book
  6. Part 1: Modeling a Secure Application
  7. Chapter 1: Security Principles
    1. What could go wrong?
    2. Principles
    3. Open Web Application Security Project
    4. NIST’s Secure Software Development Framework
    5. MITRE frameworks
    6. Software development lifecycles
    7. Microsoft’s Security Development Lifecycle
    8. Confidentiality, integrity, and availability
    9. Summary
    10. Self-assessment questions
    11. Answers
  8. Chapter 2: Designing a Secure Functional Model
    1. Requirements gathering and specification
    2. Non-functional requirements and security
    3. Capturing scenarios
    4. Textual use cases and misuse cases
    5. Graphical use cases and misuse cases
      1. Graphical use case diagram
      2. Graphical misuse case diagram
    6. Example enterprise secure functional model
      1. Purchase of tickets via self-service
      2. Trying to purchase tickets beyond the patron limit
    7. Summary
    8. Self-assessment questions
    9. Answers
  9. Chapter 3: Designing a Secure Object Model
    1. Identify objects and relationships
    2. Class diagrams
    3. Stereotypes
    4. Invariants
    5. Example of the enterprise secure object model
    6. Summary
    7. Self-assessment questions
    8. Answers
  10. Chapter 4: Designing a Secure Dynamic Model
    1. Technical requirements
    2. Object behavior
    3. Modeling interactions between objects
      1. UML sequence diagrams
      2. UML activity diagrams
    4. Constraints
    5. Example of the enterprise secure dynamic model
    6. Summary
    7. Self-assessment questions
    8. Answers
  11. Chapter 5: Designing a Secure System Model
    1. Partitions
    2. Modeling interactions between partitions
    3. UML component diagrams
    4. Patterns
    5. Example – developing an enterprise secure system model
    6. Summary
    7. Self-assessment questions
    8. Answers
  12. Chapter 6: Threat Modeling
    1. Threat model overview
      1. The STRIDE threat model
      2. The DREAD threat model
    2. Attack trees
    3. Mitigations
    4. Microsoft Threat Modeling Tool
    5. Example of an enterprise threat model
    6. Summary
    7. Self-assessment questions
    8. Answers
  13. Part 2: Mitigating Risks in Implementation
  14. Chapter 7: Authentication and Authorization
    1. Authentication
    2. Authorization
    3. Security Models
    4. Single sign-on and open authorization
      1. Single sign-on (SSO)
      2. Open authorization (OAuth)
    5. Implementing SSO and OAuth with Google
    6. Example of enterprise implementation
    7. Summary
    8. Self-assessment questions
    9. Answers
  15. Chapter 8: Input Validation and Sanitization
    1. Input validation
    2. Input sanitization
    3. Language-specific defenses
    4. Buffer overflows
    5. Example of the enterprise input validation and sanitization
    6. Summary
    7. Self-assessment questions
    8. Answers
  16. Chapter 9: Standard Web Application Vulnerabilities
    1. Injection attacks
    2. Broken authentication and session management
    3. Request forgery
    4. Language-specific defenses
    5. Example of enterprise web defenses
    6. Summary
    7. Self-assessment questions
    8. Answers
  17. Chapter 10: Database Security
    1. Overview of SQL
    2. SQL injection
    3. Maintaining database correctness
    4. Managing activity concurrency
    5. Language-specific defenses
    6. RBAC security in DBMS
    7. Encryption in DBMS
    8. An example of enterprise DB security
    9. Summary
    10. Self-assessment questions
    11. Answers
  18. Part 3: Security Validation
  19. Chapter 11: Unit Testing
    1. The principles of unit testing
    2. The advantages of unit testing
    3. Unit testing frameworks
    4. An example of enterprise threat model
      1. PHPUnit
      2. JUnit
      3. PyUnit
    5. Summary
    6. Self-assessment questions
    7. Answers
  20. Chapter 12: Regression Testing
    1. Regression testing overview
      1. Key concepts
      2. Process
      3. Benefits
    2. Robotic process automation
      1. The intersection of RPA and regression testing
    3. Regression testing tools
    4. Load testing
      1. Integration and complementarity
    5. UI.Vision RPA
    6. Example of the enterprise regression tests
    7. Summary
    8. Self-assessment questions
    9. Answers
  21. Chapter 13: Integration, System, and Acceptance Testing
    1. Types of integration tests
    2. Mocks
    3. Stubs
    4. Examples of enterprise integration testing
    5. System testing
    6. Acceptance testing
    7. Summary
    8. Self-assessment questions
    9. Answers
  22. Chapter 14: Software Penetration Testing
    1. Types of tests
    2. Phases
    3. Tools
      1. Information gathering and reconnaissance
      2. Vulnerability analysis and exploitation
      3. Post-exploitation and privilege escalation
      4. Network sniffing
      5. Forensics and monitoring
      6. Reporting and documentation
    4. An example of an enterprise penetration test report
      1. High-level summary
      2. Host analysis
    5. Summary
    6. Self-assessment questions
    7. Answers
  23. Index
    1. Why subscribe?
  24. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share your thoughts
    3. Download a free PDF copy of this book

Product information

  • Title: Security-Driven Software Development
  • Author(s): Aspen Olmsted
  • Release date: March 2024
  • Publisher(s): Packt Publishing
  • ISBN: 9781835462836