Core Software Security: Security at the Source

"... an engaging book that will empower readers in both large and small software development and engineering organizations to build security into their products. ... Readers are armed with firm solutions for the fight against cyber threats."
—Dr. Dena Haritos Tsamitis. Carnegie Mellon University

"... a must read for security specialists, software developers and software engineers. ... should be part of every security professional’s library."
—Dr. Larry Ponemon, Ponemon Institute

"... the definitive how-to guide for software security professionals. Dr. Ransome, Anmol Misra, and Brook Schoenfield deftly outline the procedures and policies needed to integrate real security into the software development process. ...A must-have for anyone on the front lines of the Cyber War ..."
—Cedric Leighton, Colonel, USAF (Ret.), Cedric Leighton Associates

"Dr. Ransome, Anmol Misra, and Brook Schoenfield give you a magic formula in this book - the methodology and process to build security into the entire software development life cycle so that the software is secured at the source! "
—Eric S. Yuan, Zoom Video Communications

There is much publicity regarding network security, but the real cyber Achilles’ heel is insecure software. Millions of software vulnerabilities create a cyber house of cards, in which we conduct our digital lives. In response, security people build ever more elaborate cyber fortresses to protect this vulnerable software. Despite their efforts, cyber fortifications consistently fail to protect our digital treasures. Why? The security industry has failed to engage fully with the creative, innovative people who write software.

Core Software Security expounds developer-centric software security, a holistic process to engage creativity for security. As long as software is developed by humans, it requires the human element to fix it. Developer-centric security is not only feasible but also cost effective and operationally relevant. The methodology builds security into software development, which lies at the heart of our cyber infrastructure. Whatever development method is employed, software must be secured at the source.

Book Highlights:

  • Supplies a practitioner's view of the SDL
  • Considers Agile as a security enabler
  • Covers the privacy elements in an SDL
  • Outlines a holistic business-savvy SDL framework that includes people, process, and technology
  • Highlights the key success factors, deliverables, and metrics for each phase of the SDL
  • Examines cost efficiencies, optimized performance, and organizational structure of a developer-centric software security program and PSIRT
  • Includes a chapter by noted security architect Brook Schoenfield who shares his insights and experiences in applying the book’s SDL framework

View the authors' website at http://www.androidinsecurity.com/

1115662615
Core Software Security: Security at the Source

"... an engaging book that will empower readers in both large and small software development and engineering organizations to build security into their products. ... Readers are armed with firm solutions for the fight against cyber threats."
—Dr. Dena Haritos Tsamitis. Carnegie Mellon University

"... a must read for security specialists, software developers and software engineers. ... should be part of every security professional’s library."
—Dr. Larry Ponemon, Ponemon Institute

"... the definitive how-to guide for software security professionals. Dr. Ransome, Anmol Misra, and Brook Schoenfield deftly outline the procedures and policies needed to integrate real security into the software development process. ...A must-have for anyone on the front lines of the Cyber War ..."
—Cedric Leighton, Colonel, USAF (Ret.), Cedric Leighton Associates

"Dr. Ransome, Anmol Misra, and Brook Schoenfield give you a magic formula in this book - the methodology and process to build security into the entire software development life cycle so that the software is secured at the source! "
—Eric S. Yuan, Zoom Video Communications

There is much publicity regarding network security, but the real cyber Achilles’ heel is insecure software. Millions of software vulnerabilities create a cyber house of cards, in which we conduct our digital lives. In response, security people build ever more elaborate cyber fortresses to protect this vulnerable software. Despite their efforts, cyber fortifications consistently fail to protect our digital treasures. Why? The security industry has failed to engage fully with the creative, innovative people who write software.

Core Software Security expounds developer-centric software security, a holistic process to engage creativity for security. As long as software is developed by humans, it requires the human element to fix it. Developer-centric security is not only feasible but also cost effective and operationally relevant. The methodology builds security into software development, which lies at the heart of our cyber infrastructure. Whatever development method is employed, software must be secured at the source.

Book Highlights:

  • Supplies a practitioner's view of the SDL
  • Considers Agile as a security enabler
  • Covers the privacy elements in an SDL
  • Outlines a holistic business-savvy SDL framework that includes people, process, and technology
  • Highlights the key success factors, deliverables, and metrics for each phase of the SDL
  • Examines cost efficiencies, optimized performance, and organizational structure of a developer-centric software security program and PSIRT
  • Includes a chapter by noted security architect Brook Schoenfield who shares his insights and experiences in applying the book’s SDL framework

View the authors' website at http://www.androidinsecurity.com/

59.95 In Stock
Core Software Security: Security at the Source

Core Software Security: Security at the Source

by James Ransome, Anmol Misra
Core Software Security: Security at the Source

Core Software Security: Security at the Source

by James Ransome, Anmol Misra

eBook

$59.95 

Available on Compatible NOOK devices, the free NOOK App and in My Digital Library.
WANT A NOOK?  Explore Now

Related collections and offers


Overview

"... an engaging book that will empower readers in both large and small software development and engineering organizations to build security into their products. ... Readers are armed with firm solutions for the fight against cyber threats."
—Dr. Dena Haritos Tsamitis. Carnegie Mellon University

"... a must read for security specialists, software developers and software engineers. ... should be part of every security professional’s library."
—Dr. Larry Ponemon, Ponemon Institute

"... the definitive how-to guide for software security professionals. Dr. Ransome, Anmol Misra, and Brook Schoenfield deftly outline the procedures and policies needed to integrate real security into the software development process. ...A must-have for anyone on the front lines of the Cyber War ..."
—Cedric Leighton, Colonel, USAF (Ret.), Cedric Leighton Associates

"Dr. Ransome, Anmol Misra, and Brook Schoenfield give you a magic formula in this book - the methodology and process to build security into the entire software development life cycle so that the software is secured at the source! "
—Eric S. Yuan, Zoom Video Communications

There is much publicity regarding network security, but the real cyber Achilles’ heel is insecure software. Millions of software vulnerabilities create a cyber house of cards, in which we conduct our digital lives. In response, security people build ever more elaborate cyber fortresses to protect this vulnerable software. Despite their efforts, cyber fortifications consistently fail to protect our digital treasures. Why? The security industry has failed to engage fully with the creative, innovative people who write software.

Core Software Security expounds developer-centric software security, a holistic process to engage creativity for security. As long as software is developed by humans, it requires the human element to fix it. Developer-centric security is not only feasible but also cost effective and operationally relevant. The methodology builds security into software development, which lies at the heart of our cyber infrastructure. Whatever development method is employed, software must be secured at the source.

Book Highlights:

  • Supplies a practitioner's view of the SDL
  • Considers Agile as a security enabler
  • Covers the privacy elements in an SDL
  • Outlines a holistic business-savvy SDL framework that includes people, process, and technology
  • Highlights the key success factors, deliverables, and metrics for each phase of the SDL
  • Examines cost efficiencies, optimized performance, and organizational structure of a developer-centric software security program and PSIRT
  • Includes a chapter by noted security architect Brook Schoenfield who shares his insights and experiences in applying the book’s SDL framework

View the authors' website at http://www.androidinsecurity.com/


Product Details

ISBN-13: 9781466560963
Publisher: CRC Press
Publication date: 10/03/2018
Sold by: Barnes & Noble
Format: eBook
Pages: 414
File size: 5 MB

About the Author

Dr. James Ransome is the Senior Director of Product Security and responsible for all aspects of McAfee’s Product Security Program, a corporate-wide initiative that supports McAfee’s business units in delivering best-in-class, secure software products to customers. In this role, James sets program strategy, manages security engagements with McAfee business units, maintains key relationships with McAfee product engineers, and works with other leaders to help define and build product security capabilities. His career has been marked by leadership positions in private and public industries, including three chief information security officer (CISO) and four chief security officer (CSO) roles. Prior to entering the corporate world, James had 23 years of government service in various roles supporting the U.S. intelligence community, federal law enforcement, and the Department of Defense.

James holds a Ph.D. in Information Systems. He developed/tested a security model, architecture, and provided leading practices for converged wired/wireless network security for his doctoral dissertation as part of a NSA/DHS Center of Academic Excellence in Information Assurance Education program. He is the author of several books on information security, and Core Software Security: Security at the Source is his 10th. James is a member of Upsilon Pi Epsilon, the International Honor Society for the Computing and Information Disciplines, and he is a Certified Information Security Manager (CISM), a Certified Information Systems Security Professional (CISSP), and a Ponemon Institute Distinguished Fellow.

Anmol Misra is an author and a security professional with a wide range of experience in the field of information security. His expertise includes mobile and application security, vulnerability management, application and infrastructure security assessments, and security code reviews. He is a Program Manager in Cisco’s Information Security group. In this role, he is responsible for developing and implementing security strategy and programs to drive security best practices into all aspects of Cisco’s hosted products. Prior to joining Cisco, Anmol was a Senior Consultant with Ernst & Young LLP. In this role, he advised Fortune 500 clients on defining and improving information security programs and practices. He helped corporations to reduce IT security risk and achieve regulatory compliance by improving their security posture.

Anmol is co-author of Android Security: Attacks and Defenses, and is a contributing author of Defending the Cloud: Waging War in Cyberspace. He holds a master’s degree in Information Networking from Carnegie Mellon University and a Bachelor of Engineering degree in Computer Engineering. He is based out of San Francisco, California.

Table of Contents

Introduction
The Importance and Relevance of Software Security
Software Security and the Software Development Lifecycle
Quality Versus Secure Code
The Three Most Important SDL Security Goals
Threat Modeling and Attack Surface Validation
Chapter Summary—What to Expect from This Book
References

The Secure Development Lifecycle
Overcoming Challenges in Making Software Secure
Software Security Maturity Models
ISO/IEC 27034—Information Technology—Security Techniques—Application Security
Other Resources for SDL Best Practices
     SAFECode 
     U.S. Department of Homeland Security
Software Assurance Program 
     National Institute of Standards and Technology
     MITRE Corporation Common Computer Vulnerabilities and Exposures
     SANS Institute Top Cyber Security Risks 
     U.S. Department of Defense Cyber Security and Information Systems Information Analysis Center (CSIAC) 
     CERT, Bugtraq, and SecurityFocus
Critical Tools and Talent 
     The Tools
     The Talent
Principles of Least Privilege
Privacy
The Importance of Metrics
Mapping the Security Development Lifecycle to the Software Development Lifecycle
Software Development Methodologies 
     Waterfall Development 
     Agile Development
Chapter Summary
References

Security Assessment (A1): SDL Activities and Best Practices
Software Security Team Is Looped in Early
Software Security Hosts a Discovery Meeting
Software Security Team Creates an SDL Project Plan
Privacy Impact Assessment (PIA) Plan Initiated
Security Assessment (A1) Key Success Factors and Metrics 
     Key Success Factors
     Deliverables 
     Metrics
Chapter Summary
References

Architecture (A2): SDL Activities and Best Practices
A2 Policy Compliance Analysis
SDL Policy Assessment and Scoping
Threat Modeling/Architecture Security Analysis 
     Threat Modeling 
     Data Flow Diagrams 
     Architectural Threat Analysis and Ranking of Threats 
     Risk Mitigation
Open-Source Selection
Privacy Information Gathering and Analysis
Key Success Factors and Metrics 
     Key Success Factors 
     Deliverables 
     Metrics
Chapter Summary
References

Design and Development (A3): SDL Activities and Best Practices
A3 Policy Compliance Analysis
Security Test Plan Composition
Threat Model Updating
Design Security Analysis and Review
Privacy Implementation Assessment
Key Success Factors and Metrics
     Key Success Factors
     Deliverables 
     Metrics
Chapter Summary
References

Design and Development (A4): SDL Activities and Best Practices
A4 Policy Compliance Analysis
Security Test Case Execution
Code Review in the SDLC/SDL Process
Security Analysis Tools 
     Static Analysis
     Dynamic Analysis 
     Fuzz Testing 
     Manual Code Review
Key Success Factors
Deliverables
Metrics
Chapter Summary
References

Ship (A5): SDL Activities and Best Practices
A5 Policy Compliance Analysis
Vulnerability Scan
Penetration Testing
Open-Source Licensing Review
Final Security Review
Final Privacy Review
Key Success Factors
Deliverables
Metrics
Chapter Summary
References

Post-Release Support (PRSA1–5)
Right-Sizing Your Software Security Group 
     The Right Organizational Location 
     The Right People 
     The Right Process
PRSA1: External Vulnerability Disclosure Response
     Post-Release PSIRT Response 
     Post-Release Privacy Response 
     Optimizing Post-Release Third-Party Response
PRSA2: Third-Party Reviews
PRSA3: Post-Release Certifications
PRSA4: Internal Review for New Product Combinations or Cloud Deployments
PRSA5: Security Architectural Reviews and Tool-Based Assessments of Current, Legacy, and M&A Products and Solutions 
     Legacy Code 
     Mergers and Acquisitions (M&As)
Key Success Factors
Deliverables
Metrics
Chapter Summary
References

Applying the SDL Framework to the Real World
Introduction
Build Software Securely 
     Produce Secure Code
     Manual Code Review 
     Static Analysis
Determining the Right Activities for Each Project 
     The Seven Determining Questions
Architecture and Design
Testing 
     Functional Testing 
     Dynamic Testing 
     Attack and Penetration Testing
     Independent Testing
Agile: Sprints
Key Success Factors and Metrics
     Secure Coding Training Program 
     Secure Coding Frameworks (APIs) 
     Manual Code Review 
     Independent Code Review and Testing (by Experts or Third Parties) 
     Static Analysis
     Risk Assessment Methodology 
      Integration of SDL with SDLC 
     Development of Architecture Talent
Metrics
Chapter Summary
References

Pulling It All Together: Using the SDL to Prevent Real-World Threats
Strategic, Tactical, and User-Specific Software Attacks
     Strategic Attacks 
     Tactical Attacks 
     User-Specific Attacks
Overcoming Organizational and Business Challenges with a Properly Designed, Managed, and Focused SDL
Software Security Organizational Realities and Leverage
Overcoming SDL Audit and Regulatory Challenges with Proper Governance Management
Future Predications for Software Security 
     The Bad News 
     The Good News
Conclusion
References

Appendix
Index

From the B&N Reads Blog

Customer Reviews