Secure and Resilient Software Development / Edition 1

by Mark S. Merkow, Lakshmikanth Raghavan

ISBN-10: 143982696X

ISBN-13: 9781439826966

Pub. Date: 06/14/2010

Publisher: Taylor & Francis

Although many software books highlight open problems in secure software development, few provide easily actionable, ground-level solutions. Breaking the mold, Secure and Resilient Software Development teaches you how to apply best practices and standards for consistent and secure software development. It details specific quality software development strategies and practices that stress resilience requirements with precise, actionable, and ground-level inputs.

Providing comprehensive coverage, the book illustrates all phases of the secure software development life cycle. It shows developers how to master non-functional requirements including reliability, security, and resilience. The authors provide expert-level guidance through all phases of the process and supply many best practices, principles, testing practices, and design methodologies.

For updates to this book and ongoing activities of interest to the secure and resilient software community, please visit:

"Secure and Resilient Software Development provides a strong foundation for anyone getting started in application security. Most application security books fall into two categories: business-oriented and vague or ridiculously super technical. Mark and Laksh draw on their extensive experience to bridge this gap effectively. The book consistently links important technical concepts back to the business reasons for application security with interesting stories about real companies dealing with application security issues."

—Jeff Williams, Chair, The OWASP Foundation

Product Details

Product dimensions: 6.40(w) x 9.40(h) x 1.00(d)

Table of Contents

How Does Software Fail Thee? Let Us Count the Ways

Vulnerabilities Abound
Security Flaws Are Omnipresent
Cars Have Their Share of Computer Problems Too
Tracing the Roots of Defective Software
What Are the True Costs of Insecure Software to Global Enterprises?
Addressing Security Questions Addresses Resilience

Characteristics of Secure and Resilient Software

Functional Versus Nonfunctional Requirements
Testing Nonfunctional Requirements
Families of Nonfunctional Requirements
Characteristics of Good Requirements
Eliciting Nonfunctional Requirements
Documenting Nonfunctional Requirements

Security and Resilience in the Software Development Life Cycle

Resilience and Security Begin from Within
Requirements Gathering and Analysis
Systems Design and Detailed Design
Functional Decomposition
Categorizing Threats
Ranking Threats
Mitigation Planning
Design Reviews
Development (Coding) Phase
Static Analysis
Peer Review
Unit Testing
Security Training

Proven Best Practices for Resilient Applications

Critical Concepts
The Security Perimeter
Attack Surface
Mapping the Attack Surface
Side Channel Attacks
Application Security and Resilience Principles
Practice 1: Apply Defense in Depth
Practice 2: Use a Positive Security Model
Practice 3: Fail Securely
Practice 4: Run with Least Privilege
Practice 5: Avoid Security by Obscurity
Practice 6: Keep Security Simple
Practice 7: Detect Intrusions
Log All Security-Relevant Information
Ensure That the Logs Are Monitored Regularly
Respond to Intrusions
Practice 8: Don’t Trust Infrastructure
Practice 9: Don’t Trust Services
Practice 10: Establish Secure Defaults
Mapping Best Practices to Nonfunctional Requirements

Designing Applications for Security and Resilience

Design Phase Recommendations
Misuse Case Modeling
Security Design and Architecture Review
Threat and Risk Modeling
Risk Analysis and Modeling
Security Requirements and Test Case Generation
Design to Meet Nonfunctional Requirements
Design Patterns
Architecting for the Web
Architecture and Design Review Checklist

Programming Best Practices

The Evolution of Software Attacks
The OWASP Top 10
A1: Injection
A2: Cross-Site Scripting
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Unvalidated Redirects and Forwards
A9: Insecure Cryptographic Storage
A10: Insufficient Transport Layer Protection
OWASP Enterprise Security API (ESAPI)
Input Validation and Handling
Client-Side Versus Server-Side Validation
Input Sanitization
Examples of Attacks due to Improper Input Handling
Approaches to Validating Input Data
Handling Bad Input
ESAPI Interfaces
Cross-Site Scripting
Same Origin Policy
Attacks Through XSS
Prevention of Cross-Site Scripting
ESAPI Interfaces
Injection Attacks
SQL Injection
Stored Procedures
Identifying SQL Injection and Exploitation
Defending Against SQL Injection
Creating SQL Queries
Additional Controls to Prevent SQL Injection Attacks
ESAPI Interfaces
Authentication and Session Management
Attacking Log-in Functionality
Attacking Password Resets
Attacking Sensitive Transactions
Cross-Site Request Forgery
CSRF Mitigation
Session Management
Attacking Log-out Functionality
Defenses Against Log-out Attacks
Defenses Against Cookie Attacks
Session Identifiers
ESAPI Interfaces
Access Control
Avoiding Security Through Obscurity
Access Control Issues
Testing for Broken Access Control
Defenses Against Access Control Attacks
Administrator Interfaces
Protecting Administrator Interfaces
ESAPI Interfaces
Hashing and Password Security
Attacking the Hash
Precomputed Attacks
Message Authentication Code (MAC)
Home-Grown Algorithms
Randomness and Pseudo-Randomness
ESAPI Interfaces
Error Handling
User Error Messages
Log-in Error Messages—A Case Study
Error Message Differentiation
Developer Error Messages
Information to Be Kept Private
Structured Exception Handling
ESAPI Interfaces
Ajax and Flash
AJAX Application Traffic
AJAX Client Requests
Server Responses
Typical Attacks Against AJAX Applications
Security Recommendations for AJAX Applications
Adobe Flash—Sandbox Security Model
Cross-Domain Policy
Restrict SWF Files Embedded in HTML
Attacking Flash Applications
Securing Flash Applications
Additional Best Practices for Software Resilience
Externalize Variables
EncryptedProperties—Method Summary
Initialize Variables Properly
Do Not Ignore Values Returned by Functions
Avoid Integer Overflows
Top Secure Coding Practices
Fifty Questions to Improve Software Security

Special Considerations for Embedded Systems, Cloud Computing, and Mobile Computing Devices

Embedded Systems
Bad Assumptions About Embedded Systems Programming
New Mantras
The Framework
Distributed Applications/Cloud Computing
Representational State Transfer (REST)
REST Stateless Authentication
Attacking Distributed APIs
Securing Distributed APIs
Mobile Applications
Windows Mobile
Mobile Application Security

Security Testing of Custom Software Applications

Fixing Early Versus Fixing After Release
Testing Phases
Unit Testing
Manual Source Code Review
The Code Review Process
Automated Source Code Analysis
Automated Reviews Compared with Manual Reviews
Commercial and Free Source Code Analyzers
Fortify 360
Acquiring Commercial or Open-Source Analysis Tools
Deployment Strategy
IDE Integration for Developers
Build Integration for Governance
Regulatory Compliance
Benefits of Using Source Code Analyzers
Penetration (Pen) Testing
Penetration Testing Tools
Automated Black Box Scanning
Deployment Strategy
Gray Box Testing
Limitations and Constraints of Pen Testing Tools

Testing Commercial off-the-Shelf Systems

The Problems with Shrink-Wrapped Software
The Common Criteria for Information Technology Security Evaluation
Harmonizing Evaluation Criteria
Key Concepts of the Common Criteria
The Security Framework
The Common Criteria Approach
The Security Environment
The Common Criteria Portal
Criticisms of the CC
The Commercial Community Responds
The BITS/FSTC Security Assurance Initiative
Evaluation Methodology
Certification Criteria
ICSA Labs Testing and Certification Process
Veracode’s VerAfied Software Assurance
Ratings Methodology
Assessing Software for the VerAfied Mark

Implementing Security and Resilience Using CLASP

Comprehensive, Lightweight Application Security Process (CLASP)
CLASP Concepts
Overview of the CLASP Process
CLASP Key Best Practices
Best Practice 1: Institute Awareness Programs
Best Practice 2: Perform Application Assessments
Best Practice 3: Capture Security Requirements
Best Practice 4: Implement Secure Development Practices
Best Practice 5: Build Vulnerability Remediation Procedures
Best Practice 6: Define and Monitor Metrics
Best Practice 7: Publish Operational Security Guidelines
CLASP Security Activities to Augment Software Development Processes
Applying CLASP Security Activities to Roles
Re-engineering Your SDLC for CLASP
Business Objectives
Process Milestones
Process Evaluation Criteria
Forming the Process Re-engineering Team
Sample CLASP Implementation Roadmaps
Green-Field Roadmap
Legacy Roadmap

Metrics and Models for Security and Resilience Maturity

Maturity Models for Security and Resilience
Software Assurance Maturity Model—OpenSAMM
Core Practice Areas
Levels of Maturity
The Building Security In Maturity Model (BSIMM)
BSIMM Software Security Framework
BSIMM Activities
Governance: Strategy and Metrics
Governance: Compliance and Policy
Governance: Training
Intelligence: Attack Models
Intelligence: Security Features and Design
Intelligence: Standards and Requirements
SSDL Touchpoints: Architecture Analysis
SSDL Touchpoints: Code Review
SSDL Touchpoints: Security Testing
Deployment: Penetration Testing
Deployment: Software Environment
Deployment: Configuration Management and Vulnerability Management
Measuring Results with BSIMM
Helpful Resources For Implementing BSIMM
Applying BSIMM to the Financial Services Domain
Working Group Methodology

Taking It to the Streets

Getting Educated
DEVELOPER 530: Defending Web Applications
DEVELOPER 530: Essential Secure Coding in Java/JEE
DEVELOPER 541: Secure Coding in Java/JEE: Developing Defensible Applications
DEVELOPER 542: Web App Penetration Testing and Ethical Hacking
DEVELOPER 544: Secure Coding in .NET: Developing Defensible Applications
DEVELOPER 545: Secure Coding in PHP: Developing Defensible Applications
DEVELOPER 534: Secure Code Review for Java Web Apps
DEVELOPER 543: Secure Coding in C/C++: Developing Defensible Applications
Aspect Security Inc.
CERT Software Engineering Institute (SEI)
SEI Secure Coding in C and C++ Course
Getting Certified
Certified Secure Software Lifecycle Professional (CSSLP)
Why Obtain the CSSLP?
Benefits of Certification to the Professional
Benefits of Certification to the Enterprise
Getting Involved
Web Application Security Consortium
Reaching Out for Research
DHS Research Program Areas
The U.S. Treasury and the FSSCC
Last Call

Appendix A 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

A.1 Brief Listing of the Top 25
A.1.1 Insecure Interaction Between Components
A.1.2 Risky Resource Management
A.1.3 Porous Defenses
A.2 Detailed CWE Descriptions
A.2.1 CWE-79: Failure to Preserve Web Page Structure (“Cross-Site Scripting”)
A.2.2 CWE-89: Improper Sanitization of Special Elements Used in an SQL Command (“SQL Injection”)
A.2.3 CWE-120: Buffer Copy Without Checking Size of Input (“Classic Buffer Overflow”)
A.2.4 CWE-352: Cross-Site Request Forgery (CSRF)
A.2.5 CWE-285: Improper Access Control (Authorization)
A.2.6 CWE-807: Reliance on Untrusted Inputs in a Security Decision
A.2.7 CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
A.2.8 CWE-434: Unrestricted Upload of File with Dangerous Type
A.2.9 CWE-78: Improper Sanitization of Special Elements Used in an OS Command (“OS Command Injection”)
A.2.10 CWE-311: Missing Encryption of Sensitive Data
A.2.11 CWE-798: Use of Hard-Coded Credentials
A.2.12 CWE-805: Buffer Access with Incorrect Length Value
A.2.13 CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (“PHP File Inclusion”)
A.2.14 CWE-129: Improper Validation of Array Index
A.2.15 CWE-754: Improper Check for Unusual or Exceptional Conditions
A.2.16 CWE-209: Information Exposure Through an Error Message
A.2.17 CWE-190: Integer Overflow or Wraparound
A.2.18 CWE-131: Incorrect Calculation of Buffer Size
A.2.19 CWE-306: Missing Authentication for Critical Function
A.2.20 CWE-494: Download of Code Without Integrity Check
A.2.21 CWE-732: Incorrect Permission Assignment for Critical Resource
A.2.22 CWE-770: Allocation of Resources Without Limits or Throttling
A.2.23 CWE-601: URL Redirection to Untrusted Site (“Open Redirect”)
A.2.24 CWE-327: Use of a Broken or Risky Cryptographic Algorithm
A.2.25 CWE-362: Race Condition

Appendix B Enterprise Security API

B.1 Interface Encoder
B.2 Interface User
B.3 Interface Authenticator
B.4 Interface AccessController
B.5 Interface AccessReferenceMap
B.6 Interface Encryptor
B.7 Interface HTTPUtilities
B.8 Interface Logger


Each chapter concludes with a "References" section.
