Enterprise Software Security - Kenneth R. van Wyk, Mark G. Graff, Dan S. Peters, Diana L. Burley

Enterprise Software Security

A Confluence of Disciplines
Buch | Softcover
320 Seiten
2014
Addison-Wesley Educational Publishers Inc (Verlag)
978-0-321-60411-8 (ISBN)
42,70 inkl. MwSt
  • Titel ist leider vergriffen;
    keine Neuauflage
  • Artikel merken
STRENGTHEN SOFTWARE SECURITY BY HELPING DEVELOPERS AND SECURITY EXPERTS WORK TOGETHER

 

Traditional approaches to securing software are inadequate. The solution: Bring software engineering and network security teams together in a new, holistic approach to protecting the entire enterprise. Now, four highly respected security experts explain why this “confluence” is so crucial, and show how to implement it in your organization.

 

Writing for all software and security practitioners and leaders, they show how software can play a vital, active role in protecting your organization. You’ll learn how to construct software that actively safeguards sensitive data and business processes and contributes to intrusion detection/response in sophisticated new ways. The authors cover the entire development lifecycle, including project inception, design, implementation, testing, deployment, operation, and maintenance. They also provide a full chapter of advice specifically for Chief Information Security Officers and other enterprise security executives.


Whatever your software security responsibilities, Enterprise Software Security delivers indispensable big-picture guidance–and specific, high-value recommendations you can apply right now.

 

COVERAGE INCLUDES:


• Overcoming common obstacles to collaboration between developers and IT security professionals
• Helping programmers design, write, deploy, and operate more secure software
• Helping network security engineers use application output more effectively
• Organizing a software security team before you’ve even created requirements
• Avoiding the unmanageable complexity and inherent flaws of layered security
• Implementing positive software design practices and identifying security defects in existing designs
• Teaming to improve code reviews, clarify attack scenarios associated with vulnerable code, and validate positive compliance
• Moving beyond pentesting toward more comprehensive security testing
• Integrating your new application with your existing security infrastructure
• “Ruggedizing” DevOps by adding infosec to the relationship between development and operations
• Protecting application security during maintenance

Kenneth R. van Wyk is a career security guy, having started with Carnegie Mellon University’s CERT/CC in the late 1980s and subsequently worked for the United States Department of Defense and in several senior technologist roles in the commercial sector. He is the co-author of two popular O’Reilly and Associates books on incident response and secure coding. He now owns and runs KRvW Associates, LLC, a software security consulting and training practice in Virginia, USA. Mark G. Graff is the CISO of NASDAQ OMX. Formerly the chief cybersecurity strategist at Lawrence Livermore National Laboratory, he has appeared as an expert witness on computer security before Congress and analyzed electronic voting machine software security for the state of California. A past chairman of the International Forum of Incident Response and Security Teams (FIRST), Graff has lectured on risk analysis, the future of cyber security, and privacy before the American Academy for the Advancement of Science, the Federal Communications Commission (FCC), the Pentagon, and many U.S. national security facilities and think tanks. Dan S. Peters has been involved with security for longer than he had first expected when he stumbled into this field out of curiosity while making a good living as a consultant and a commercial software developer. Many security disciplines are exciting to him, but mobile security has been the most intriguing topic as of late. Before working on this book, Dan repeatedly shared his passion for security in conference presentations and numerous publications. Diana L. Burley, Ph.D., is an award-winning cyber-security workforce expert who has been honored by the U.S. Federal CIO Council and was named the CISSE 2014 Cybersecurity Educator of the Year. As a professor, researcher, and consultant on IT use and workforce development for nearly 20 years, she passionately promotes a holistic view of cyber security to influence education, policy, and practice from her home in the Washington, D.C., region.

Preface   xiii


1 Introduction to the Problem 1


Our Shared Predicament Today 2
Why Are We in This Security Mess?   5
Ancient History   7
All Together Now   11
The Status Quo: A Great Divide   15
What’s Wrong with This Picture?   20
Wait, It Gets Worse   25
Stressing the Positive   27
Summing Up   30
Endnotes   31


2 Project Inception   33


Without a Formal Software Security Process–The Norm Today 34
The Case for a Project Security Team   42
Tasks for the Project Security Team   43
Putting Together the Project Security Team   50
Roles to Cover on the Security Team   51
Some Final Practical Considerations about Project Security Teams   64
Summing Up   67
Endnotes   68


3 Design Activities 71


Security Tiers   72
On Confluence   76
Requirements   78
Specifications   98
Design and Architecture 100
It’s Already Designed   112
Deployment and Operations Planning   115
Summing Up   121
Endnotes   121


4 Implementation Activities 123


Confluence   123
Stress the Positive and Strike the Balance 124
Security Mechanisms and Controls   126
Code Reuse   146
Coding Resources   148
Implementing Security Tiers 152
Code Reviews   154
A Day in the Life of a Servlet 157
Summing Up   167
Endnotes   167


5 Testing Activities 169


A Few Questions about Security Testing 170
Tools of the Trade   180
Security Bug Life Cycle   185
Summing Up   191
Endnotes   192


6 Deployment and Integration 193


How Does Deployment Relate to Confluence?   194
A Road Map   194
Advanced Topics in Deployment 198
Integrating with the Security Operations Infrastructure 200
Third-Generation Log Analysis Tools   213
Retrofitting Legacy and Third-Party Components   216
Notes for Small Shops or Individuals   217
Summing Up   219
Endnotes   220


7 Operating Software Securely   221


Adjusting Security Thresholds   222
Dealing with IDS in Operations   230
Identifying Critical Applications   236
CSIRT Utilization   237
Notes for Small Shops or Individuals 238
Summing Up   240


8 Maintaining Software Securely 241


Common Pitfalls   243
How Does Maintaining Software Securely Relate to Confluence?   248
Learning from History   249
Evolving Threats   251
The Security Patch   254
Special Cases   256
How Does Maintaining Software Securely Fit into Security SDLCs?   259
Summing Up   261
Endnotes   262


9 The View from the Center 263


Ideas for Encouraging Confluent Application Development 265
Toward a Confluent Network   269
Security Awareness and Training   273
Policies, Standards, and Guidelines   274
The Role of Other Departments and Corporate Entities 275
Resource Budgeting and Strategic Planning for Confluence   277
Assessment Tools and Techniques   279
Mobile Plans–Postmortem Interviews   289
Notes for Small Shops or Individuals   292
Summing Up   292
Endnotes   293


Index 295

Verlagsort New Jersey
Sprache englisch
Maße 180 x 231 mm
Gewicht 514 g
Themenwelt Mathematik / Informatik Informatik Datenbanken
Informatik Netzwerke Sicherheit / Firewall
Informatik Office Programme Outlook
ISBN-10 0-321-60411-3 / 0321604113
ISBN-13 978-0-321-60411-8 / 9780321604118
Zustand Neuware
Haben Sie eine Frage zum Produkt?
Mehr entdecken
aus dem Bereich
Das Lehrbuch für Konzepte, Prinzipien, Mechanismen, Architekturen und …

von Norbert Pohlmann

Buch | Softcover (2022)
Springer Vieweg (Verlag)
34,99
Management der Informationssicherheit und Vorbereitung auf die …

von Michael Brenner; Nils gentschen Felde; Wolfgang Hommel

Buch (2024)
Carl Hanser (Verlag)
69,99

von Chaos Computer Club

Buch | Softcover (2024)
KATAPULT Verlag
28,00