Download PDF CORE SOFTWARE SECURITY SECURITY AT THE SOURCE by JAMES RANSOME




Synopsis

Welcome to our book about what we believe to be the most important topic in information security for the foreseeable future: software security. In the following sections, we will cover five major topics that highlight the need, value, and challenges of software security. This will set the stage for the remainder of the book, where we describe our model for software security: building security into your software using an operationally relevant and manageable security development lifecycle (SDL) that is applicable to all software development lifecycles (SDLCs). The topics and reasons for including them in this introductory chapter are listed below.

  1. The importance and relevance of software security. Software is critical to everything we do in the modern world and is behind our most critical systems. As such, it is imperative that it be secure by design. Most information technology (IT)-related security solutions have been developed to mitigate the risk caused by insecure software. To justify a software security program, the importance and relevance of the monetary costs and other risks for not building security into your software must be known, as well as the importance, relevance, and costs for building security in. At the end of the day, software security is as much a business decision as it is about avoiding security risks.
  2. Software security and the software development lifecycle. It is important to know the difference between what are generally known in software development as software security and application security. Although these terms are often used interchangeably, we differentiate between them because we believe there is a distinct difference in managing programs for these two purposes. In our model, software security is about building security into the software through an SDL in an SDLC, whereas application security is about protecting the software and the systems on which it runs after release.
  3. Quality versus secure code. Although secure code is not necessarily quality code, and quality code is not necessarily secure code, the development process for producing software is based on the principles of both quality and secure code. You cannot have quality code without security or security without quality, and their attributes complement each other. At a minimum, quality and software security programs should be collaborating closely during the development process; ideally, they should be part of the same organization and both part of the software development engineering department. We will discuss this organizational and operational perspective later in the book.
  4. The three most important SDL security goals. At the core of all software security analysis and implementation are three core elements of security: confidentiality, integrity, and availability, also known as the C.I.A. model. To ensure high confidence that the software being developed is secure, these three attributes must be adhered to as key components throughout the SDL.
  5. Threat modeling and attack surface validation. The most time-consuming and misunderstood part of the SDL is threat modeling and attack surface validation. In today’s world of Agile development, you must get this right or you will likely fail to make your software secure. Threat modeling and attack surface validation throughout the SDL will maximize your potential to alleviate post-release discovery of security vulnerabilities in your software product. We believe this function to be so important that we have dedicated an SDL section and a separate chapter to this topic.



Content

  1. Introduction
  2. The Secure Development Lifecycle
  3. Security Assessment (A1): SDL Activities and Best Practices
  4. Architecture (A2): SDL Activities and Best Practices
  5. Design and Development (A3): SDL Activities and Best Practices
  6. Design and Development (A4): SDL Activities and Best Practices
  7. Ship (A5): SDL Activities and Best Practices
  8. Post-Release Support (PRSA1–5)
  9. Applying the SDL Framework to the Real World
  10. Pulling It All Together: Using the SDL to Prevent Real-World Threats


