Enterprise Software Security : A Confluence of Disciplines (Software Security)

  • Binding: Paperback, 301 pages
  • Language: ENG
  • Product code: 9780321604118
  • DDC classification: 005

Full Description

STRENGTHEN SOFTWARE SECURITY BY HELPING DEVELOPERS AND SECURITY EXPERTS WORK TOGETHER

Traditional approaches to securing software are inadequate. The solution: bring software engineering and network security teams together in a new, holistic approach to protecting the entire enterprise. Now, four highly respected security experts explain why this "confluence" is so crucial, and show how to implement it in your organization. Writing for all software and security practitioners and leaders, they show how software can play a vital, active role in protecting your organization. You'll learn how to construct software that actively safeguards sensitive data and business processes and contributes to intrusion detection and response in sophisticated new ways. The authors cover the entire development lifecycle, including project inception, design, implementation, testing, deployment, operation, and maintenance. They also provide a full chapter of advice specifically for Chief Information Security Officers and other enterprise security executives. Whatever your software security responsibilities, Enterprise Software Security delivers indispensable big-picture guidance and specific, high-value recommendations you can apply right now.

COVERAGE INCLUDES:

  • Overcoming common obstacles to collaboration between developers and IT security professionals
  • Helping programmers design, write, deploy, and operate more secure software
  • Helping network security engineers use application output more effectively
  • Organizing a software security team before you've even created requirements
  • Avoiding the unmanageable complexity and inherent flaws of layered security
  • Implementing positive software design practices and identifying security defects in existing designs
  • Teaming to improve code reviews, clarify attack scenarios associated with vulnerable code, and validate positive compliance
  • Moving beyond pentesting toward more comprehensive security testing
  • Integrating your new application with your existing security infrastructure
  • "Ruggedizing" DevOps by adding infosec to the relationship between development and operations
  • Protecting application security during maintenance

Contents

Preface xiii

  • 1 Introduction to the Problem 1
      Our Shared Predicament Today 2
      Why Are We in This Security Mess? 5
      Ancient History 7
      All Together Now 11
      The Status Quo: A Great Divide 15
      What's Wrong with This Picture? 20
      Wait, It Gets Worse 25
      Stressing the Positive 27
      Summing Up 30
      Endnotes 31
  • 2 Project Inception 33
      Without a Formal Software Security Process-The Norm Today 34
      The Case for a Project Security Team 42
      Tasks for the Project Security Team 43
      Putting Together the Project Security Team 50
      Roles to Cover on the Security Team 51
      Some Final Practical Considerations about Project Security Teams 64
      Summing Up 67
      Endnotes 68
  • 3 Design Activities 71
      Security Tiers 72
      On Confluence 76
      Requirements 78
      Specifications 98
      Design and Architecture 100
      It's Already Designed 112
      Deployment and Operations Planning 115
      Summing Up 121
      Endnotes 121
  • 4 Implementation Activities 123
      Confluence 123
      Stress the Positive and Strike the Balance 124
      Security Mechanisms and Controls 126
      Code Reuse 146
      Coding Resources 148
      Implementing Security Tiers 152
      Code Reviews 154
      A Day in the Life of a Servlet 157
      Summing Up 167
      Endnotes 167
  • 5 Testing Activities 169
      A Few Questions about Security Testing 170
      Tools of the Trade 180
      Security Bug Life Cycle 185
      Summing Up 191
      Endnotes 192
  • 6 Deployment and Integration 193
      How Does Deployment Relate to Confluence? 194
      A Road Map 194
      Advanced Topics in Deployment 198
      Integrating with the Security Operations Infrastructure 200
      Third-Generation Log Analysis Tools 213
      Retrofitting Legacy and Third-Party Components 216
      Notes for Small Shops or Individuals 217
      Summing Up 219
      Endnotes 220
  • 7 Operating Software Securely 221
      Adjusting Security Thresholds 222
      Dealing with IDS in Operations 230
      Identifying Critical Applications 236
      CSIRT Utilization 237
      Notes for Small Shops or Individuals 238
      Summing Up 240
  • 8 Maintaining Software Securely 241
      Common Pitfalls 243
      How Does Maintaining Software Securely Relate to Confluence? 248
      Learning from History 249
      Evolving Threats 251
      The Security Patch 254
      Special Cases 256
      How Does Maintaining Software Securely Fit into Security SDLCs? 259
      Summing Up 261
      Endnotes 262
  • 9 The View from the Center 263
      Ideas for Encouraging Confluent Application Development 265
      Toward a Confluent Network 269
      Security Awareness and Training 273
      Policies, Standards, and Guidelines 274
      The Role of Other Departments and Corporate Entities 275
      Resource Budgeting and Strategic Planning for Confluence 277
      Assessment Tools and Techniques 279
      Mobile Plans-Postmortem Interviews 289
      Notes for Small Shops or Individuals 292
      Summing Up 292
      Endnotes 293

Index 295