MARC details
| Field | Subfield | Value |
|---|---|---|
| 000 - LEADER | fixed length control field | 08052cam a2200373 i 4500 |
| 001 - CONTROL NUMBER | control field | 16178380 |
| 005 - DATE AND TIME OF LATEST TRANSACTION | control field | 20210427094150.0 |
| 008 - FIXED-LENGTH DATA ELEMENTS--GENERAL INFORMATION | fixed length control field | 100408s2010 flua b 001 0 eng |
| 010 ## - LIBRARY OF CONGRESS CONTROL NUMBER | LC control number | 2010013383 |
| 020 ## - INTERNATIONAL STANDARD BOOK NUMBER | International Standard Book Number | 9781439826966 (hardcover : alk. paper) |
| 020 ## - INTERNATIONAL STANDARD BOOK NUMBER | International Standard Book Number | 143982696X (hardcover : alk. paper) |
| 040 ## - CATALOGING SOURCE | Original cataloging agency | DLC |
| 040 ## - CATALOGING SOURCE | Transcribing agency | DLC |
| 040 ## - CATALOGING SOURCE | Modifying agency | YDX |
| 040 ## - CATALOGING SOURCE | Modifying agency | BTCTA |
| 040 ## - CATALOGING SOURCE | Modifying agency | YDXCP |
| 040 ## - CATALOGING SOURCE | Modifying agency | BWX |
| 040 ## - CATALOGING SOURCE | Modifying agency | CDX |
| 040 ## - CATALOGING SOURCE | Modifying agency | DLC |
| 040 ## - CATALOGING SOURCE | Description conventions | rda |
| 050 00 - LIBRARY OF CONGRESS CALL NUMBER | Classification number | QA76.76.D47 |
| 050 00 - LIBRARY OF CONGRESS CALL NUMBER | Item number | M466 2010 |
| 082 00 - DEWEY DECIMAL CLASSIFICATION NUMBER | Classification number | 005.8 |
| 082 00 - DEWEY DECIMAL CLASSIFICATION NUMBER | Edition number | 22 |
| 082 00 - DEWEY DECIMAL CLASSIFICATION NUMBER | Item number | M.M.S |
| 100 1# - MAIN ENTRY--PERSONAL NAME | Personal name | Merkow, Mark S. |
| 245 10 - TITLE STATEMENT | Title | Secure and resilient software development / |
| 245 10 - TITLE STATEMENT | Statement of responsibility, etc | Mark S. Merkow, Lakshmikanth Raghavan. |
| 264 #1 - PUBLICATION, DISTRIBUTION, ETC. (IMPRINT) | Place of publication, distribution, etc | Boca Raton, FL : |
| 264 #1 - PUBLICATION, DISTRIBUTION, ETC. (IMPRINT) | Name of publisher, distributor, etc | CRC Press, |
| 264 #1 - PUBLICATION, DISTRIBUTION, ETC. (IMPRINT) | Date of publication, distribution, etc | c2010. |
| 300 ## - PHYSICAL DESCRIPTION | Extent | xxiv, 368 pages. : |
| 300 ## - PHYSICAL DESCRIPTION | Other physical details | illustrations. ; |
| 300 ## - PHYSICAL DESCRIPTION | Dimensions | 25 cm. |
| 336 ## - CONTENT TYPE | Source | rdacontent |
| 336 ## - CONTENT TYPE | Content type term | text |
| 337 ## - MEDIA TYPE | Source | rdamedia |
| 337 ## - MEDIA TYPE | Media type term | unmediated |
| 338 ## - CARRIER TYPE | Source | rdacarrier |
| 338 ## - CARRIER TYPE | Carrier type term | volume |
| 504 ## - BIBLIOGRAPHY, ETC. NOTE | Bibliography, etc | Includes bibliographical references and index. |
| 505 0# - FORMATTED CONTENTS NOTE | Formatted contents note | Chapter 1 How Does Software Fail Thee? Let Us Count the Ways -- Chapter Overview -- 1.1 Vulnerabilities Abound -- 1.1.1 Security Flaws Are Omnipresent -- 1.1.2 Cars Have their Share of Computer Problems Too -- 1.2 Tracing the Roots of Defective Software -- 1.3 What Are the True Costs of Insecure Software to Global Enterprises? -- 1.4 Addressing Security Questions Addresses Resilience |
| 505 0# - FORMATTED CONTENTS NOTE | Formatted contents note | Chapter 2 Characteristics of Secure and Resilient Software -- Chapter Overview -- 2.1 Functional Versus Nonfunctional Requirements -- 2.2 Testing Nonfunctional Requirements -- 2.3 Families of Nonfunctional Requirements -- 2.4 Availability -- Availability Levels and Measurements -- 2.5 Capacity -- 2.6 Efficiency -- 2.7 Interoperability -- 2.8 Manageability -- 2.9 Cohesion -- 2.10 Coupling -- 2.11 Maintainability -- 2.12 Performance -- 2.13 Portability -- 2.14 Privacy -- 2.15 Recoverability -- 2.16 Reliability -- 2.17 Scalability -- 2.18 Security -- 2.19 Serviceability/Supportability -- 2.20 Characteristics of Good Requirements -- 2.21 Eliciting Nonfunctional Requirements -- 2.22 Documenting Nonfunctional Requirements |
| 505 0# - FORMATTED CONTENTS NOTE | Formatted contents note | Figure 2.1 -- Table 2.1 -- Table 2.2 -- Table 2.3 -- Chapter 3 Security and Resilience in the Software Development Life Cycle -- Chapter Overview -- 3.1 Resilience and Security Begin from Within -- 3.2 Requirements Gathering and Analysis -- 3.3 Systems Design and Detailed Design -- 3.3.1 Functional Decomposition -- 3.3.2 Categorizing Threats -- 3.3.3 Ranking Threats -- 3.3.4 Mitigation Planning -- 3.4 Design Reviews -- 3.5 Development (Coding) Phase -- 3.5.1 Static Analysis -- 3.5.2 Peer Review -- 3.5.3 Unit Testing -- 3.6 Testing -- 3.7 Deployment -- 3.8 Security Training -- Summary -- 3.9 References -- Figure 3.1 -- Figure 3.2 -- Figure 3.3 -- Figure 3.4 -- Figure 3.5 -- Figure 3.6 -- Chapter 4 Proven Best Practices for Resilient Applications -- Chapter Overview -- 4.1 Critical Concepts -- 4.2 The Security Perimeter -- 4.3 Attack Surface -- 4.3.1 Mapping the Attack Surface -- 4.3.2 Side Channel Attacks -- 4.4 Application Security and Resilience Principles -- 4.5 Practice 1: Apply Defense in Depth -- 4.6 Practice 2: Use a Positive Security Model -- 4.7 Practice 3: Fail Securely -- 4.8 Practice 4: Run with Least Privilege -- 4.9 Practice 5: Avoid Security by Obscurity -- 4.10 Practice 6: Keep Security Simple -- 4.11 Practice 7: Detect Intrusions -- 4.11.1 Log All Security-Relevant Information -- 4.11.2 Ensure That the Logs Are Monitored Regularly -- 4.11.3 Respond to Intrusions -- 4.12 Practice 8: Don’t Trust Infrastructure -- 4.13 Practice 9: Don’t Trust Services -- 4.14 Practice 10: Establish Secure Defaults -- 4.15 Mapping Best Practices to Nonfunctional Requirements -- Summary |
| 505 0# - FORMATTED CONTENTS NOTE | Formatted contents note | 4.16 References -- Figure 4.1 -- Figure 4.2 -- Table 4.1 -- Chapter 5 Designing Applications for Security and Resilience -- Overview -- 5.1 Design Phase Recommendations -- 5.1.1 Misuse Case Modeling -- 5.1.2 Security Design and Architecture Review -- 5.1.3 Threat and Risk Modeling -- 5.1.4 Risk Analysis and Modeling -- 5.1.5 Security Requirements and Test Case Generation -- 5.2 Design to Meet Nonfunctional Requirements -- 5.3 Design Patterns -- 5.4 Architecting for the Web -- 5.5 Architecture and Design Review Checklist -- Summary -- 5.6 References -- Figure 5.1 -- Table 5.1 -- Table 5.2 -- Chapter 6 Programming Best Practices -- Chapter Overview -- 6.1 The Evolution of Software Attacks -- 6.2 The OWASP Top 10 -- 6.2.1 A1: Injection -- 6.2.2 A2: Cross-Site Scripting -- 6.2.3 A3: Broken Authentication and Session Management -- 6.2.4 A4: Insecure Direct Object References -- 6.2.5 A5: Cross-Site Request Forgery -- 6.2.6 A6: Security Misconfiguration -- 6.2.7 A7: Failure to Restrict URL Access -- 6.2.8 A8: Unvalidated Redirects and Forwards -- 6.2.9 A9: Insecure Cryptographic Storage -- 6.2.10 A10: Insufficient Transport Layer Protection -- 6.3 OWASP Enterprise Security API (ESAPI) -- 6.3.1 Input Validation and Handling -- 6.3.2 Client-Side Versus Server-Side Validation -- 6.3.3 Input Sanitization -- 6.3.4 Canonicalization -- 6.3.5 Examples of Attacks due to Improper Input Handling -- 6.3.5.1 Buffer Overflow -- 6.3.5.2 OS Commanding -- 6.3.6 Approaches to Validating Input Data -- 6.3.6.1 Exact Match Validation -- 6.3.6.2 Known Good Validation -- 6.3.6.3 Known Bad Validation -- 6.3.7 Handling Bad Input -- 6.3.8 ESAPI Interfaces -- 6.4 Cross-Site Scripting -- 6.4.1 Same Origin Policy -- 6.4.2 Attacks Through XSS -- 6.4.2.1 Persistent Attacks -- 6.4.2.2 Nonpersistent Attacks -- 6.4.2.3 DOM-Based Attacks -- 6.4.3 Prevention of Cross-Site Scripting -- 6.4.4 ESAPI Interfaces -- 6.5 Injection Attacks -- 6.5.1 SQL Injection -- 6.5.2 Stored Procedures -- 6.5.3 Identifying SQL Injection and Exploitation -- 6.5.3.1 SQL Injection -- 6.5.3.2 Blind SQL Injection -- 6.5.4 Defending Against SQL Injection -- 6.5.5 Creating SQL Queries -- 6.5.6 Additional Controls to Prevent SQL Injection Attacks -- 6.5.7 ESAPI Interfaces -- 6.6 Authentication and Session Management -- 6.6.1 Attacking Log-in Functionality -- 6.6.2 Attacking Password Resets -- 6.6.3 Attacking Sensitive Transactions -- 6.7 Cross-Site Request Forgery -- 6.7.1 CSRF Mitigation -- 6.8 Session Management -- 6.8.1 Attacking Log-out Functionality -- 6.8.2 Defenses Against Log-out Attacks -- 6.8.3 Defenses Against Cookie Attacks -- 6.8.4 Session Identifiers -- 6.8.4.1 Attacking a Session Identifier -- 6.8.4.2 Defenses Against Session ID Attacks -- 6.8.5 ESAPI Interfaces -- 6.9 Access Control -- 6.9.1 Avoiding Security Through Obscurity -- 6.9.2 Access Control Issues -- 6.9.3 Testing for Broken Access Control -- 6.9.4 Defenses Against Access Control Attacks -- 6.9.5 Administrator Interfaces -- 6.9.6 Protecting Administrator Interfaces -- 6.9.7 ESAPI Interfaces -- 6.10 Cryptography -- 6.10.1 Hashing and Password Security -- 6.10.2 Attacking the Hash -- 6.10.3 Precomputed Attacks -- 6.10.4 Message Authentication Code (MAC) -- 6.10.5 Home-Grown Algorithms -- 6.10.6 Randomness and Pseudo-Randomness -- 6.10.7 ESAPI Interfaces -- 6.11 Error Handling -- 6.11.1 User Error Messages -- 6.11.2 Log-in Error Messages—A Case Study -- 6.11.3 Error Message Differentiation -- 6.11.4 Developer Error Messages -- 6.11.5 Information to Be Kept Private -- 6.11.6 Structured Exception Handling -- 6.11.7 ESAPI Interfaces -- 6.12 Ajax and Flash -- 6.12.1 AJAX Application Traffic -- 6.12.2 AJAX Client Requests -- 6.12.3 Server Responses -- 6.12.4 Typical Attacks Against AJAX Applications -- 6.12.5 Security Recommendations for AJAX Applications -- 6.12.6 Adobe Flash—Sandbox Security Model -- 6.12.7 Cross-Domain Policy -- 6.12.8 Restrict SWF Files Embedded in HTML -- 6.12.9 Attacking Flash Applications -- 6.12.10 Securing Flash Applications -- 6.13 Additional Best Practices for Software Resilience -- 6.13.1 Externalize Variables -- 6.13.2 EncryptedProperties—Method Summary -- 6.13.3 Initialize Variables Properly -- 6.13.4 Do Not Ignore Values Returned by Functions -- 6.13.5 Avoid Integer Overflows -- 6.14 Top 10 Secure Coding Practices -- 6.15 Fifty Questions to Improve Software Security -- Summary -- 6.16 References -- Figure 6.1 -- Figure 6.2 -- Figure 6.3 -- Figure 6.4 -- Figure 6.5 -- Figure 6.6 -- Figure 6.7 -- Table 6.1 -- Table 6.2 -- Table 6.3 -- Table 6.4 -- Table 6.5 -- Table 6.6 -- Table 6.7 -- Table 6.8 |
| 650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | Topical term or geographic name as entry element | Computer software |
| 650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | General subdivision | Development. |
| 650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | Topical term or geographic name as entry element | Computer software |
| 650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | General subdivision | Reliability. |
| 650 #0 - SUBJECT ADDED ENTRY--TOPICAL TERM | Topical term or geographic name as entry element | Computer security. |
| 700 1# - ADDED ENTRY--PERSONAL NAME | Personal name | Raghavan, Lakshmikanth. |
| 942 ## - ADDED ENTRY ELEMENTS (KOHA) | Koha item type | Books |
| 942 ## - ADDED ENTRY ELEMENTS (KOHA) | Source of classification or shelving scheme | Dewey Decimal Classification |