Secure and resilient software development / Mark S. Merkow, Lakshmikanth Raghavan.
Material type: Text
Publisher: Boca Raton, FL : CRC Press, c2010
Description: xxiv, 368 pages : illustrations ; 25 cm
Content type: text. Media type: unmediated. Carrier type: volume.
ISBN: 9781439826966 (hardcover : alk. paper); 143982696X (hardcover : alk. paper)
Dewey classification: 005.8 22 M.M.S
LC classification: QA76.76.D47 M466 2010
| Item type | Current library | Collection | Call number | Status | Date due | Barcode |
|---|---|---|---|---|---|---|
| Books | Main library A2 | Computers & Information Technology (Computer Science) | 005.8 M.M.S | Available | | 00009312 |
Includes bibliographical references and index.
Chapter 1 How Does Software Fail Thee? Let Us Count the Ways
Chapter Overview
1.1 Vulnerabilities Abound
1.1.1 Security Flaws Are Omnipresent
1.1.2 Cars Have Their Share of Computer Problems Too
1.2 Tracing the Roots of Defective Software
1.3 What Are the True Costs of Insecure Software to Global Enterprises?
1.4 Addressing Security Questions Addresses Resilience
Chapter 2 Characteristics of Secure and Resilient Software
Chapter Overview
2.1 Functional Versus Nonfunctional Requirements
2.2 Testing Nonfunctional Requirements
2.3 Families of Nonfunctional Requirements
2.4 Availability
Availability Levels and Measurements
2.5 Capacity
2.6 Efficiency
2.7 Interoperability
2.8 Manageability
2.9 Cohesion
2.10 Coupling
2.11 Maintainability
2.12 Performance
2.13 Portability
2.14 Privacy
2.15 Recoverability
2.16 Reliability
2.17 Scalability
2.18 Security
2.19 Serviceability/Supportability
2.20 Characteristics of Good Requirements
2.21 Eliciting Nonfunctional Requirements
2.22 Documenting Nonfunctional Requirements
Figure 2.1
Table 2.1
Table 2.2
Table 2.3
Chapter 3 Security and Resilience in the Software Development Life Cycle
Chapter Overview
3.1 Resilience and Security Begin from Within
3.2 Requirements Gathering and Analysis
3.3 Systems Design and Detailed Design
3.3.1 Functional Decomposition
3.3.2 Categorizing Threats
3.3.3 Ranking Threats
3.3.4 Mitigation Planning
3.4 Design Reviews
3.5 Development (Coding) Phase
3.5.1 Static Analysis
3.5.2 Peer Review
3.5.3 Unit Testing
3.6 Testing
3.7 Deployment
3.8 Security Training
Summary
3.9 References
Figure 3.1
Figure 3.2
Figure 3.3
Figure 3.4
Figure 3.5
Figure 3.6
Chapter 4 Proven Best Practices for Resilient Applications
Chapter Overview
4.1 Critical Concepts
4.2 The Security Perimeter
4.3 Attack Surface
4.3.1 Mapping the Attack Surface
4.3.2 Side Channel Attacks
4.4 Application Security and Resilience Principles
4.5 Practice 1: Apply Defense in Depth
4.6 Practice 2: Use a Positive Security Model
4.7 Practice 3: Fail Securely
4.8 Practice 4: Run with Least Privilege
4.9 Practice 5: Avoid Security by Obscurity
4.10 Practice 6: Keep Security Simple
4.11 Practice 7: Detect Intrusions
4.11.1 Log All Security-Relevant Information
4.11.2 Ensure That the Logs Are Monitored Regularly
4.11.3 Respond to Intrusions
4.12 Practice 8: Don’t Trust Infrastructure
4.13 Practice 9: Don’t Trust Services
4.14 Practice 10: Establish Secure Defaults
4.15 Mapping Best Practices to Nonfunctional Requirements
Summary
4.16 References
Figure 4.1
Figure 4.2
Table 4.1
Chapter 5 Designing Applications for Security and Resilience
Overview
5.1 Design Phase Recommendations
5.1.1 Misuse Case Modeling
5.1.2 Security Design and Architecture Review
5.1.3 Threat and Risk Modeling
5.1.4 Risk Analysis and Modeling
5.1.5 Security Requirements and Test Case Generation
5.2 Design to Meet Nonfunctional Requirements
5.3 Design Patterns
5.4 Architecting for the Web
5.5 Architecture and Design Review Checklist
Summary
5.6 References
Figure 5.1
Table 5.1
Table 5.2
Chapter 6 Programming Best Practices
Chapter Overview
6.1 The Evolution of Software Attacks
6.2 The OWASP Top 10
6.2.1 A1: Injection
6.2.2 A2: Cross-Site Scripting
6.2.3 A3: Broken Authentication and Session Management
6.2.4 A4: Insecure Direct Object References
6.2.5 A5: Cross-Site Request Forgery
6.2.6 A6: Security Misconfiguration
6.2.7 A7: Failure to Restrict URL Access
6.2.8 A8: Unvalidated Redirects and Forwards
6.2.9 A9: Insecure Cryptographic Storage
6.2.10 A10: Insufficient Transport Layer Protection
6.3 OWASP Enterprise Security API (ESAPI)
6.3.1 Input Validation and Handling
6.3.2 Client-Side Versus Server-Side Validation
6.3.3 Input Sanitization
6.3.4 Canonicalization
6.3.5 Examples of Attacks due to Improper Input Handling
6.3.5.1 Buffer Overflow
6.3.5.2 OS Commanding
6.3.6 Approaches to Validating Input Data
6.3.6.1 Exact Match Validation
6.3.6.2 Known Good Validation
6.3.6.3 Known Bad Validation
6.3.7 Handling Bad Input
6.3.8 ESAPI Interfaces
6.4 Cross-Site Scripting
6.4.1 Same Origin Policy
6.4.2 Attacks Through XSS
6.4.2.1 Persistent Attacks
6.4.2.2 Nonpersistent Attacks
6.4.2.3 DOM-Based Attacks
6.4.3 Prevention of Cross-Site Scripting
6.4.4 ESAPI Interfaces
6.5 Injection Attacks
6.5.1 SQL Injection
6.5.2 Stored Procedures
6.5.3 Identifying SQL Injection and Exploitation
6.5.3.1 SQL Injection
6.5.3.2 Blind SQL Injection
6.5.4 Defending Against SQL Injection
6.5.5 Creating SQL Queries
6.5.6 Additional Controls to Prevent SQL Injection Attacks
6.5.7 ESAPI Interfaces
6.6 Authentication and Session Management
6.6.1 Attacking Log-in Functionality
6.6.2 Attacking Password Resets
6.6.3 Attacking Sensitive Transactions
6.7 Cross-Site Request Forgery
6.7.1 CSRF Mitigation
6.8 Session Management
6.8.1 Attacking Log-out Functionality
6.8.2 Defenses Against Log-out Attacks
6.8.3 Defenses Against Cookie Attacks
6.8.4 Session Identifiers
6.8.4.1 Attacking a Session Identifier
6.8.4.2 Defenses Against Session ID Attacks
6.8.5 ESAPI Interfaces
6.9 Access Control
6.9.1 Avoiding Security Through Obscurity
6.9.2 Access Control Issues
6.9.3 Testing for Broken Access Control
6.9.4 Defenses Against Access Control Attacks
6.9.5 Administrator Interfaces
6.9.6 Protecting Administrator Interfaces
6.9.7 ESAPI Interfaces
6.10 Cryptography
6.10.1 Hashing and Password Security
6.10.2 Attacking the Hash
6.10.3 Precomputed Attacks
6.10.4 Message Authentication Code (MAC)
6.10.5 Home-Grown Algorithms
6.10.6 Randomness and Pseudo-Randomness
6.10.7 ESAPI Interfaces
6.11 Error Handling
6.11.1 User Error Messages
6.11.2 Log-in Error Messages—A Case Study
6.11.3 Error Message Differentiation
6.11.4 Developer Error Messages
6.11.5 Information to Be Kept Private
6.11.6 Structured Exception Handling
6.11.7 ESAPI Interfaces
6.12 Ajax and Flash
6.12.1 AJAX Application Traffic
6.12.2 AJAX Client Requests
6.12.3 Server Responses
6.12.4 Typical Attacks Against AJAX Applications
6.12.5 Security Recommendations for AJAX Applications
6.12.6 Adobe Flash—Sandbox Security Model
6.12.7 Cross-Domain Policy
6.12.8 Restrict SWF Files Embedded in HTML
6.12.9 Attacking Flash Applications
6.12.10 Securing Flash Applications
6.13 Additional Best Practices for Software Resilience
6.13.1 Externalize Variables
6.13.2 EncryptedProperties—Method Summary
6.13.3 Initialize Variables Properly
6.13.4 Do Not Ignore Values Returned by Functions
6.13.5 Avoid Integer Overflows
6.14 Top 10 Secure Coding Practices
6.15 Fifty Questions to Improve Software Security
Summary
6.16 References
Figure 6.1
Figure 6.2
Figure 6.3
Figure 6.4
Figure 6.5
Figure 6.6
Figure 6.7
Table 6.1
Table 6.2
Table 6.3
Table 6.4
Table 6.5
Table 6.6
Table 6.7
Table 6.8
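Sections 6.3.4 and 6.3.6 of the contents above name canonicalization and the three input-validation approaches (exact match, known good, known bad). The following is an added illustration written for this page, not code from the book or from OWASP ESAPI; the sample inputs, the allowed role set and the username pattern are constructed for the demonstration. It shows why validation must run on the canonical form of the input and why a known-bad filter is the weakest of the three.

```python
"""Added example: exact-match, known-good and known-bad validation (6.3.6)
run on canonicalized input (6.3.4). Not code from the book; all sample
values below are constructed for the demonstration."""
import re
import unicodedata
from urllib.parse import unquote

def canonicalize(value: str) -> str:
    """Reduce input to one canonical form before any validation decision.

    Percent-decoding is repeated until stable so double-encoded input such
    as %253C (-> %3C -> <) is fully unwrapped, then Unicode compatibility
    forms are folded (e.g. fullwidth U+FF1C '<' becomes ASCII '<')."""
    prev = None
    while value != prev:
        prev, value = value, unquote(value)
    return unicodedata.normalize("NFKC", value)

# 6.3.6.1 Exact match: the value must be one of a fixed set (constructed set).
ALLOWED_ROLES = {"user", "admin", "auditor"}

def validate_exact(value: str) -> bool:
    return value in ALLOWED_ROLES

# 6.3.6.2 Known good: a positive pattern describing the only acceptable shape
# (constructed rule: lowercase username, 3-16 chars, starts with a letter).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")

def validate_known_good(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None

# 6.3.6.3 Known bad: reject if any denylisted character is present. Included
# to show how easily it is bypassed, not as a recommended control.
BAD_CHARS = set("<>'\";")

def validate_known_bad(value: str) -> bool:
    return not any(c in BAD_CHARS for c in value)

def check(value: str) -> dict:
    """Run every validator on both the raw and the canonical form."""
    canon = canonicalize(value)
    return {
        "canonical": canon,
        "exact": validate_exact(canon),
        "known_good": validate_known_good(canon),
        "known_bad_raw": validate_known_bad(value),        # filter on raw bytes
        "known_bad_canonical": validate_known_bad(canon),  # filter after canonicalizing
    }

if __name__ == "__main__":
    for sample in ["admin", "alice_01", "%253Cscript%253E", "\uff1cscript\uff1e"]:
        print(repr(sample), check(sample))
```

The two encoded samples pass the known-bad filter when it is applied to the raw string and fail it only after canonicalization, while the known-good pattern rejects them in both cases because they never match the positive shape at all.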