| 000 | 08052cam a2200373 i 4500 | ||
|---|---|---|---|
| 999 |
_c6941 _d6941 |
||
| 001 | 16178380 | ||
| 005 | 20210427094150.0 | ||
| 008 | 100408s2010 flua b 001 0 eng | ||
| 010 | _a 2010013383 | ||
| 020 | _a9781439826966 (hardcover : alk. paper) | ||
| 020 | _a143982696X (hardcover : alk. paper) | ||
| 040 |
_aDLC _cDLC _dYDX _dBTCTA _dYDXCP _dBWX _dCDX _dDLC _erda |
||
| 050 | 0 | 0 |
_aQA76.76.D47 _bM466 2010 |
| 082 | 0 | 0 |
_a005.8 _222 _bM.M.S |
| 100 | 1 | _aMerkow, Mark S. | |
| 245 | 1 | 0 |
_aSecure and resilient software development / _cMark S. Merkow, Lakshmikanth Raghavan. |
| 264 | 1 |
_aBoca Raton, FL : _bCRC Press, _cc2010. |
|
| 300 |
_axxiv, 368 pages. : _billustrations. ; _c25 cm. |
||
| 336 |
_2rdacontent _atext |
||
| 337 |
_2rdamedia _aunmediated |
||
| 338 |
_2rdacarrier _avolume |
||
| 504 | _aIncludes bibliographical references and index. | ||
| 505 | 0 | _aChapter 1 How Does Software Fail Thee? Let Us Count the Ways Chapter Overview 1.1 Vulnerabilities Abound 1.1.1 Security Flaws Are Omnipresent 1.1.2 Cars Have their Share of Computer Problems Too 1.2 Tracing the Roots of Defective Software 1.3 What Are the True Costs of Insecure Software to Global Enterprises? 1.4 Addressing Security Questions Addresses Resilience | |
| 505 | 0 | _aChapter 2 Characteristics of Secure and Resilient Software Chapter Overview 2.1 Functional Versus Nonfunctional Requirements 2.2 Testing Nonfunctional Requirements 2.3 Families of Nonfunctional Requirements 2.4 Availability Availability Levels and Measurements 2.5 Capacity 2.6 Efficiency 2.7 Interoperability 2.8 Manageability 2.9 Cohesion 2.10 Coupling 2.11 Maintainability 2.12 Performance 2.13 Portability 2.14 Privacy 2.15 Recoverability 2.16 Reliability 2.17 Scalability 2.18 Security 2.19 Serviceability/Supportability 2.20 Characteristics of Good Requirements 2.21 Eliciting Nonfunctional Requirements 2.22 Documenting Nonfunctional Requirements | |
| 505 | 0 | _aFigure 2.1 Table 2.1 Table 2.2 Table 2.3 Chapter 3 Security and Resilience in the Software Development Life Cycle Chapter Overview 3.1 Resilience and Security Begin from Within 3.2 Requirements Gathering and Analysis 3.3 Systems Design and Detailed Design 3.3.1 Functional Decomposition 3.3.2 Categorizing Threats 3.3.3 Ranking Threats 3.3.4 Mitigation Planning 3.4 Design Reviews 3.5 Development (Coding) Phase 3.5.1 Static Analysis 3.5.2 Peer Review 3.5.3 Unit Testing 3.6 Testing 3.7 Deployment 3.8 Security Training Summary 3.9 References Figure 3.1 Figure 3.2 Figure 3.3 Figure 3.4 Figure 3.5 Figure 3.6 Chapter 4 Proven Best Practices for Resilient Applications Chapter Overview 4.1 Critical Concepts 4.2 The Security Perimeter 4.3 Attack Surface 4.3.1 Mapping the Attack Surface 4.3.2 Side Channel Attacks 4.4 Application Security and Resilience Principles 4.5 Practice 1: Apply Defense in Depth 4.6 Practice 2: Use a Positive Security Model 4.7 Practice 3: Fail Securely 4.8 Practice 4: Run with Least Privilege 4.9 Practice 5: Avoid Security by Obscurity 4.10 Practice 6: Keep Security Simple 4.11 Practice 7: Detect Intrusions 4.11.1 Log All Security-Relevant Information 4.11.2 Ensure That the Logs Are Monitored Regularly 4.11.3 Respond to Intrusions 4.12 Practice 8: Don’t Trust Infrastructure 4.13 Practice 9: Don’t Trust Services 4.14 Practice 10: Establish Secure Defaults 4.15 Mapping Best Practices to Nonfunctional Requirements Summary | |
| 505 | 0 | _a4.16 References Figure 4.1 Figure 4.2 Table 4.1 Chapter 5 Designing Applications for Security and Resilience Overview 5.1 Design Phase Recommendations 5.1.1 Misuse Case Modeling 5.1.2 Security Design and Architecture Review 5.1.3 Threat and Risk Modeling 5.1.4 Risk Analysis and Modeling 5.1.5 Security Requirements and Test Case Generation 5.2 Design to Meet Nonfunctional Requirements 5.3 Design Patterns 5.4 Architecting for the Web 5.5 Architecture and Design Review Checklist Summary 5.6 References Figure 5.1 Table 5.1 Table 5.2 Chapter 6 Programming Best Practices Chapter Overview 6.1 The Evolution of Software Attacks 6.2 The OWASP Top 10 6.2.1 A1: Injection 6.2.2 A2: Cross-Site Scripting 6.2.3 A3: Broken Authentication and Session Management 6.2.4 A4: Insecure Direct Object References 6.2.5 A5: Cross-Site Request Forgery 6.2.6 A6: Security Misconfiguration 6.2.7 A7: Failure to Restrict URL Access 6.2.8 A8: Unvalidated Redirects and Forwards 6.2.9 A9: Insecure Cryptographic Storage 6.2.10 A10: Insufficient Transport Layer Protection 6.3 OWASP Enterprise Security API (ESAPI) 6.3.1 Input Validation and Handling 6.3.2 Client-Side Versus Server-Side Validation 6.3.3 Input Sanitization 6.3.4 Canonicalization 6.3.5 Examples of Attacks due to Improper Input Handling 6.3.5.1 Buffer Overflow 6.3.5.2 OS Commanding 6.3.6 Approaches to Validating Input Data 6.3.6.1 Exact Match Validation 6.3.6.2 Known Good Validation 6.3.6.3 Known Bad Validation 6.3.7 Handling Bad Input 6.3.8 ESAPI Interfaces 6.4 Cross-Site Scripting 6.4.1 Same Origin Policy 6.4.2 Attacks Through XSS 6.4.2.1 Persistent Attacks 6.4.2.2 Nonpersistent Attacks 6.4.2.3 DOM-Based Attacks 6.4.3 Prevention of Cross-Site Scripting 6.4.4 ESAPI Interfaces 6.5 Injection Attacks 6.5.1 SQL Injection 6.5.2 Stored Procedures 6.5.3 Identifying SQL Injection and Exploitation 6.5.3.1 SQL Injection 6.5.3.2 Blind SQL Injection 6.5.4 Defending Against SQL Injection 6.5.5 Creating SQL Queries 6.5.6 Additional Controls to Prevent SQL Injection Attacks 6.5.7 ESAPI Interfaces 6.6 Authentication and Session Management 6.6.1 Attacking Log-in Functionality 6.6.2 Attacking Password Resets 6.6.3 Attacking Sensitive Transactions 6.7 Cross-Site Request Forgery 6.7.1 CSRF Mitigation 6.8 Session Management 6.8.1 Attacking Log-out Functionality 6.8.2 Defenses Against Log-out Attacks 6.8.3 Defenses Against Cookie Attacks 6.8.4 Session Identifiers 6.8.4.1 Attacking a Session Identifier 6.8.4.2 Defenses Against Session ID Attacks 6.8.5 ESAPI Interfaces 6.9 Access Control 6.9.1 Avoiding Security Through Obscurity 6.9.2 Access Control Issues 6.9.3 Testing for Broken Access Control 6.9.4 Defenses Against Access Control Attacks 6.9.5 Administrator Interfaces 6.9.6 Protecting Administrator Interfaces 6.9.7 ESAPI Interfaces 6.10 Cryptography 6.10.1 Hashing and Password Security 6.10.2 Attacking the Hash 6.10.3 Precomputed Attacks 6.10.4 Message Authentication Code (MAC) 6.10.5 Home-Grown Algorithms 6.10.6 Randomness and Pseudo-Randomness 6.10.7 ESAPI Interfaces 6.11 Error Handling 6.11.1 User Error Messages 6.11.2 Log-in Error Messages—A Case Study 6.11.3 Error Message Differentiation 6.11.4 Developer Error Messages 6.11.5 Information to Be Kept Private 6.11.6 Structured Exception Handling 6.11.7 ESAPI Interfaces 6.12 Ajax and Flash 6.12.1 AJAX Application Traffic 6.12.2 AJAX Client Requests 6.12.3 Server Responses 6.12.4 Typical Attacks Against AJAX Applications 6.12.5 Security Recommendations for AJAX Applications 6.12.6 Adobe Flash—Sandbox Security Model 6.12.7 Cross-Domain Policy 6.12.8 Restrict SWF Files Embedded in HTML 6.12.9 Attacking Flash Applications 6.12.10 Securing Flash Applications 6.13 Additional Best Practices for Software Resilience 6.13.1 Externalize Variables 6.13.2 EncryptedProperties—Method Summary 6.13.3 Initialize Variables Properly 6.13.4 Do Not Ignore Values Returned by Functions 6.13.5 Avoid Integer Overflows 6.14 Top 10 Secure Coding Practices 6.15 Fifty Questions to Improve Software Security Summary 6.16 References Figure 6.1 Figure 6.2 Figure 6.3 Figure 6.4 Figure 6.5 Figure 6.6 Figure 6.7 Table 6.1 Table 6.2 Table 6.3 Table 6.4 Table 6.5 Table 6.6 Table 6.7 Table 6.8 | |
| 650 | 0 |
_aComputer software _xDevelopment. |
|
| 650 | 0 |
_aComputer software _xReliability. |
|
| 650 | 0 | _aComputer security. | |
| 700 | 1 | _aRaghavan, Lakshmikanth. | |
| 942 |
_cBK _2ddc |
||