Security-Driven Software Development

By: Aspen Olmsted

Overview of this book

Extend your software development skills to integrate security into every aspect of your projects. Perfect for any programmer or developer working on mission-critical applications, this hands-on guide helps you adopt secure software development practices. Explore core concepts like security specification, modeling, and threat mitigation with the iterative approach of this book that allows you to trace security requirements through each phase of software development. You won’t stop at the basics; you’ll delve into multiple-layer attacks and develop the mindset to prevent them. Through an example application project involving an entertainment ticketing software system, you’ll look at high-profile security incidents that have affected popular music stars and performers. Drawing from the author’s decades of experience building secure applications in this domain, this book offers comprehensive techniques where problem-solving meets practicality for secure development. By the end of this book, you’ll have gained the expertise to systematically secure software projects, from crafting robust security specifications to adeptly mitigating multifaceted threats, ensuring your applications stand resilient in the face of evolving cybersecurity challenges.
Table of Contents (20 chapters)

Part 1: Modeling a Secure Application
Part 2: Mitigating Risks in Implementation
Part 3: Security Validation

What this book covers

Chapter 1, Security Principles and Procedures, gives us a foundation of some standard principles and procedures used in secure software development.

Chapter 2, Designing a Secure Functional Model, teaches us how to specify what our software should do and what should be true while the software is executing.

Chapter 3, Designing a Secure Object Model, helps us to identify the objects and structures we will use in our software application.

Chapter 4, Designing a Secure Dynamic Model, helps us think about how the objects in our programs will interact with each other.

Chapter 5, Designing a Secure System Model, explores how we partition our application into subsystems and helps us think about how those partitions can communicate securely.

Chapter 6, Threat Modeling, is where we model the risks to our software and start to think about the mitigations we can deploy to reduce those risks.

Chapter 7, Authentication and Authorization, explores utilizing authentication and authorization to mitigate risks identified in our threat models.

Chapter 8, Input Validation and Sanitization, explores input validation and sanitization to mitigate risks identified in our threat models.

Chapter 9, Standard Web Application Vulnerabilities, discusses the many common vulnerabilities that are found in web applications.

Chapter 10, Database Security, takes a deep dive into databases and the risks and mitigations we can use while our software interacts with the database.

Chapter 11, Unit Testing, looks at ensuring our software performs the functions and meets the non-functional requirements we specified earlier in our model at the level of small units.

Chapter 12, Regression Testing, looks at ensuring our software performs the functions and meets the non-functional requirements we specified earlier in our model as code is changed.

Chapter 13, Integration Testing, looks at ensuring our software performs the functions and meets the non-functional requirements we specified earlier in our model as we put the different partitions and subsystems together.

Chapter 14, Penetration Testing, considers how we can discover vulnerabilities that slipped through despite our earlier hard work modeling, planning, and testing.