Free Delivery Over $100
|
|
|||
|
||||
OverviewFull Product DetailsAuthor: Gary McGrawPublisher: Pearson Education (US) Imprint: Addison-Wesley Educational Publishers Inc Edition: Annotated edition Dimensions: Width: 17.90cm , Height: 2.80cm , Length: 23.60cm Weight: 0.884kg ISBN: 9780321356703ISBN 10: 0321356705 Pages: 448 Publication Date: 09 February 2006 Audience: College/higher education , Tertiary & Higher Education Format: Mixed media product Publisher's Status: Out of Print Availability: In Print  Limited stock is available. It will be ordered for you and shipped pending supplier's limited stock. Table of ContentsForeword xix Preface xxiii Acknowledgments xxxi About the Author xxxv Part I: Software Security Fundamentals 1 Chapter 1: Defining a Discipline 3 The Security Problem 4 Security Problems in Software 14 Solving the Problem: The Three Pillars of Software Security 25 The Rise of Security Engineering 37 Chapter 2: A Risk Management Framework 39 Putting Risk Management into Practice 40 How to Use This Chapter 41 The Five Stages of Activity 42 The RMF Is a Multilevel Loop 46 Applying the RMF: KillerAppCo's iWare 1.0 Server 48 The Importance of Measurement 73 The Cigital Workbench 76 Risk Management Is a Framework for Software Security 79 Part II: Seven Touchpoints for Software Security 81 Chapter 3:Introduction to Software Security Touchpoints 83 Flyover: Seven Terrific Touchpoints 86 Black and White: Two Threads Inextricably Intertwined 89 Moving Left 91 Touchpoints as Best Practices 94 Who Should Do Software Security? 96 Software Security Is a Multidisciplinary Effort 100 Touchpoints to Success 103 Chapter 4: Code Review with a Tool 105 Catching Implementation Bugs Early (with a Tool) 106 Aim for Good, Not Perfect 108 Ancient History 109 Approaches to Static Analysis 110 Tools from Researchland 114 Commercial Tool Vendors 123 Touchpoint Process: Code Review 135 Use a Tool to Find Security Bugs 137 Chapter 5: Architectural Risk Analysis 139 Common Themes among Security Risk Analysis Approaches 140 Traditional Risk Analysis Terminology 144 Knowledge Requirement 147 The Necessity of a Forest-Level View 148 A Traditional Example of a Risk Calculation 152 Limitations of Traditional Approaches 153 Modern Risk Analysis 154 Touchpoint Process: Architectural Risk Analysis 161 Getting Started with Risk Analysis 169 Architectural Risk Analysis Is a Necessity 170 Chapter 6: Software Penetration Testing 171 Penetration Testing Today 173 Software Penetration Testing--a Better Approach 178 Incorporating Findings Back into Development 183 Using Penetration Tests to Assess the Application Landscape 184 Proper Penetration Testing Is Good 185 Chapter 7: Risk-Based Security Testing 187 What's So Different about Security? 191 Risk Management and Security Testing 192 How to Approach Security Testing 193 Thinking about (Malicious) Input 201 Getting Over Input 203 Leapfrogging the Penetration Test 204 Chapter 8: Abuse Cases 205 Security Is Not a Set of Features 209 What You Can't Do 210 Creating Useful Abuse Cases 211 Touchpoint Process: Abuse Case Development 213 An Abuse Case Example 217 Abuse Cases Are Useful 222 Chapter 9: Software Security Meets Security Operations 223 Don't Stand So Close to Me 224 Kumbaya (for Software Security) 225 Come Together (Right Now) 232 Future's So Bright, I Gotta Wear Shades 235 Part III: Software Security Grows Up 237 Chapter 10: An Enterprise Software Security Program 239 The Business Climate 240 Building Blocks of Change 242 Building an Improvement Program 246 Establishing a Metrics Program 247 Continuous Improvement 250 What about COTS (and Existing Software Applications)? 251 Adopting a Secure Development Lifecycle 256 Chapter 11: Knowledge for Software Security 259 Experience, Expertise, and Security 261 Security Knowledge: A Unified View 262 Security Knowledge and the Touchpoints 268 The Department of Homeland Security Build Security In Portal 269 Knowledge Management Is Ongoing 274 Software Security Now 275 Chapter 12: A Taxonomy of Coding Errors 277 On Simplicity: Seven Plus or Minus Two 279 The Phyla 282 A Complete Example 290 Lists, Piles, and Collections 292 Go Forth (with the Taxonomy) and Prosper 297 Chapter 13: Annotated Bibliography and References 299 Annotated Bibliography: An Emerging Literature 299 Software Security Puzzle Pieces 318 Appendices 321 Appendix A: Fortify Source Code Analysis Suite Tutorial 323 1. Introducing the Audit Workbench 324 2. Auditing Source Code Manually 326 3. Ensuring a Working Build Environment 328 4. Running the Source Code Analysis Engine 329 5. Exploring the Basic SCA Engine Command Line Arguments 332 6. Understanding Raw Analysis Results 333 7. Integrating with an Automated Build Process 335 8. Using the Audit Workbench 339 9. Auditing Open Source Applications 342 Appendix B: ITS4 Rules 345 Appendix C: An Exercise in Risk Analysis: Smurfware 385 SmurfWare SmurfScanner Risk Assessment Case Study 385 SmurfWare SmurfScanner Design for Security 390 Appendix D: Glossary 393 Index 395ReviewsOverall, I rekon this was the best new security book I've seen this year. It certainly made me think more than any other security book I've read recently. I'd consider it a must-buy for the serious practitioner. --Ross Anderson, Professor of Security Engineering, University of Cambridge Computer Laboratory Author InformationGary McGraw, Cigital, Inc.'s CTO, is a world authority on software security. Dr. McGraw is coauthor of five best selling books: Exploiting Software (Addison-Wesley, 2004), Building Secure Software (Addison-Wesley, 2001), Software Fault Injection (Wiley 1998), Securing Java (Wiley, 1999), and Java Security (Wiley, 1996). His new book, Software Security: Building Security In (Addison-Wesley 2006) was released in February 2006. As a consultant, Dr. McGraw provides strategic advice to major software producers and consumers. Dr. McGraw has written over ninety peer-reviewed technical publications and functions as principal investigator on grants from DARPA, National Science Foundation, and NIST's Advanced Technology Program. He serves on Advisory Boards of Authentica, Counterpane, and Fortify Software, as well as advising the CS Department at UC Davis, the CS Department at UVa, and the School of Informatics at Indiana University. Dr. McGraw holds a dual PhD in Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from UVa. He is a member of the IEEE Security and Privacy Task Force, and was recently elected to the IEEE Computer Society Board of Governors. He is the producer of the Silver Bullet Security Podcast for IEEE Security & Privacy magazine, writes a monthly column for darkreading.com, and is often quoted in the press. Tab Content 6Author Website:Countries AvailableAll regions |
||||
