You are previewing Enterprise Software Security: A Confluence of Disciplines.
O'Reilly logo
Enterprise Software Security: A Confluence of Disciplines

Book Description

STRENGTHEN SOFTWARE SECURITY BY HELPING DEVELOPERS AND SECURITY EXPERTS WORK TOGETHER

Traditional approaches to securing software are inadequate. The solution: Bring software engineering and network security teams together in a new, holistic approach to protecting the entire enterprise. Now, four highly respected security experts explain why this “confluence” is so crucial, and show how to implement it in your organization.

Writing for all software and security practitioners and leaders, they show how software can play a vital, active role in protecting your organization. You’ll learn how to construct software that actively safeguards sensitive data and business processes and contributes to intrusion detection/response in sophisticated new ways. The authors cover the entire development lifecycle, including project inception, design, implementation, testing, deployment, operation, and maintenance. They also provide a full chapter of advice specifically for Chief Information Security Officers and other enterprise security executives.


Whatever your software security responsibilities, Enterprise Software Security delivers indispensable big-picture guidance–and specific, high-value recommendations you can apply right now.

COVERAGE INCLUDES:


• Overcoming common obstacles to collaboration between developers and IT security professionals
• Helping programmers design, write, deploy, and operate more secure software
• Helping network security engineers use application output more effectively
• Organizing a software security team before you’ve even created requirements
• Avoiding the unmanageable complexity and inherent flaws of layered security
• Implementing positive software design practices and identifying security defects in existing designs
• Teaming to improve code reviews, clarify attack scenarios associated with vulnerable code, and validate positive compliance
• Moving beyond pentesting toward more comprehensive security testing
• Integrating your new application with your existing security infrastructure
• “Ruggedizing” DevOps by adding infosec to the relationship between development and operations
• Protecting application security during maintenance

Table of Contents

  1. About This eBook
  2. Title Page
  3. Copyright Page
  4. Dedication Page
  5. Contents
  6. Acknowledgments
  7. About the Authors
  8. Preface
    1. Moving Targets Are Harder to Hit
    2. Origins, Authors, Credentials
    3. Contents
    4. Summing Up
  9. 1. Introduction to the Problem
    1. Our Shared Predicament Today
    2. Why Are We in This Security Mess?
    3. Ancient History
    4. All Together Now
    5. The Status Quo: A Great Divide
    6. What’s Wrong with This Picture?
    7. Wait, It Gets Worse
    8. Stressing the Positive
    9. Summing Up
    10. Endnotes
  10. 2. Project Inception
    1. Without a Formal Software Security Process—The Norm Today
    2. The Case for a Project Security Team
    3. Tasks for the Project Security Team
    4. Putting Together the Project Security Team
    5. Roles to Cover on the Security Team
    6. Some Final Practical Considerations about Project Security Teams
    7. Summing Up
    8. Endnotes
  11. 3. Design Activities
    1. Security Tiers
    2. On Confluence
    3. Requirements
    4. Specifications
    5. Design and Architecture
    6. It’s Already Designed
    7. Deployment and Operations Planning
    8. Summing Up
    9. Endnotes
  12. 4. Implementation Activities
    1. Confluence
    2. Stress the Positive and Strike the Balance
    3. Security Mechanisms and Controls
    4. Code Reuse
    5. Coding Resources
    6. Implementing Security Tiers
    7. Code Reviews
    8. A Day in the Life of a Servlet
    9. Summing Up
    10. Endnotes
  13. 5. Testing Activities
    1. A Few Questions about Security Testing
    2. Tools of the Trade
    3. Security Bug Life Cycle
    4. Summing Up
    5. Endnotes
  14. 6. Deployment and Integration
    1. How Does Deployment Relate to Confluence?
    2. A Road Map
    3. Advanced Topics in Deployment
    4. Integrating with the Security Operations Infrastructure
    5. Third-Generation Log Analysis Tools
    6. Retrofitting Legacy and Third-Party Components
    7. Notes for Small Shops or Individuals
    8. Summing Up
    9. Endnotes
  15. 7. Operating Software Securely
    1. Adjusting Security Thresholds
    2. Dealing with IDS in Operations
    3. Identifying Critical Applications
    4. CSIRT Utilization
    5. Notes for Small Shops or Individuals
    6. Summing Up
  16. 8. Maintaining Software Securely
    1. Common Pitfalls
    2. How Does Maintaining Software Securely Relate to Confluence?
    3. Learning from History
    4. Evolving Threats
    5. The Security Patch
    6. Special Cases
    7. How Does Maintaining Software Securely Fit into Security SDLCs?
    8. Summing Up
    9. Endnotes
  17. 9. The View from the Center
    1. Ideas for Encouraging Confluent Application Development
    2. Toward a Confluent Network
    3. Security Awareness and Training
    4. Policies, Standards, and Guidelines
    5. The Role of Other Departments and Corporate Entities
    6. Resource Budgeting and Strategic Planning for Confluence
    7. Assessment Tools and Techniques
    8. Mobile Plans—Postmortem Interviews
    9. Notes for Small Shops or Individuals
    10. Summing Up
    11. Endnotes
  18. Index
  19. Code Snippets