Book description
As the global leader in information security education and certification, (ISC)2 has a proven track record of educating and certifying information security professionals. Its newest certification, the Certified Secure Software Lifecycle Professional (CSSLP), is a testament to the organization's ongoing commitment to information and software security.
Table of contents
- Foreword
- About the Author
- Introduction
- Chapter 1 - Secure Software Concepts
- 1.1 Introduction
- 1.2 Objectives
- 1.3 Holistic Security
- 1.4 Implementation Challenges
- 1.5 Quality and Security
- 1.6 Security Profile: What Makes a Software Secure?
- 1.7 Security Concepts in the SDLC
- 1.8 Risk Management
- 1.9 Security Policies: The “What” and “Why” for Security
- 1.10 Security Standards
- 1.11 Best Practices
- 1.12 Information Technology Infrastructure Library (ITIL)
- 1.13 Security Methodologies
- 1.13.1 Socratic Methodology
- 1.13.2 Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®)
- 1.13.3 STRIDE and DREAD
- 1.13.4 Open Source Security Testing Methodology Manual (OSSTMM)
- 1.13.5 Flaw Hypothesis Method (FHM)
- 1.13.6 Six Sigma (6σ)
- 1.13.7 Capability Maturity Model Integration (CMMI)
- 1.14 Security Frameworks
- 1.15 Regulations, Privacy, and Compliance
- 1.16 Security Models
- 1.17 Trusted Computing
- 1.18 Trusted Platform Module (TPM)
- 1.19 Acquisitions
- 1.20 Summary
- 1.21 Review Questions
- References
- Chapter 2 - Secure Software Requirements
- 2.1 Introduction
- 2.2 Objectives
- 2.3 Sources for Security Requirements
- 2.4 Types of Security Requirements
- 2.4.1 Confidentiality Requirements
- 2.4.2 Integrity Requirements
- 2.4.3 Availability Requirements
- 2.4.4 Authentication Requirements
- 2.4.4.1 Anonymous Authentication
- 2.4.4.2 Basic Authentication
- 2.4.4.3 Digest Authentication
- 2.4.4.4 Integrated Authentication
- 2.4.4.5 Client Certificate-Based Authentication
- 2.4.4.6 Forms Authentication
- 2.4.4.7 Token-Based Authentication
- 2.4.4.8 Smart Cards–Based Authentication
- 2.4.4.9 Biometric Authentication
- 2.4.5 Authorization Requirements
- 2.4.6 Auditing/Logging Requirements
- 2.4.7 Session Management Requirements
- 2.4.8 Errors and Exception Management Requirements
- 2.4.9 Configuration Parameters Management Requirements
- 2.4.10 Sequencing and Timing Requirements
- 2.4.11 Archiving Requirements
- 2.4.12 International Requirements
- 2.4.13 Deployment Environment Requirements
- 2.4.14 Procurement Requirements
- 2.4.15 Antipiracy Requirements
- 2.5 Protection Needs Elicitation
- 2.6 Requirements Traceability Matrix (RTM)
- 2.7 Summary
- 2.8 Review Questions
- References
- Chapter 3 - Secure Software Design
- 3.1 Introduction
- 3.2 Objectives
- 3.3 The Need for Secure Design
- 3.4 Flaws versus Bugs
- 3.5 Design Considerations
- 3.6 Information Technology Security Principles and Secure Design
- 3.7 Designing Secure Design Principles
- 3.8 Balancing Secure Design Principles
- 3.9 Other Design Considerations
- 3.10 Design Processes
- 3.11 Architectures
- 3.12 Technologies
- 3.13 Secure Design and Architecture Review
- 3.14 Summary
- 3.15 Review Questions
- References
- Chapter 4 - Secure Software Implementation/Coding
- 4.1 Introduction
- 4.2 Objectives
- 4.3 Who Is to Be Blamed for Insecure Software?
- 4.4 Fundamental Concepts of Programming
- 4.5 Software Development Methodologies
- 4.6 Common Software Vulnerabilities and Controls
- 4.6.1 Injection Flaws
- 4.6.2 Cross-Site Scripting (XSS)
- 4.6.3 Buffer Overflow
- 4.6.4 Broken Authentication and Session Management
- 4.6.5 Insecure Direct Object References
- 4.6.6 Cross-Site Request Forgery (CSRF)
- 4.6.7 Security Misconfiguration
- 4.6.8 Failure to Restrict URL Access
- 4.6.9 Unvalidated Redirects and Forwards
- 4.6.10 Insecure Cryptographic Storage
- 4.6.11 Insufficient Transport Layer Protection
- 4.6.12 Information Leakage and Improper Error Handling
- 4.6.13 File Attacks
- 4.6.14 Race Condition
- 4.6.15 Side Channel Attacks
- 4.7 Defensive Coding Practices—Concepts and Techniques
- 4.7.1 Attack Surface Evaluation and Reduction
- 4.7.2 Input Validation
- 4.7.3 Canonicalization
- 4.7.4 Code Access Security
- 4.7.5 Container (Declarative) versus Component (Programmatic) Security
- 4.7.6 Cryptographic Agility
- 4.7.7 Memory Management
- 4.7.8 Exception Management
- 4.7.9 Anti-Tampering
- 4.7.10 Secure Startup
- 4.7.11 Embedded Systems
- 4.7.12 Interface Coding
- 4.8 Secure Software Processes
- 4.9 Build Environment and Tools Security
- 4.10 Summary
- 4.11 Review Questions
- References
- Chapter 5 - Secure Software Testing
- 5.1 Introduction
- 5.2 Objectives
- 5.3 Quality Assurance
- 5.4 Types of Software QA Testing
- 5.5 Security Testing Methodologies
- 5.6 Software Security Testing
- 5.6.1 Testing for Input Validation
- 5.6.2 Injection Flaws Testing
- 5.6.3 Testing for Nonrepudiation
- 5.6.4 Testing for Spoofing
- 5.6.5 Failure Testing
- 5.6.6 Cryptographic Validation Testing
- 5.6.7 Testing for Buffer Overflow Defenses
- 5.6.8 Testing for Privilege Escalations Defenses
- 5.6.9 Anti-Reversing Protection Testing
- 5.7 Other Testing
- 5.8 Defect Reporting and Tracking
- 5.9 Impact Assessment and Corrective Action
- 5.10 Tools for Security Testing
- 5.11 Summary
- 5.12 Review Questions
- References
- Chapter 6 - Software Acceptance
- 6.1 Introduction
- 6.2 Objectives
- 6.3 Guidelines for Software Acceptance
- 6.4 Benefits of Accepting Software Formally
- 6.5 Software Acceptance Considerations
- 6.6 Legal Protection Mechanisms
- 6.7 Software Escrow
- 6.8 Verification and Validation (V&V)
- 6.9 Certification and Accreditation
- 6.10 Summary
- 6.11 Review Questions
- References
- Chapter 7 - Software Deployment, Operations, Maintenance, and Disposal
- Appendix A Answers to Practice Questions
- Chapter 1—Secure Software Concepts Questions
- Chapter 2—Secure Software Requirements Questions
- Chapter 3—Secure Software Design Questions
- Chapter 4—Secure Software Implementation/Coding Questions
- Chapter 5—Secure Software Testing Questions
- Chapter 6—Software Acceptance Questions
- Chapter 7—Software Deployment, Operations, Maintenance, and Disposal Questions
- Appendix B
- Threat Modeling—Zion, Inc.
- Appendix C
- Commonly Used Opcodes in Assembly
- Appendix D
- HTTP/1.1 Status Codes and Reason Phrases (IETF RFC 2616)
- Appendix E
- Security Testing Tools
- E.1 Reconnaissance (Information Gathering) Tools
- E.2 Vulnerability Scanners
- E.3 Fingerprinting Tools
- E.4 Sniffers/Protocol Analyzers
- E.5 Password Crackers
- E.6 Web Security Tools: Scanners, Proxies, and Vulnerability Management
- E.7 Wireless Security Tools
- E.8 Reverse Engineering Tools (Assembler and Disassemblers, Debuggers, and Decompilers)
- E.9 Source Code Analyzers
- E.10 Vulnerability Exploitation Tools
- E.11 Security-Oriented Operating Systems
- E.12 Privacy Testing Tools
Product information
- Title: Official (ISC)2 Guide to the CSSLP
- Author(s):
- Release date: April 2016
- Publisher(s): CRC Press
- ISBN: 9781498759939