Software Security Engineering: A Guide for Project Managers

Book Description

“This book’s broad overview can help an organization choose a set of processes, policies, and techniques that are appropriate for its security maturity, risk tolerance, and development style. This book will help you understand how to incorporate practical security techniques into all phases of the development lifecycle.”

      —Steve Riley, senior security strategist, Microsoft Corporation

“There are books written on some of the topics addressed in this book, and there are other books on secure systems engineering. Few address the entire life cycle with a comprehensive overview and discussion of emerging trends and topics as well as this one.”

      —Ronda Henning, senior scientist-software/security queen, Harris Corporation

Software that is developed from the beginning with security in mind will resist, tolerate, and recover from attacks more effectively than would otherwise be possible. While there may be no silver bullet for security, there are practices that project managers will find beneficial. With this management guide, you can select from a number of sound practices likely to increase the security and dependability of your software, both during its development and subsequently in its operation.

Software Security Engineering draws extensively on the systematic approach developed for the Build Security In (BSI) Web site. Sponsored by the Department of Homeland Security Software Assurance Program, the BSI site offers a host of tools, guidelines, rules, principles, and other resources to help project managers address security issues in every phase of the software development life cycle (SDLC). The book’s expert authors, themselves frequent contributors to the BSI site, represent two well-known resources in the security world: the CERT Program at the Software Engineering Institute (SEI) and Cigital, Inc., a consulting firm specializing in software security.

This book will help you understand why

  • Software security is about more than just eliminating vulnerabilities and conducting penetration tests

  • Network security mechanisms and IT infrastructure security services do not sufficiently protect application software from security risks

  • Software security initiatives should follow a risk-management approach to identify priorities and to define what is “good enough”—understanding that software security risks will change throughout the SDLC

  • Project managers and software engineers need to learn to think like an attacker in order to address the range of functions that software should not do, and how software can better resist, tolerate, and recover when under attack

    Chapter 1: Why Is Security a Software Issue? 1

    1.1 Introduction 1

    1.2 The Problem 2

    1.3 Software Assurance and Software Security 6

    1.4 Threats to Software Security 9

    1.5 Sources of Software Insecurity 11

    1.6 The Benefits of Detecting Software Security Defects Early 13

    1.7 Managing Secure Software Development 18

    1.8 Summary 23

    Chapter 2: What Makes Software Secure? 25

    2.1 Introduction 25

    2.2 Defining Properties of Secure Software 26

    2.3 How to Influence the Security Properties of Software 36

    2.4 How to Assert and Specify Desired Security Properties 61

    2.5 Summary 71

    Chapter 3: Requirements Engineering for Secure Software 73

    3.1 Introduction 73

    3.2 Misuse and Abuse Cases 78

    3.3 The SQUARE Process Model 84

    3.4 SQUARE Sample Outputs 91

    3.5 Requirements Elicitation 99

    3.6 Requirements Prioritization 106

    3.7 Summary 112

    Chapter 4: Secure Software Architecture and Design 115

    4.1 Introduction 115

    4.2 Software Security Practices for Architecture and Design: Architectural Risk Analysis 119

    4.3 Software Security Knowledge for Architecture and Design: Security Principles, Security Guidelines, and Attack Patterns 137

    4.4 Summary 148

    Chapter 5: Considerations for Secure Coding and Testing 151

    5.1 Introduction 151

    5.2 Code Analysis 152

    5.3 Coding Practices 160

    5.4 Software Security Testing 163

    5.5 Security Testing Considerations Throughout the SDLC 173

    5.6 Summary 180

    Chapter 6: Security and Complexity: System Assembly Challenges 183

    6.1 Introduction 183

    6.2 Security Failures 186

    6.3 Functional and Attacker Perspectives for Security Analysis: Two Examples 189

    6.4 System Complexity Drivers and Security 203

    6.5 Deep Technical Problem Complexity 215

    6.6 Summary 217

    Chapter 7: Governance, and Managing for More Secure Software 221

    7.1 Introduction 221

    7.2 Governance and Security 223

    7.3 Adopting an Enterprise Software Security Framework 226

    7.4 How Much Security Is Enough? 236

    7.5 Security and Project Management 244

    7.6 Maturity of Practice 259

    7.7 Summary 266

    Chapter 8: Getting Started 267

    8.1 Where to Begin 269

    8.2 In Closing 281

    Table of Contents

    1. Copyright
    2. Foreword
    3. Preface
      1. The Problem Addressed by This Book
        1. Software’s Vulnerability to Attack
      2. Why We Wrote This Book: Its Purpose, Goals, and Scope
        1. The Challenge of Software Security Engineering
        2. What Readers Can Expect
      3. Who Should Read This Book
      4. How This Book Is Organized
      5. Notes to the Reader
        1. Navigating the Book’s Content
        2. Build Security In: A Key Resource
      6. Start the Journey
      7. Acknowledgments
    4. About the Authors
      1. Julia H. Allen
      2. Sean Barnum
      3. Robert J. Ellison
      4. Gary McGraw
      5. Nancy R. Mead
    5. 1. Why Is Security a Software Issue?
      1. 1.1. Introduction
      2. 1.2. The Problem
        1. 1.2.1. System Complexity: The Context within Which Software Lives
      3. 1.3. Software Assurance and Software Security
        1. 1.3.1. The Role of Processes and Practices in Software Security
      4. 1.4. Threats to Software Security
      5. 1.5. Sources of Software Insecurity
      6. 1.6. The Benefits of Detecting Software Security Defects Early
        1. 1.6.1. Making the Business Case for Software Security: Current State
      7. 1.7. Managing Secure Software Development
        1. 1.7.1. Which Security Strategy Questions Should I Ask?
        2. 1.7.2. A Risk Management Framework for Software Security
        3. 1.7.3. Software Security Practices in the Development Life Cycle
      8. 1.8. Summary
    6. 2. What Makes Software Secure?
      1. 2.1. Introduction
      2. 2.2. Defining Properties of Secure Software
        1. 2.2.1. Core Properties of Secure Software
        2. 2.2.2. Influential Properties of Secure Software
          1. Dependability and Security
          2. Correctness and Security
            1. “Small” Faults, Big Consequences
          3. Predictability and Security
          4. Reliability, Safety, and Security
          5. Size, Complexity, Traceability, and Security
      3. 2.3. How to Influence the Security Properties of Software
        1. 2.3.1. The Defensive Perspective
          1. Addressing the Expected: Security Architecture and Features
          2. Addressing the Unexpected: Avoiding, Removing, and Mitigating Weaknesses
            1. Application Defense
            2. Software Security
          3. Attack Resistance, Attack Tolerance, and Attack Resilience
        2. 2.3.2. The Attacker’s Perspective
          1. The Attacker’s Advantage
          2. Finding a Way to Represent the Attacker’s Perspective
            1. What Does an Attack Pattern Look Like?
            2. Leveraging Attack Patterns in All Phases of the Software Development Life Cycle
              1. Leveraging Attack Patterns in Positive and Negative Security Requirements
              2. Leveraging Attack Patterns in Architecture and Design
              3. Leveraging Attack Patterns in Implementation and Coding
              4. Leveraging Attack Patterns in Software Security Testing
      4. 2.4. How to Assert and Specify Desired Security Properties
        1. 2.4.1. Building a Security Assurance Case
        2. 2.4.2. A Security Assurance Case Example
        3. 2.4.3. Incorporating Assurance Cases into the SDLC
        4. 2.4.4. Related Security Assurance and Compliance Efforts
          1. Security-Privacy Laws and Regulations
          2. Common Criteria
        5. 2.4.5. Maintaining and Benefitting from Assurance Cases
      5. 2.5. Summary
    7. 3. Requirements Engineering for Secure Software
      1. 3.1. Introduction
        1. 3.1.1. The Importance of Requirements Engineering
        2. 3.1.2. Quality Requirements
        3. 3.1.3. Security Requirements Engineering
      2. 3.2. Misuse and Abuse Cases
        1. 3.2.1. Security Is Not a Set of Features
        2. 3.2.2. Thinking About What You Can’t Do
        3. 3.2.3. Creating Useful Misuse Cases
        4. 3.2.4. An Abuse Case Example
      3. 3.3. The SQUARE Process Model
        1. 3.3.1. A Brief Description of SQUARE
        2. 3.3.2. Tools
        3. 3.3.3. Expected Results
      4. 3.4. SQUARE Sample Outputs
        1. 3.4.1. Output from SQUARE Steps
          1. Step 1: Agree on Definitions
          2. Step 2: Identify Security Goals
          3. Step 3: Develop Artifacts
          4. Step 4: Perform Risk Assessment
          5. Step 5: Select Elicitation Techniques
          6. Steps 6 and 7: Elicit and Categorize Security Requirements
          7. Step 8: Prioritize Requirements
          8. Step 9: Requirements Inspection
        2. 3.4.2. SQUARE Final Results
      5. 3.5. Requirements Elicitation
        1. 3.5.1. Overview of Several Elicitation Methods
          1. Misuse Cases
          2. Soft Systems Methodology (SSM)
          3. Quality Function Deployment (QFD)
          4. Controlled Requirements Expression (CORE)
          5. Issue-Based Information Systems (IBIS)
          6. Joint Application Development (JAD)
          7. Feature-Oriented Domain Analysis (FODA)
          8. Critical Discourse Analysis (CDA)
          9. Accelerated Requirements Method (ARM)
        2. 3.5.2. Elicitation Evaluation Criteria
          1. Additional Considerations
      6. 3.6. Requirements Prioritization
        1. 3.6.1. Identify Candidate Prioritization Methods
          1. Binary Search Tree (BST)
          2. Numeral Assignment Technique
          3. Planning Game
          4. 100-Point Method
          5. Theory-W
          6. Requirements Triage
          7. Wiegers’ Method
          8. Requirements Prioritization Framework
          9. AHP
        2. 3.6.2. Prioritization Technique Comparison
        3. 3.6.3. Recommendations for Requirements Prioritization
      7. 3.7. Summary
    8. 4. Secure Software Architecture and Design
      1. 4.1. Introduction
        1. 4.1.1. The Critical Role of Architecture and Design
        2. 4.1.2. Issues and Challenges
      2. 4.2. Software Security Practices for Architecture and Design: Architectural Risk Analysis
        1. 4.2.1. Software Characterization
        2. 4.2.2. Threat Analysis
        3. 4.2.3. Architectural Vulnerability Assessment
          1. Attack Resistance Analysis
          2. Ambiguity Analysis
          3. Dependency Analysis
          4. Vulnerability Classification
          5. Mapping Threats and Vulnerabilities
        4. 4.2.4. Risk Likelihood Determination
        5. 4.2.5. Risk Impact Determination
          1. Identify Threatened Assets
          2. Identify Business Impact
          3. Risk Exposure Statement
        6. 4.2.6. Risk Mitigation Planning
        7. 4.2.7. Recapping Architectural Risk Analysis
      3. 4.3. Software Security Knowledge for Architecture and Design: Security Principles, Security Guidelines, and Attack Patterns
        1. 4.3.1. Security Principles
          1. The Principles for Software Security
            1. The Principle of Least Privilege
            2. The Principle of Failing Securely
            3. The Principle of Securing the Weakest Link
            4. The Principle of Defense in Depth
            5. The Principle of Separation of Privilege
            6. The Principle of Economy of Mechanism
            7. The Principle of Least Common Mechanism
            8. The Principle of Reluctance to Trust
            9. The Principle of Never Assuming That Your Secrets Are Safe
            10. The Principle of Complete Mediation
            11. The Principle of Psychological Acceptability
            12. The Principle of Promoting Privacy
          2. Recapping Security Principles
        2. 4.3.2. Security Guidelines
          1. What Do Security Guidelines Look Like?
            1. Guideline: Follow the Rules Regarding Concurrency Management
              1. Competing “Systems” (Time of Check/Time of Use)
              2. Competing Threads within a “System” (Races)
              3. Security Policies to Be Preserved
              4. How to Recognize This Defect
          2. Recapping Security Guidelines
        3. 4.3.3. Attack Patterns
      4. 4.4. Summary
    9. 5. Considerations for Secure Coding and Testing
      1. 5.1. Introduction
      2. 5.2. Code Analysis
        1. 5.2.1. Common Software Code Vulnerabilities
          1. Input Validation
          2. Exceptions
          3. Buffer Overflows
          4. SQL Injection
          5. Race Conditions
        2. 5.2.2. Source Code Review
          1. Static Code Analysis Tools
          2. Metric Analysis
          3. Code Analysis Process Diagrams
      3. 5.3. Coding Practices
        1. 5.3.1. Sources of Additional Information on Secure Coding
      4. 5.4. Software Security Testing
        1. 5.4.1. Contrasting Software Testing and Software Security Testing
          1. Security Testing Methods
        2. 5.4.2. Functional Testing
          1. Some Caveats
          2. Testing Beyond Requirements
        3. 5.4.3. Risk-Based Testing
          1. Defining Tests for Negative Requirements
      5. 5.5. Security Testing Considerations Throughout the SDLC
        1. 5.5.1. Unit Testing
        2. 5.5.2. Testing Libraries and Executable Files
        3. 5.5.3. Integration Testing
        4. 5.5.4. System Testing
          1. Black-Box Testing
          2. Penetration Testing
        5. 5.5.5. Sources of Additional Information on Software Security Testing
      6. 5.6. Summary
    10. 6. Security and Complexity: System Assembly Challenges
      1. 6.1. Introduction
      2. 6.2. Security Failures
        1. 6.2.1. Categories of Errors
        2. 6.2.2. Attacker Behavior
      3. 6.3. Functional and Attacker Perspectives for Security Analysis: Two Examples
        1. 6.3.1. Web Services: Functional Perspective
        2. 6.3.2. Web Services: Attacker’s Perspective
        3. 6.3.3. Identity Management: Functional Perspective
        4. 6.3.4. Identity Management: Attacker’s Perspective
        5. 6.3.5. Identity Management and Software Development
      4. 6.4. System Complexity Drivers and Security
        1. 6.4.1. Wider Spectrum of Failures
          1. Partitioning Security Analysis
          2. Mitigations
        2. 6.4.2. Incremental and Evolutionary Development
        3. 6.4.3. Conflicting or Changing Goals Complexity
          1. Mitigations
      5. 6.5. Deep Technical Problem Complexity
        1. Mitigations
      6. 6.6. Summary
    11. 7. Governance, and Managing for More Secure Software
      1. 7.1. Introduction
      2. 7.2. Governance and Security
        1. 7.2.1. Definitions of Security Governance
        2. 7.2.2. Characteristics of Effective Security Governance and Management
      3. 7.3. Adopting an Enterprise Software Security Framework
        1. 7.3.1. Common Pitfalls
          1. Lack of Software Security Goals and Vision
          2. Creating a New Group
          3. Software Security Best Practices Nonexistent
          4. Software Risk Doesn’t Support Decision Making
          5. Tools as the Answer
        2. 7.3.2. Framing the Solution
          1. “Who, What, When” Structure
          2. Focus on Resisting Attack, Not Including Security Features
          3. Possess Five Competencies
        3. 7.3.3. Define a Roadmap
      4. 7.4. How Much Security Is Enough?
        1. 7.4.1. Defining Adequate Security
          1. Risk Tolerance
        2. 7.4.2. A Risk Management Framework for Software Security
          1. Five Stages of Activity
            1. 1. Understand the Business Context
            2. 2. Identify Business and Technical Risks
            3. 3. Synthesize and Prioritize Risks
            4. 4. Define the Risk Mitigation Strategy
            5. 5. Fix the Problems and Validate the Fixes
          2. Measurement and Reporting on Risk
          3. The Multilevel-Loop Nature of the RMF
      5. 7.5. Security and Project Management
        1. 7.5.1. Project Scope
        2. 7.5.2. Project Plan
          1. Software Security Practices in the Development Life Cycle
          2. Activities Required to Complete Deliverables
        3. 7.5.3. Resources
          1. Tools
          2. Knowledge and Expertise
        4. 7.5.4. Estimating the Nature and Duration of Required Resources
        5. 7.5.5. Project and Product Risks
        6. 7.5.6. Measuring Software Security
          1. Process Measures for Secure Development
          2. Product Measures for Secure Development
      6. 7.6. Maturity of Practice
        1. 7.6.1. Protecting Information
        2. 7.6.2. Audit’s Role
        3. 7.6.3. Operational Resilience and Convergence
        4. 7.6.4. A Legal View
        5. 7.6.5. A Software Engineering View
        6. 7.6.6. Exemplars
      7. 7.7. Summary
    12. 8. Getting Started
      1. 8.1. Where to Begin
      2. 8.2. In Closing
    13. Glossary
    14. References
    15. Build Security In Web Site References