
Software Security Engineering

Content
- Intro
- SOFTWARE SECURITY ENGINEERING
- Library of Congress Cataloging-in-Publication Data
- CONTENTS
- PREFACE
- PART 1. SOFTWARE SECURITY REQUIREMENTS ENGINEERING AND MANAGEMENT
- Chapter 1 SOFTWARE SECURITY ENGINEERING: INTRODUCTION
- INTRODUCTION
- SOFTWARE ENGINEERING CHALLENGES FOR APPLICATIONS SECURITY
- SECURITY CHALLENGES
- SOFTWARE SECURITY CHALLENGES
- SOFTWARE SECURITY TAXONOMY
- SOFTWARE SECURITY PROCESS
- MICROSOFT SECURITY DEVELOPMENT LIFECYCLE (SDL)
- QBAY (QUALITY-BAY) AUCTION SYSTEM: CASE STUDY
- KEY POINTS
- EXERCISES
- REFERENCES
- Chapter 2 SOFTWARE SECURITY REQUIREMENTS ENGINEERING
- INTRODUCTION
- SECURITY SOFTWARE DEVELOPMENT LIFECYCLE PROCESS
- SOFTWARE SECURITY REQUIREMENTS ENGINEERING METHODS
- SQUARE METHOD
- TAXONOMY OF NON-FUNCTIONAL REQUIREMENTS
- CLASP, SDL, TOUCHPOINTS METHODS
- CLASP (COMPREHENSIVE, LIGHTWEIGHT APPLICATION SECURITY PROCESS)
- BEST-PRACTICE GUIDELINES
- KEY POINTS
- EXERCISES
- REFERENCES
- Chapter 3 SOFTWARE SECURITY MODELING
- 3.1. INTRODUCTION
- 3.2. RISK ANALYSIS FOR SOFTWARE SECURITY
- 3.3. THREAT MODELING AND ATTACK TREE ANALYSIS
- 3.3.1. TAM Process and Tool Used for Qbay System
- 3.3.2. Attack Trees
- 3.4. TRUST MODEL FOR SOFTWARE SECURITY
- 3.4.1. Generic Trust Model Parameters
- KEY POINTS
- EXERCISES
- REFERENCES
- APPENDIX A: THREAT MODEL FOR QBAY SYSTEM
- Business Objectives
- Roles
- Components
- External Dependencies
- Data
- Chapter 4 KNOWLEDGE ENGINEERING AND SOFTWARE SECURITY FOR SOFTWARE PRODUCT LINES
- INTRODUCTION
- INTELLIGENT SYSTEMS AND SOFTWARE ENGINEERING
- DOMAIN ENGINEERING METHOD FOR PRODUCT-LINE DEVELOPMENT
- Knowledge-based Domain Engineering Method
- Asset Library Management
- Services, Use Cases and Features
- Knowledge-based Tool Support
- KNOWLEDGE MANAGEMENT FOR SOFTWARE PRODUCT LINE
- RESEARCH TRENDS AND FUTURE DIRECTIONS
- KEY POINTS
- EXERCISES
- SUMMARY
- REFERENCES
- Chapter 5 SOFTWARE SECURITY ASSURANCE AND MANAGEMENT
- INTRODUCTION
- SOFTWARE QUALITY ASSURANCE
- SOFTWARE SECURITY ASSURANCE
- SOFTWARE SECURITY METRICS
- SOURCE CODE ANALYSIS METRICS
- BUILDING RESILIENT AND SECURE SOFTWARE SYSTEMS
- SOCIAL ENGINEERING FOR SOFTWARE SECURITY AND RESILIENCY
- SOFTWARE SECURITY ASSURANCE DOCUMENT TEMPLATES
- SUMMARY
- KEY POINTS
- EXERCISES
- REFERENCES
- PART 2. DESIGN, BEST-PRACTICE GUIDELINES, TESTING AND IMPROVEMENT MODELS FOR SOFTWARE SECURITY
- Chapter 6 DESIGN FOR SOFTWARE SECURITY
- INTRODUCTION
- SECURITY DESIGN PRINCIPLES
- SOFTWARE SECURITY ARCHITECTURE
- SOFTWARE ARCHITECTURE DESIGN AND REVIEW GUIDELINES
- DEVELOPMENT FOR SOFTWARE SECURITY
- AUTOMATED TOOL SUPPORT FOR IMPROVING CODE SECURITY
- KEY POINTS
- EXERCISES
- REFERENCES
- Chapter 7 COMPONENTS-BASED SOFTWARE ENGINEERING (CBSE) FOR SOFTWARE SECURITY
- LEARNING OBJECTIVE
- INTRODUCTION
- COMPONENT-BASED SOFTWARE ENGINEERING (CBSE) AND BEST-PRACTICE DESIGN GUIDELINES
- GUIDELINES-BASED SOFTWARE ENGINEERING
- GUIDELINES, OBSERVATIONS, EMPIRICAL STUDIES TO LAWS AND THEORIES
- COMPONENT-BASED DEVELOPMENT FOR SOFTWARE SECURITY PROCESS
- SOFTWARE COMPONENT MODEL FOR SECURITY
- SECURED DESIGN OF SOFTWARE COMPONENTS
- KEY POINTS
- EXERCISES
- REFERENCES
- Chapter 8 CODE SECURITY: BEST-PRACTICE GUIDELINES AND EXAMPLES
- INTRODUCTION
- BEST-PRACTICE SOFTWARE SECURITY DESIGN GUIDELINES
- VULNERABILITY ASSESSMENT PROCESS
- BEST PROGRAMMING PRACTICES
- JAVA SECURITY
- ASP.NET ARCHITECTURE AND SECURITY PRINCIPLES
- WEB-SERVICES SECURITY
- KEY POINTS
- EXERCISES
- REFERENCES
- Chapter 9 SOFTWARE SECURITY TESTING
- INTRODUCTION
- THE V MODEL-BASED SOFTWARE SECURITY TESTING PROCESS
- SOFTWARE SECURITY REQUIREMENTS-BASED TESTING
- STATIC ANALYSIS OF SOURCE CODE
- PENETRATION TESTING
- RISK-BASED SOFTWARE SECURITY TESTING
- TOOL SUPPORT
- APPENDIX A: SOFTWARE SECURITY TEST PLAN
- APPENDIX B: SOFTWARE SECURITY ATTACK TREE AND ATTACK PATTERNS TEST PLAN
- APPENDIX C: SOFTWARE SECURITY VULNERABILITIES (SSV) TEST PLAN
- KEY POINTS
- EXERCISES
- REFERENCES
- Chapter 10 INTERNET SECURITY IMPROVEMENT MODEL
- 1. INTRODUCTION
- 2. INTERNET SECURITY
- 2.1. Basic Security Techniques
- 2.2.1. Physical Security
- 2.2.2. Protecting the Perimeter of the Network Using Firewalls
- 2.2.3. Protecting the Inner Circle of the Network Using Firewalls
- 2.2.4 Encryption and Authentication Management When w
- 3. WEB-SERVICES SECURITY
- 4. INTERNET SECURITY ASSESSMENT AND IMPROVEMENT PROCESS MODELS
- 3.1. Security-improvement Model
- 3.1.1 Level 1 Initial Assessment Results This is t
- RESULTS AND CONCLUSIONS
- KEY POINTS
- EXERCISES
- REFERENCES
- APPENDIX 1 SECURITY CHECKLISTS (SCHWEITZER, 2003)
- Developing a Computer Security Incident Response
- Recognizing Signs of an Intrusion
- Monitoring Systems for Intrusion in a Windows Environment
- NIPC Recommendations for Incident Victims
- Incident Reporting Assessment
- Preparing Systems for Data Collection
- IT Contingency-Planning Process
- NIST Forensic Tool Requirements
- Dealing with Digital Evidence Obtained from a Memory Dump
- Detecting Malicious Code and Intruders
- Collecting Log File Data
- Reviewing Operating System and Network Logs
- Retrieving and Analyzing Clues
- Basic Procedures for Collecting and Preserving Evidence
- Computer Evidence Guidelines
- The Order of Evidence Collection
- Collecting Volatile Evidence
- Building an Incident Response/Forensic Toolkit
- Selecting Incident Response/Forensic Tools
- Incident Containment and Eradication of Vulnerabilities
- Maintaining Chain-of-Custody Notes
- Disaster Recovery and Follow-Up
- The Goals of a Disaster Recovery Plan
- Developing a Disaster Recovery Plan
- Restoring the System
- Disaster Recovery Plan Training Goals for Employees
- Implementing and Maintaining an Effective Records Security Program
- Authentication Methods for Electronic Records
- Procedures to Improve the Legal Admissibility of Electronic Records as Evidence
- Creating a Backup Plan
- Post-Incident Monitoring and Analysis
- Incident Postmortem Questions
- Removing a Hacker from the System
- Network Security Audit Elements
- Computer Security Policy Goals
- Security Policy Assessment Elements
- The Basic Six-Step Computer Security Audit Process
- Analyzing Workstations
- Security Policy Audit Checklist Questions
- Analyzing Network Servers
- Security Policy Mistakes to Avoid
- Information Security Precautions
- PART 3. APPLICATIONS AND CASE STUDIES
- Chapter 11 SOFTWARE SECURITY-BASED DEVELOPMENT FOR CLOUD COMPUTING APPLICATIONS
- INTRODUCTION
- BACKGROUND AND CHARACTERISTICS OF CLOUD COMPUTING
- CLOUD SERVICES
- Service-oriented Component Architectures
- Characteristics of Service-Oriented Systems for the Cloud
- DEVELOPMENT PROCESS MODEL FOR CLOUD APPLICATIONS
- BEST-PRACTICE SOFTWARE DESIGN GUIDELINES
- COMPONENT MODEL FOR CLOUD APPLICATIONS AND SERVICES
- Component Model and Design Guidelines for Security in Cloud Computing
- Component Model and Design Guidelines for Software as a Service (SaaS)
- Component Model and Design Guidelines for Platform as a Service (PaaS)
- Component Model and Design Guidelines for Infrastructure as a Service (IaaS)
- COMPONENT COMPOSITION FOR AMAZON CLOUD ARCHITECTURE
- KEY POINTS
- EXERCISES
- REFERENCES
- Chapter 12 SECURED SOFTWARE COMPONENTS FOR ERP SYSTEMS
- INTRODUCTION
- PROBLEM OF CURRENT ERP DESIGN
- SOFTWARE SECURITY, CBSE AND ERP SYSTEM CHARACTERISTICS
- REQUIREMENTS ENGINEERING METHOD AND ERP MATURITY MODEL
- COMPONENT MODEL AND COMPONENT-BASED DEVELOPMENT PROCESS FOR ERP PROJECTS
- CASE STUDY: DISTRIBUTED PROCESSING SYSTEM FOR A MANUFACTURING COMPANY
- COMPONENT-ORIENTED DESIGN
- KEY POINTS
- EXERCISES
- REFERENCES
System requirements
File format: PDF
Copy-Protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (Kindle: limited support only).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our eBook Help page.