Software Security: Building Security in

by Gary McGraw

Synopses & Reviews

Publisher Comments:

"When it comes to software security, the devil is in the details. This book tackles the details."

--Bruce Schneier, CTO and founder, Counterpane, and author of Beyond Fear and Secrets and Lies

"McGraw's book shows you how to make the 'culture of security' part of your development lifecycle."

--Howard A. Schmidt, Former White House Cyber Security Advisor

"McGraw is leading the charge in software security. His advice is as straightforward as it is actionable. If your business relies on software (and whose doesn't), buy this book and post it up on the lunchroom wall."

--Avi Rubin, Director of the NSF ACCURATE Center; Professor, Johns Hopkins University; and coauthor of Firewalls and Internet Security

Beginning where the best-selling book Building Secure Software left off, Software Security teaches you how to put software security into practice. The software security best practices, or touchpoints, described in this book have their basis in good software engineering and involve explicitly considering security throughout the software development lifecycle. This means knowing and understanding common risks (including implementation bugs and architectural flaws), designing for security, and subjecting all software artifacts to thorough, objective risk analyses and testing.

Software Security is about putting the touchpoints to work for you. Because you can apply these touchpoints to the software artifacts you already produce as you develop software, you can adopt this book's methods without radically changing the way you work. Inside you'll find detailed explanations of

  • Risk management frameworks and processes
  • Code review using static analysis tools
  • Architectural risk analysis
  • Penetration testing
  • Security testing
  • Abuse case development

In addition to the touchpoints, Software Security covers knowledge management, training and awareness, and enterprise-level software security programs. Now that the world agrees that software security is central to computer security, it is time to put philosophy into practice. Create your own secure development lifecycle by enhancing your existing software development lifecycle with the touchpoints described in this book. Let this expert author show you how to build more secure software by building security in.
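The first touchpoint in the list above, code review with a static analysis tool, is the one most easily shown in code. The block below is an added illustration for this listing, not code from the book, from ITS4 (the rule set reproduced in the book's Appendix B) or from the Fortify suite on the CD-ROM. It imitates the simplest form the book describes: a lexical scan of C source for calls to functions that are risky by name. The rule table, the severities and the sample C file are all constructed for the example. The sample deliberately includes a function name inside a comment and inside a string literal (which a scanner must not report) and one correctly sized strcpy() that a lexical tool still flags, which is the false-positive cost behind the chapter's "Aim for Good, Not Perfect".

```python
"""
Minimal ITS4-style lexical scanner for C source (added example, not the
book's, ITS4's or Fortify's code). The rule table is a hand-written
assumption, not the real ITS4 rule set.
"""
import re
from dataclasses import dataclass

# Assumed rule table: function name -> (severity, advice). Illustrative only.
RULES = {
    "gets":    ("HIGH",   "no bound at all; use fgets() with an explicit size"),
    "strcpy":  ("HIGH",   "unbounded copy; use snprintf()/strlcpy() and check the result"),
    "strcat":  ("HIGH",   "unbounded append; use strlcat() or track remaining space"),
    "sprintf": ("HIGH",   "unbounded format into a buffer; use snprintf()"),
    "strncpy": ("MEDIUM", "may leave dest unterminated; force dest[n - 1] = '\\0'"),
    "rand":    ("LOW",    "not cryptographically random; use a CSPRNG for secrets"),
}


@dataclass
class Finding:
    line: int
    func: str
    severity: str
    advice: str
    source: str


# String/char literals and comments, blanked out before scanning so that a
# function name mentioned in a comment or a message is not reported as a call.
_TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\\n])*"'     # string literal
    r"|'(?:\\.|[^'\\\n])*'"    # character literal
    r"|/\*.*?\*/"              # block comment, possibly multi-line
    r"|//[^\n]*",              # line comment
    re.DOTALL,
)

# An identifier immediately followed by '('. The leading \b stops "strcpy"
# from matching inside "safe_strcpy"; it does not stop a definition such as
# "int gets(char *s)" from being reported, which is the price of lexical analysis.
_CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")


def strip_comments_and_strings(src: str) -> str:
    """Replace comments and literals with spaces, keeping newlines so line numbers survive."""
    return _TOKEN_RE.sub(lambda m: "".join("\n" if c == "\n" else " " for c in m.group(0)), src)


def scan(src: str) -> list:
    """Return one Finding per call to a function in RULES, in source order."""
    findings = []
    cleaned = strip_comments_and_strings(src)
    for lineno, (raw, line) in enumerate(zip(src.splitlines(), cleaned.splitlines()), 1):
        for m in _CALL_RE.finditer(line):
            name = m.group(1)
            if name in RULES:
                severity, advice = RULES[name]
                findings.append(Finding(lineno, name, severity, advice, raw.strip()))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'HIGH': 2, 'MEDIUM': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample input, written for this example.
SAMPLE_C = """\
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* strcpy() mentioned in a comment must not be reported */
static const char banner[] = "call gets() here";   /* nor inside a string literal */

int read_name(char *out, size_t outlen) {
    char tmp[64];
    gets(tmp);                  /* HIGH: no bound at all */
    strncpy(out, tmp, outlen);  /* MEDIUM: may leave out unterminated */
    return 0;
}

void copy_known_size(const char *s) {
    char *dup = malloc(strlen(s) + 1);
    strcpy(dup, s);             /* reported HIGH by name although sized correctly here */
}
"""

if __name__ == "__main__":
    results = scan(SAMPLE_C)
    for f in results:
        print(f"line {f.line}: {f.severity:6} {f.func}()  {f.advice}")
        print(f"    {f.source}")
    print("summary:", summarize(results))
```

Run stand-alone, it reports gets() on line 10, strncpy() on line 11 and strcpy() on line 17 of the sample, and nothing for the comment on line 5 or the string on line 6. The strcpy() on line 17 is the instructive one: its destination is sized from strlen(s) + 1, so the call is safe, but a scanner that only knows names cannot see that. Separating such results from real bugs is the human half of the touchpoint, and it is why the book pairs tool output with a review process rather than treating the tool as the reviewer.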

Synopsis:

What is it about software that makes security such a problem? If you want to build secure software, how do you do it? These questions and the perseverance of three of the world's leading security experts, Gary McGraw, John Viega, and Greg Hoglund, led to the three books contained in this package.

Building Secure Software: How to Avoid Security Problems the Right Way, the white hat book, seems to have touched off a revolution. Security people who once relied solely on firewalls, intrusion detection, and anti-virus mechanisms came to understand and embrace the necessity of better software. This book provides a coherent and sensible philosophical foundation for the blossoming field of software security.

Exploiting Software: How to Break Code, the black hat book, provides a much needed balance, teaching how to break software and how malicious hackers write exploits. This book is meant as a reality check for software security, ensuring that the good guys address real attacks and invent and peddle solutions that actually work. Exploiting Software and Building Secure Software are in some senses mirror images.

Software Security: Building Security In unifies the two sides of software security--attack and defense, exploiting and designing, breaking and building--into a coherent whole. Like the yin and the yang, software security requires a careful balance.

Synopsis:

A computer security expert shows readers how to build more secure software by building security in and putting it into practice. The CD-ROM contains a tutorial and demo of the Fortify Source Code Analysis Suite.

About the Author

Gary McGraw, Cigital, Inc.'s CTO, is a world authority on software security. Dr. McGraw is coauthor of five best-selling books: Exploiting Software (Addison-Wesley, 2004), Building Secure Software (Addison-Wesley, 2001), Software Fault Injection (Wiley, 1998), Securing Java (Wiley, 1999), and Java Security (Wiley, 1996). His new book, Software Security: Building Security In (Addison-Wesley, 2006), was released in February 2006. As a consultant, Dr. McGraw provides strategic advice to major software producers and consumers. Dr. McGraw has written over ninety peer-reviewed technical publications and functions as principal investigator on grants from DARPA, the National Science Foundation, and NIST's Advanced Technology Program. He serves on the advisory boards of Authentica, Counterpane, and Fortify Software, as well as advising the CS Department at UC Davis, the CS Department at UVa, and the School of Informatics at Indiana University. Dr. McGraw holds a dual PhD in Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from UVa. He is a member of the IEEE Security and Privacy Task Force, and was recently elected to the IEEE Computer Society Board of Governors. He is the producer of the Silver Bullet Security Podcast for IEEE Security & Privacy magazine, writes a monthly column for darkreading.com, and is often quoted in the press.

Table of Contents

Foreword xix
Preface xxiii
Acknowledgments xxxi
About the Author xxxv

Part I: Software Security Fundamentals 1

Chapter 1: Defining a Discipline 3
    The Security Problem 4
    Security Problems in Software 14
    Solving the Problem: The Three Pillars of Software Security 25
    The Rise of Security Engineering 37

Chapter 2: A Risk Management Framework 39
    Putting Risk Management into Practice 40
    How to Use This Chapter 41
    The Five Stages of Activity 42
    The RMF Is a Multilevel Loop 46
    Applying the RMF: KillerAppCo's iWare 1.0 Server 48
    The Importance of Measurement 73
    The Cigital Workbench 76
    Risk Management Is a Framework for Software Security 79

Part II: Seven Touchpoints for Software Security 81

Chapter 3: Introduction to Software Security Touchpoints 83
    Flyover: Seven Terrific Touchpoints 86
    Black and White: Two Threads Inextricably Intertwined 89
    Moving Left 91
    Touchpoints as Best Practices 94
    Who Should Do Software Security? 96
    Software Security Is a Multidisciplinary Effort 100
    Touchpoints to Success 103

Chapter 4: Code Review with a Tool 105
    Catching Implementation Bugs Early (with a Tool) 106
    Aim for Good, Not Perfect 108
    Ancient History 109
    Approaches to Static Analysis 110
    Tools from Researchland 114
    Commercial Tool Vendors 123
    Touchpoint Process: Code Review 135
    Use a Tool to Find Security Bugs 137

Chapter 5: Architectural Risk Analysis 139
    Common Themes among Security Risk Analysis Approaches 140
    Traditional Risk Analysis Terminology 144
    Knowledge Requirement 147
    The Necessity of a Forest-Level View 148
    A Traditional Example of a Risk Calculation 152
    Limitations of Traditional Approaches 153
    Modern Risk Analysis 154
    Touchpoint Process: Architectural Risk Analysis 161
    Getting Started with Risk Analysis 169
    Architectural Risk Analysis Is a Necessity 170

Chapter 6: Software Penetration Testing 171
    Penetration Testing Today 173
    Software Penetration Testing--a Better Approach 178
    Incorporating Findings Back into Development 183
    Using Penetration Tests to Assess the Application Landscape 184
    Proper Penetration Testing Is Good 185

Chapter 7: Risk-Based Security Testing 187
    What's So Different about Security? 191
    Risk Management and Security Testing 192
    How to Approach Security Testing 193
    Thinking about (Malicious) Input 201
    Getting Over Input 203
    Leapfrogging the Penetration Test 204

Chapter 8: Abuse Cases 205
    Security Is Not a Set of Features 209
    What You Can't Do 210
    Creating Useful Abuse Cases 211
    Touchpoint Process: Abuse Case Development 213
    An Abuse Case Example 217
    Abuse Cases Are Useful 222

Chapter 9: Software Security Meets Security Operations 223
    Don't Stand So Close to Me 224
    Kumbaya (for Software Security) 225
    Come Together (Right Now) 232
    Future's So Bright, I Gotta Wear Shades 235

Part III: Software Security Grows Up 237

Chapter 10: An Enterprise Software Security Program 239
    The Business Climate 240
    Building Blocks of Change 242
    Building an Improvement Program 246
    Establishing a Metrics Program 247
    Continuous Improvement 250
    What about COTS (and Existing Software Applications)? 251
    Adopting a Secure Development Lifecycle 256

Chapter 11: Knowledge for Software Security 259
    Experience, Expertise, and Security 261
    Security Knowledge: A Unified View 262
    Security Knowledge and the Touchpoints 268
    The Department of Homeland Security Build Security In Portal 269
    Knowledge Management Is Ongoing 274
    Software Security Now 275

Chapter 12: A Taxonomy of Coding Errors 277
    On Simplicity: Seven Plus or Minus Two 279
    The Phyla 282
    A Complete Example 290
    Lists, Piles, and Collections 292
    Go Forth (with the Taxonomy) and Prosper 297

Chapter 13: Annotated Bibliography and References 299
    Annotated Bibliography: An Emerging Literature 299
    Software Security Puzzle Pieces 318

Appendices 321

Appendix A: Fortify Source Code Analysis Suite Tutorial 323
    1. Introducing the Audit Workbench 324
    2. Auditing Source Code Manually 326
    3. Ensuring a Working Build Environment 328
    4. Running the Source Code Analysis Engine 329
    5. Exploring the Basic SCA Engine Command Line Arguments 332
    6. Understanding Raw Analysis Results 333
    7. Integrating with an Automated Build Process 335
    8. Using the Audit Workbench 339
    9. Auditing Open Source Applications 342

Appendix B: ITS4 Rules 345

Appendix C: An Exercise in Risk Analysis: Smurfware 385
    SmurfWare SmurfScanner Risk Assessment Case Study 385
    SmurfWare SmurfScanner Design for Security 390

Appendix D: Glossary 393

Index 395

Product Details

ISBN: 9780321356703
Author: McGraw, Gary
Author: Viega, John
Author: Hoglund, Greg
Publisher: Addison-Wesley Professional
Series: Addison-Wesley Software Security Series
Publication Date: January 2006
Edition Description: Trade paper
Binding: Trade paper
Subject: Computer security; Security - General; Internet - Security; Networking - Computer Security
Grade Level: Professional and scholarly
Language: English
Pages: 1392
Dimensions: 9.14 x 7 x 1.03 in, 864 g
