Book Review: Software Security - Building Security In

I'm jealous. No seriously. If Cigital is actually run as depicted in the
book Software Security - Building Security In, I have to give kudos to Gary
and the gang for making an impressive environment for software security.

I'm a fan of Gary's writing. If you are a regular reader, you know I loved
both his books on Building Secure Software and Exploiting Software. This
latest book is, in my mind at least, a balancing act between the two
previous books on the topic. Gary calls it the "Yin and Yang", which makes
total sense, since the book cover is exactly that: a white hat and a
black hat (taken from the other two books), positioned in the Chinese
yin/yang symbol.

I always thought that my favorite book on software security would be
"Writing Secure Code" by Michael Howard. I really liked how it was
presented, and it offered security software engineering best practices that
I felt could be passed on to others on teams that I worked with. But now,
Gary has given me a new book to put in my arsenal of knowledge. Not a
practical coding book on the topic like I felt I got from Michael's writing,
but a book that I feel managers of that process can use to build better
software security processes and systems in a team.

The book touches on a number of critical components for software security:

- Risk management frameworks and processes
- Code review using static analysis tools
- Architectural risk analysis
- Penetration testing
- Security testing
- Abuse case development

I have to admit, it was somewhat of a battle in the first section of the
book as it was somewhat dry. The content itself was good and required
information to round out this book, but just how do you jazz up discussing
risk management frameworks? When Gary sent me the book he followed up with
an email warning me about that... but by that time I had already trudged
through it. The good news is, it's a small pain... as the content gets more
exciting as you progress. And to be fair, anyone who is going to manage the
software security process in an organization will find they will learn
something in that section. So nothing is really lost there.

By the time you get into part two of the book focused on what Gary calls
"The 7 Touchpoints of Software Security", you know why he is well respected
in our field. He knows what he is talking about. The 7 touchpoints?

- Code review
- Architectural risk analysis
- Penetration testing
- Risk-based security tests
- Abuse cases
- Security requirements
- Security operations

You know... all the exciting stuff!! By the time you get through the 7
touchpoints, if you don't "get it" by then, there is little hope for you.
The interesting point here is that each touchpoint is really in a lifecycle,
VERY similar to the security development lifecycle Michael has been
presenting on behalf of Microsoft for the last few years. I think they both
have it figured out, but tainted towards their own company's objectives.

My thoughts on the book? A lot of content in this book isn't for the regular
coding geek that needs to learn about software security. Get Gary's other
books for that. But if you are the project manager of the team that the
aforementioned geek works on, or are responsible for software security in
your organization, get this book. If you have the responsibility and
authority to set the direction and process in your environment, you will
find this book useful. Near the front of the book there is a section in
which reviewers comment on their thoughts of the book. I think Bruce
Schneier said it best:

"When it comes to software security, the devil is in the details. This book
tackled the details."

I couldn't have said it better myself. Actually, I won't even try.

Great book. Worth recommending to anyone in the software security field. 4
out of 5 stars.
http://silverstr.ufies.org/blog/

-- 
Regard: Joh@nnes  :-))
"If U know neither the enemy nor yourself,U will succumb in every battle"


Johannes
4/16/2006 3:38:59 PM
grc.security.software