Book Review: Software Security - Building Security In

I'm jealous. No seriously. If Cigital is actually run as depicted in the
book Software Security - Building Security In, I have to give kudos to Gary
and the gang for making an impressive environment for software security.
I'm a fan of Gary's writing. If you are a regular reader, you know I loved
both his books on Building Secure Software and Exploiting Software. This
latest book is, in my mind at least, a balancing act between the two
previous books on the topic. Gary calls it the "Yin and Yang", which makes
total sense, since the book cover is of exactly that, a white hat and a
black hat (taken from the other two books), positioned in the Chinese
yin/yang symbol.
I always thought that my favorite book on software security would be
"Writing Secure Code" by Michael Howard. I really liked how it was
presented, and it offered security software engineering best practices that
I felt could be passed on to others on teams that I worked with. But now,
Gary has given me a new book to put in my arsenal of knowledge. Not a
practical coding book on the topic like I felt I got from Michael's writing,
but a book that I feel managers of that process can use to build better
software security processes and systems in a team.
The book touches on a number of critical components for software security:

Risk management frameworks and processes
Code review using static analysis tools
Architectural risk analysis
Penetration testing
Security testing
Abuse case development

I have to admit, it was somewhat of a battle in the first section of the
book as it was somewhat dry. The content itself was good and required
information to round out this book, but just how do you jazz up discussing
risk management frameworks? When Gary sent me the book he followed up with
an email warning me about that... but by that time I had already trudged
through it. The good news is, it's a small pain... as the content gets more
exciting as you progress. And to be fair, anyone who is going to manage the
software security process in an organization will find they will learn
something in that section. So nothing is really lost there.
By the time you get into part two of the book focused on what Gary calls
"The 7 Touchpoints of Software Security", you know why he is well respected
in our field. He knows what he is talking about. The 7 touchpoints?

Code review
Architectural risk analysis
Penetration testing
Risk-based security tests
Abuse cases
Security requirements
Security operations

You know... all the exciting stuff!! By the time you get through the 7
touchpoints, if you don't "get it" by then, there is little hope for you.
The interesting point here is that each touchpoint is really in a lifecycle,
VERY similar to the security development lifecycle Michael has been
presenting on behalf of Microsoft for the last few years. I think they both
have it figured out, but tainted towards their own company's objectives.
My thoughts on the book? A lot of content in this book isn't for the regular
coding geek that needs to learn about software security. Get Gary's other
books for that. But if you are the project manager of the team that the
aforementioned geek works on, or are responsible for software security in
your organization, get this book. If you have the responsibility and
authority to set the direction and process in your environment, you will
find this book useful. Near the front of the book there is a section in
which reviewers comment on their thoughts of the book. I think Bruce
Schneier said it best:
When it comes to software security, the devil is in the details. This book
tackled the details.
I couldn't have said it better myself. Actually, I won't even try.
Great book. Worth recommending to anyone in the software security field. 4
out of 5 stars.
http://silverstr.ufies.org/blog/
-- 
Regard: Joh@nnes :-))
"If U know neither the enemy nor yourself,U will succumb in every battle"

Johannes
4/16/2006 3:38:59 PM
grc.security.software