Enterprise Software Security: A Confluence of Disciplines

STRENGTHEN SOFTWARE SECURITY BY HELPING DEVELOPERS AND SECURITY EXPERTS WORK TOGETHER   Traditional approaches to securing software are inadequate. The solution: Bring software engineering and network security teams together in a new, holistic approach to protecting the entire enterprise. Now, four highly respected security experts explain why this “confluence” is so crucial, and show how to implement it in your organization.   Writing for all software and security practitioners and leaders, they show how software can play a vital, active role in protecting your organization. You’ll learn how to construct software that actively safeguards sensitive data and business processes and contributes to intrusion detection/response in sophisticated new ways. The authors cover the entire development lifecycle, including project inception, design, implementation, testing, deployment, operation, and maintenance. They also provide a full chapter of advice specifically for Chief Information Security Officers and other enterprise security executives. Whatever your software security responsibilities, Enterprise Software Security delivers indispensable big-picture guidance–and specific, high-value recommendations you can apply right now.   COVERAGE INCLUDES: • Overcoming common obstacles to collaboration between developers and IT security professionals • Helping programmers design, write, deploy, and operate more secure software • Helping network security engineers use application output more effectively • Organizing a software security team before you’ve even created requirements • Avoiding the unmanageable complexity and inherent flaws of layered security • Implementing positive software design practices and identifying security defects in existing designs • Teaming to improve code reviews, clarify attack scenarios associated with vulnerable code, and validate positive compliance • Moving beyond pentesting toward more comprehensive security testing • Integrating your new application with your existing security infrastructure • “Ruggedizing” DevOps by adding infosec to the relationship between development and operations • Protecting application security during maintenance

Table of Contents:
Preface     xiii 1 Introduction to the Problem    1 Our Shared Predicament Today    2 Why Are We in This Security Mess?     5 Ancient History     7 All Together Now     11 The Status Quo: A Great Divide     15 What’s Wrong with This Picture?     20 Wait, It Gets Worse     25 Stressing the Positive     27 Summing Up     30 Endnotes     31 2 Project Inception     33 Without a Formal Software Security Process–The Norm Today    34 The Case for a Project Security Team     42 Tasks for the Project Security Team     43 Putting Together the Project Security Team     50 Roles to Cover on the Security Team     51 Some Final Practical Considerations about Project Security Teams     64 Summing Up     67 Endnotes     68 3 Design Activities    71 Security Tiers     72 On Confluence     76 Requirements     78 Specifications     98 Design and Architecture    100 It’s Already Designed     112 Deployment and Operations Planning     115 Summing Up     121 Endnotes     121 4 Implementation Activities    123 Confluence     123 Stress the Positive and Strike the Balance    124 Security Mechanisms and Controls     126 Code Reuse     146 Coding Resources     148 Implementing Security Tiers    152 Code Reviews     154 A Day in the Life of a Servlet    157 Summing Up     167 Endnotes     167 5 Testing Activities    169 A Few Questions about Security Testing    170 Tools of the Trade     180 Security Bug Life Cycle     185 Summing Up     191 Endnotes     192 6 Deployment and Integration    193 How Does Deployment Relate to Confluence?     194 A Road Map     194 Advanced Topics in Deployment    198 Integrating with the Security Operations Infrastructure    200 Third-Generation Log Analysis Tools     213 Retrofitting Legacy and Third-Party Components     216 Notes for Small Shops or Individuals     217 Summing Up     219 Endnotes     220 7 Operating Software Securely     221 Adjusting Security Thresholds     222 Dealing with IDS in Operations     230 Identifying Critical Applications     236 CSIRT Utilization     237 Notes for Small Shops or Individuals    238 Summing Up     240 8 Maintaining Software Securely    241 Common Pitfalls     243 How Does Maintaining Software Securely Relate to Confluence?     248 Learning from History     249 Evolving Threats     251 The Security Patch     254 Special Cases     256 How Does Maintaining Software Securely Fit into Security SDLCs?     259 Summing Up     261 Endnotes     262 9 The View from the Center    263 Ideas for Encouraging Confluent Application Development    265 Toward a Confluent Network     269 Security Awareness and Training     273 Policies, Standards, and Guidelines     274 The Role of Other Departments and Corporate Entities    275 Resource Budgeting and Strategic Planning for Confluence     277 Assessment Tools and Techniques     279 Mobile Plans–Postmortem Interviews     289 Notes for Small Shops or Individuals     292 Summing Up     292 Endnotes     293 Index    295

About the Author :
Kenneth R. van Wyk is a career security guy, having started with Carnegie Mellon University’s CERT/CC in the late 1980s and subsequently worked for the United States Department of Defense and in several senior technologist roles in the commercial sector. He is the co-author of two popular O’Reilly and Associates books on incident response and secure coding. He now owns and runs KRvW Associates, LLC, a software security consulting and training practice in Virginia, USA. Mark G. Graff is the CISO of NASDAQ OMX. Formerly the chief cybersecurity strategist at Lawrence Livermore National Laboratory, he has appeared as an expert witness on computer security before Congress and analyzed electronic voting machine software security for the state of California. A past chairman of the International Forum of Incident Response and Security Teams (FIRST), Graff has lectured on risk analysis, the future of cyber security, and privacy before the American Academy for the Advancement of Science, the Federal Communications Commission (FCC), the Pentagon, and many U.S. national security facilities and think tanks. Dan S. Peters has been involved with security for longer than he had first expected when he stumbled into this field out of curiosity while making a good living as a consultant and a commercial software developer. Many security disciplines are exciting to him, but mobile security has been the most intriguing topic as of late. Before working on this book, Dan repeatedly shared his passion for security in conference presentations and numerous publications. Diana L. Burley, Ph.D., is an award-winning cyber-security workforce expert who has been honored by the U.S. Federal CIO Council and was named the CISSE 2014 Cybersecurity Educator of the Year. As a professor, researcher, and consultant on IT use and workforce development for nearly 20 years, she passionately promotes a holistic view of cyber security to influence education, policy, and practice from her home in the Washington, D.C., region.