Mark S. Merkow; Lakshmikanth Raghavan

Secure and Resilient Software Development




Availability: normally available in 20 days
Because of Brexit-related supply problems, delivery delays are possible.


PRICE
129,98 €
NICEPRICE
123,48 €
DISCOUNT
5%



This product qualifies for FREE SHIPPING
when you select the Corriere Veloce option at checkout.


Can also be paid for with the Carta della cultura giovani e del merito, the 18App Bonus Cultura and the Carta del Docente.




Free shipping

Details

Genre: Book
Language: English
Publication: 06/2010
Edition: 1st edition





Publisher's note

Although many software books highlight open problems in secure software development, few provide easily actionable, ground-level solutions. Breaking the mold, Secure and Resilient Software Development teaches you how to apply best practices and standards for consistent and secure software development. It details specific quality software development strategies and practices that stress resilience requirements with precise, actionable, and ground-level inputs. Providing comprehensive coverage, the book illustrates all phases of the secure software development life cycle. It shows developers how to master non-functional requirements including reliability, security, and resilience. The authors provide expert-level guidance through all phases of the process and supply many best practices, principles, testing practices, and design methodologies. For updates to this book and ongoing activities of interest to the secure and resilient software community, please visit: www.srsdlc.com

"Secure and Resilient Software Development provides a strong foundation for anyone getting started in application security. Most application security books fall into two categories: business-oriented and vague or ridiculously super technical. Mark and Laksh draw on their extensive experience to bridge this gap effectively. The book consistently links important technical concepts back to the business reasons for application security with interesting stories about real companies dealing with application security issues." —Jeff Williams, Chair, The OWASP Foundation




Contents

How Does Software Fail Thee? Let Us Count the Ways
Vulnerabilities Abound
Security Flaws Are Omnipresent
Cars Have Their Share of Computer Problems Too
Tracing the Roots of Defective Software
What Are the True Costs of Insecure Software to Global Enterprises?
Addressing Security Questions Addresses Resilience
Characteristics of Secure and Resilient Software
Functional Versus Nonfunctional Requirements
Testing Nonfunctional Requirements
Families of Nonfunctional Requirements
Availability
Capacity
Efficiency
Interoperability
Manageability
Cohesion
Coupling
Maintainability
Performance
Portability
Privacy
Recoverability
Reliability
Scalability
Security
Serviceability/Supportability
Characteristics of Good Requirements
Eliciting Nonfunctional Requirements
Documenting Nonfunctional Requirements
Security and Resilience in the Software Development Life Cycle
Resilience and Security Begin from Within
Requirements Gathering and Analysis
Systems Design and Detailed Design
Functional Decomposition
Categorizing Threats
Ranking Threats
Mitigation Planning
Design Reviews
Development (Coding) Phase
Static Analysis
Peer Review
Unit Testing
Testing
Deployment
Security Training
Proven Best Practices for Resilient Applications
Critical Concepts
The Security Perimeter
Attack Surface
Mapping the Attack Surface
Side Channel Attacks
Application Security and Resilience Principles
Practice 1: Apply Defense in Depth
Practice 2: Use a Positive Security Model
Practice 3: Fail Securely
Practice 4: Run with Least Privilege
Practice 5: Avoid Security by Obscurity
Practice 6: Keep Security Simple
Practice 7: Detect Intrusions
Log All Security-Relevant Information
Ensure That the Logs Are Monitored Regularly
Respond to Intrusions
Practice 8: Don't Trust Infrastructure
Practice 9: Don't Trust Services
Practice 10: Establish Secure Defaults
Mapping Best Practices to Nonfunctional Requirements
Designing Applications for Security and Resilience
Design Phase Recommendations
Misuse Case Modeling
Security Design and Architecture Review
Threat and Risk Modeling
Risk Analysis and Modeling
Security Requirements and Test Case Generation
Design to Meet Nonfunctional Requirements
Design Patterns
Architecting for the Web
Architecture and Design Review Checklist
Programming Best Practices
The Evolution of Software Attacks
The OWASP Top 10
A1: Injection
A2: Cross-Site Scripting
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery
A6: Security Misconfiguration
A7: Failure to Restrict URL Access
A8: Unvalidated Redirects and Forwards
A9: Insecure Cryptographic Storage
A10: Insufficient Transport Layer Protection
OWASP Enterprise Security API (ESAPI)
Input Validation and Handling
Client-Side Versus Server-Side Validation
Input Sanitization
Canonicalization
Examples of Attacks due to Improper Input Handling
Approaches to Validating Input Data
Handling Bad Input
ESAPI Interfaces
Cross-Site Scripting
Same Origin Policy
Attacks Through XSS
Prevention of Cross-Site Scripting
ESAPI Interfaces
Injection Attacks
SQL Injection
Stored Procedures
Identifying SQL Injection and Exploitation
Defending Against SQL Injection
Creating SQL Queries
Additional Controls to Prevent SQL Injection Attacks
ESAPI Interfaces
Authentication and Session Management
Attacking Log-in Functionality
Attacking Password Resets
Attacking Sensitive Transactions
Cross-Site Request Forgery
CSRF Mitigation
Session Management
Attacking Log-out Functionality
Defenses Against Log-out Attacks
Defenses Against Cookie Attacks
Session Identifiers
ESAPI Interfaces
Access Control
Avoiding Security Through Obscurity
Access Control Issues
Testing for Broken Access Control
Defenses Against Access Control Attacks
Administrator Interfaces
Protecting Administrator Interfaces
ESAPI Interfaces
Cryptography
Hashing and Password Security
Attacking the Hash
Precomputed Attacks
Message Authentication Code (MAC)
Home-Grown Algorithms
Randomness and Pseudo-Randomness
ESAPI Interfaces
Error Handling
User Error Messages
Log-in Error Messages—A Case Study
Error Message Differentiation
Developer Error Messages
Information to Be Kept Private
Structured Exception Handling
ESAPI Interfaces
Ajax and Flash
AJAX Application Traffic
AJAX Client Requests
Server Responses
Typical Attacks Against AJAX Applications
Security Recommendations for AJAX Applications
Adobe Flash—Sandbox Security Model
Cross-Domain Policy
Restrict SWF Files Embedded in HTML
Attacking Flash Applications
Securing Flash Applications
Additional Best Practices for Software Resilience
Externalize Variables
EncryptedProperties—Method Summary
Initialize Variables Properly
Do Not Ignore Values Returned by Functions
Avoid Integer Overflows
Top Secure Coding Practices
Fifty Questions to Improve Software Security
Special Considerations for Embedded Systems, Cloud Computing, and Mobile Computing Devices
Embedded Systems
Bad Assumptions About Embedded Systems Programming
New Mantras
The Framework
Distributed Applications/Cloud Computing
Representational State Transfer (REST)
REST Stateless Authentication
Attacking Distributed APIs
Securing Distributed APIs
Mobile Applications
BlackBerry
Windows Mobile
iPhone
Mobile Application Security
Security Testing of Custom Software Applications
Fixing Early Versus Fixing After Release
Testing Phases
Unit Testing
Manual Source Code Review
The Code Review Process
Automated Source Code Analysis
Automated Reviews Compared with Manual Reviews
Commercial and Free Source Code Analyzers
Fortify 360
Acquiring Commercial or Open-Source Analysis Tools
Deployment Strategy
IDE Integration for Developers
Build Integration for Governance
Regulatory Compliance
Benefits of Using Source Code Analyzers
Penetration (Pen) Testing
Penetration Testing Tools
Automated Black Box Scanning
Deployment Strategy
Gray Box Testing
Limitations and Constraints of Pen Testing Tools
Testing Commercial off-the-Shelf Systems
The Problems with Shrink-Wrapped Software
The Common Criteria for Information Technology Security Evaluation
Harmonizing Evaluation Criteria
Development
Evaluation
Operation
Key Concepts of the Common Criteria
The Security Framework
The Common Criteria Approach
The Security Environment
The Common Criteria Portal
Criticisms of the CC
The Commercial Community Responds
The BITS/FSTC Security Assurance Initiative
ICSA Labs
Evaluation Methodology
Certification Criteria
ICSA Labs Testing and Certification Process
Veracode's VerAfied Software Assurance Ratings Methodology
Assessing Software for the VerAfied Mark
Implementing Security and Resilience Using CLASP
Comprehensive, Lightweight Application Security Process (CLASP)
CLASP Concepts
Overview of the CLASP Process
CLASP Key Best Practices
Best Practice 1: Institute Awareness Programs
Best Practice 2: Perform Application Assessments
Best Practice 3: Capture Security Requirements
Best Practice 4: Implement Secure Development Practices
Best Practice 5: Build Vulnerability Remediation Procedures
Best Practice 6: Define and Monitor Metrics
Best Practice 7: Publish Operational Security Guidelines
CLASP Security Activities to Augment Software Development Processes
Applying CLASP Security Activities to Roles
Re-engineering Your SDLC for CLASP
Business Objectives
Process Milestones
Process Evaluation Criteria
Forming the Process Re-engineering Team
Sample CLASP Implementation Roadmaps
Green-Field Roadmap
Legacy Roadmap
Metrics and Models for Security and Resilience Maturity
Maturity Models for Security and Resilience
Software Assurance Maturity Model—OpenSAMM
Core Practice Areas
Levels of Maturity Assurance
The Building Security In Maturity Model (BSIMM)
BSIMM Software Security Framework
BSIMM Activities
Governance: Strategy and Metrics
Governance: Compliance and Policy
Governance: Training
Intelligence: Attack Models
Intelligence: Security Features and Design
Intelligence: Standards and Requirements
SSDL Touchpoints: Architecture Analysis
SSDL Touchpoints: Code Review
SSDL Touchpoints: Security Testing
Deplo




Authors

Mark S. Merkow, CISSP, CISM, CSSLP, works at PayPal Inc. (an eBay company) in Scottsdale, Arizona, as Manager of Security Consulting and IT Security Strategy in the Information Risk Management area. Mark has over 35 years of experience in information technology in a variety of roles, including applications development, systems analysis and design, security engineer, and security manager. Mark holds a Masters in Decision and Info Systems from Arizona State University (ASU), a Masters of Education in Distance Learning from ASU, and a BS in Computer Info Systems from ASU. In addition to his day job, Mark engages in a number of extracurricular activities, including consulting, course development, online course delivery, writing e-business columns, and writing books on information technology and information security. Mark has authored or co-authored nine books on IT and has been a contributing editor to four others. Mark remains very active in the information security community, working in a variety of roles for the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Financial Services Technology Consortium (FSTC), and the Financial Services Sector Coordinating Council (FSCCC) on Homeland Security and Critical Infrastructure Protection.

Lakshmikanth Raghavan (Laksh) works at PayPal Inc. (an eBay company) as Staff Information Security Engineer in the Information Risk Management area. He has over eight years of experience in the areas of information security and information risk management and has been providing consulting services to Fortune 500 companies and financial services companies around the world in his previous stints. He is a Certified Ethical Hacker (CEH) and also maintains the Certified Information Security Manager (CISM) certificate from ISACA (previously known as the Information Systems Audit and Control Association). Laksh holds a Bachelor's degree in Electronics & Telecommunication Engineering from the University of Madras, India. Laksh enjoys writing security-related articles and has spoken on the various dimensions of software security at industry forums and security conferences.










Other information

ISBN: 9781439826966
Condition: New
Dimensions: 9.25 x 6.25 in, 1.50 lb
Format: Hardcover
Illustration notes: 57 b/w images and 19 tables
Pages: 404

