Enterprise Software Security: A Confluence of Disciplines


By: Dan S. Peters, Mark G. Graff, Diana L. Burley, Kenneth R. van Wyk



Strengthen software security by helping developers and security experts work together

Traditional approaches to securing software are inadequate. The solution: bring software engineering and network security teams together in a new, holistic approach to protecting the entire enterprise. Now, four highly respected security experts explain why this "confluence" is so crucial, and show how to implement it in your organization. Writing for all software and security practitioners and leaders, they show how software can play a vital, active role in protecting your organization. You'll learn how to construct software that actively safeguards sensitive data and business processes and contributes to intrusion detection and response in sophisticated new ways. The authors cover the entire development lifecycle, including project inception, design, implementation, testing, deployment, operation, and maintenance. They also provide a full chapter of advice specifically for Chief Information Security Officers and other enterprise security executives. Whatever your software security responsibilities, Enterprise Software Security delivers indispensable big-picture guidance and specific, high-value recommendations you can apply right now.

Coverage includes:

  • Overcoming common obstacles to collaboration between developers and IT security professionals
  • Helping programmers design, write, deploy, and operate more secure software
  • Helping network security engineers use application output more effectively
  • Organizing a software security team before you've even created requirements
  • Avoiding the unmanageable complexity and inherent flaws of layered security
  • Implementing positive software design practices and identifying security defects in existing designs
  • Teaming to improve code reviews, clarify attack scenarios associated with vulnerable code, and validate positive compliance
  • Moving beyond pentesting toward more comprehensive security testing
  • Integrating your new application with your existing security infrastructure
  • "Ruggedizing" DevOps by adding infosec to the relationship between development and operations
  • Protecting application security during maintenance

About the Authors

Kenneth R. van Wyk is a career security guy, having started with Carnegie Mellon University's CERT/CC in the late 1980s and subsequently worked for the United States Department of Defense and in several senior technologist roles in the commercial sector. He is the co-author of two popular O'Reilly and Associates books on incident response and secure coding. He now owns and runs KRvW Associates, LLC, a software security consulting and training practice in Virginia, USA.

Mark G. Graff is the CISO of NASDAQ OMX. Formerly the chief cybersecurity strategist at Lawrence Livermore National Laboratory, he has appeared as an expert witness on computer security before Congress and analyzed electronic voting machine software security for the state of California. A past chairman of the International Forum of Incident Response and Security Teams (FIRST), Graff has lectured on risk analysis, the future of cyber security, and privacy before the American Academy for the Advancement of Science, the Federal Communications Commission (FCC), the Pentagon, and many U.S. national security facilities and think tanks.

Dan S. Peters has been involved with security for longer than he had first expected when he stumbled into this field out of curiosity while making a good living as a consultant and a commercial software developer. Many security disciplines are exciting to him, but mobile security has been the most intriguing topic as of late. Before working on this book, Dan repeatedly shared his passion for security in conference presentations and numerous publications.

Diana L. Burley, Ph.D., is an award-winning cyber-security workforce expert who has been honored by the U.S. Federal CIO Council and was named the CISSE 2014 Cybersecurity Educator of the Year. As a professor, researcher, and consultant on IT use and workforce development for nearly 20 years, she passionately promotes a holistic view of cyber security to influence education, policy, and practice from her home in the Washington, D.C., region.


Table of Contents

Preface xiii

1 Introduction to the Problem 1
  Our Shared Predicament Today 2
  Why Are We in This Security Mess? 5
  Ancient History 7
  All Together Now 11
  The Status Quo: A Great Divide 15
  What's Wrong with This Picture? 20
  Wait, It Gets Worse 25
  Stressing the Positive 27
  Summing Up 30
  Endnotes 31

2 Project Inception 33
  Without a Formal Software Security Process: The Norm Today 34
  The Case for a Project Security Team 42
  Tasks for the Project Security Team 43
  Putting Together the Project Security Team 50
  Roles to Cover on the Security Team 51
  Some Final Practical Considerations about Project Security Teams 64
  Summing Up 67
  Endnotes 68

3 Design Activities 71
  Security Tiers 72
  On Confluence 76
  Requirements 78
  Specifications 98
  Design and Architecture 100
  It's Already Designed 112
  Deployment and Operations Planning 115
  Summing Up 121
  Endnotes 121

4 Implementation Activities 123
  Confluence 123
  Stress the Positive and Strike the Balance 124
  Security Mechanisms and Controls 126
  Code Reuse 146
  Coding Resources 148
  Implementing Security Tiers 152
  Code Reviews 154
  A Day in the Life of a Servlet 157
  Summing Up 167
  Endnotes 167

5 Testing Activities 169
  A Few Questions about Security Testing 170
  Tools of the Trade 180
  Security Bug Life Cycle 185
  Summing Up 191
  Endnotes 192

6 Deployment and Integration 193
  How Does Deployment Relate to Confluence? 194
  A Road Map 194
  Advanced Topics in Deployment 198
  Integrating with the Security Operations Infrastructure 200
  Third-Generation Log Analysis Tools 213
  Retrofitting Legacy and Third-Party Components 216
  Notes for Small Shops or Individuals 217
  Summing Up 219
  Endnotes 220

7 Operating Software Securely 221
  Adjusting Security Thresholds 222
  Dealing with IDS in Operations 230
  Identifying Critical Applications 236
  CSIRT Utilization 237
  Notes for Small Shops or Individuals 238
  Summing Up 240

8 Maintaining Software Securely 241
  Common Pitfalls 243
  How Does Maintaining Software Securely Relate to Confluence? 248
  Learning from History 249
  Evolving Threats 251
  The Security Patch 254
  Special Cases 256
  How Does Maintaining Software Securely Fit into Security SDLCs? 259
  Summing Up 261
  Endnotes 262

9 The View from the Center 263
  Ideas for Encouraging Confluent Application Development 265
  Toward a Confluent Network 269
  Security Awareness and Training 273
  Policies, Standards, and Guidelines 274
  The Role of Other Departments and Corporate Entities 275
  Resource Budgeting and Strategic Planning for Confluence 277
  Assessment Tools and Techniques 279
  Mobile Plans: Postmortem Interviews 289
  Notes for Small Shops or Individuals 292
  Summing Up 292
  Endnotes 293

Index 295

Product Details

  • ISBN-13: 9780321604118
  • ISBN-10: 0321604113
  • Format: Paperback
  • Number of pages: 320
  • ID: 9780321604118
  • Weight: 514
