Software Security Engineering: A Guide for Project Managers (Paperback)
暫譯: 軟體安全工程:專案經理指南 (平裝本)
Julia H. Allen, Sean Barnum, Robert J. Ellison, Gary McGraw, Nancy R. Mead
- 出版商: Addison Wesley
- 出版日期: 2008-05-01
- 售價: $2,160
- 貴賓價: 9.5 折 $2,052
- 語言: 英文
- 頁數: 368
- 裝訂: Paperback
- ISBN: 032150917X
- ISBN-13: 9780321509178
-
相關分類:
資訊安全
立即出貨 (庫存 < 3)
買這商品的人也買了...
-
$399Hacking Exposed: Network Security Secrets & Solutions, 3/e (Paperback) -
Exploiting Software : How to Break Code (Paperback)$2,275$2,161 -
PHP 5 動態網頁入門實務$620$490 -
Mastering FreeBSD and OpenBSD Security (Paperback)$2,120$2,014 -
Software Security: Building Security In (Paperback)$2,630$2,499 -
鳥哥的 Linux 私房菜基礎學習篇, 2/e$780$663 -
Hacking Exposed Web Applications, 2/e (Paperback)$1,930$1,834 -
Hacking Exposed Windows: Microsoft Windows Security Secrets and Solutions, 3/e (Paperback)$2,510$2,385 -
跟我學 Office 2007, 2/e$299$236 -
Exploiting Online Games: Cheating Massively Distributed Systems (Paperback)$1,730$1,644 -
$1,235The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws -
最新 PHP + MySQL + AJAX 網頁程式設計$650$514 -
Interconnecting Cisco Network Devices, Part 1 (ICND1): CCNA Exam 640-802 and ICND1 Exam 640-822, 2/e$2,390$2,271 -
完全制霸-Office 2007 技巧的便利貼$399$315 -
程式之美-微軟技術面試心得$490$417 -
大話設計模式$620$527 -
$1,162Web Security Testing Cookbook (Paperback) -
Google Android SDK 開發範例大全$750$638 -
Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-' (Paperback)$2,050$1,948 -
Android 技術內幕-探索 Android 核心原理與系統開發$580$458 -
深入淺出 iPhone 與 iPad 開發, 第二版 (Head First iPhone and iPad Development, 2/e)$880$695 -
$399Security Metrics, A Beginners Guide (Paperback) -
Windows Server 2008 R2 整合 Windows 7 企業現場實戰$560$442 -
$1,320Hacking Exposed Mobile Security Secrets & Solutions (Paperback) -
$3,430Computer Architecture : A Quantitative Approach, 6/e (Paperback)
商品描述
“This book’s broad overview can help an organization choose a set of processes, policies, and techniques that are appropriate for its security maturity, risk tolerance, and development style. This book will help you understand how to incorporate practical security techniques into all phases of the development lifecycle.”
—Steve Riley, senior security strategist, Microsoft Corporation
“There are books written on some of the topics addressed in this book, and there are other books on secure systems engineering. Few address the entire life cycle with a comprehensive overview and discussion of emerging trends and topics as well as this one.”
—Ronda Henning, senior scientist-software/security queen, Harris Corporation
Software that is developed from the beginning with security in mind will resist, tolerate, and recover from attacks more effectively than would otherwise be possible. While there may be no silver bullet for security, there are practices that project managers will find beneficial. With this management guide, you can select from a number of sound practices likely to increase the security and dependability of your software, both during its development and subsequently in its operation.
Software Security Engineering draws extensively on the systematic approach developed for the Build Security In (BSI) Web site. Sponsored by the Department of Homeland Security Software Assurance Program, the BSI site offers a host of tools, guidelines, rules, principles, and other resources to help project managers address security issues in every phase of the software development life cycle (SDLC). The book’s expert authors, themselves frequent contributors to the BSI site, represent two well-known resources in the security world: the CERT Program at the Software Engineering Institute (SEI) and Cigital, Inc., a consulting firm specializing in software security.
This book will help you understand why
- Software security is about more than just eliminating vulnerabilities and conducting penetration tests
- Network security mechanisms and IT infrastructure security services do not sufficiently protect application software from security risks
- Software security initiatives should follow a risk-management approach to identify priorities and to define what is “good enough”—understanding that software security risks will change throughout the SDLC
- Project managers and software engineers need to learn to think like an attacker in order to address the range of functions that software should not do, and how software can better resist, tolerate, and recover when under attack
Chapter 1: Why Is Security a Software Issue? 1
1.1 Introduction 1
1.2 The Problem 2
1.3 Software Assurance and Software Security 6
1.4 Threats to Software Security 9
1.5 Sources of Software Insecurity 11
1.6 The Benefits of Detecting Software Security Defects Early 13
1.7 Managing Secure Software Development 18
1.8 Summary 23
Chapter 2: What Makes Software Secure? 25
2.1 Introduction 25
2.2 Defining Properties of Secure Software 26
2.3 How to Influence the Security Properties of Software 36
2.4 How to Assert and Specify Desired Security Properties 61
2.5 Summary 71
Chapter 3: Requirements Engineering for Secure Software 73
3.1 Introduction 73
3.2 Misuse and Abuse Cases 78
3.3 The SQUARE Process Model 84
3.4 SQUARE Sample Outputs 91
3.5 Requirements Elicitation 99
3.6 Requirements Prioritization 106
3.7 Summary 112
Chapter 4: Secure Software Architecture and Design 115
4.1 Introduction 115
4.2 Software Security Practices for Architecture and Design: Architectural Risk Analysis 119
4.3 Software Security Knowledge for Architecture and Design: Security Principles, Security Guidelines, and Attack Patterns 137
4.4 Summary 148
Chapter 5: Considerations for Secure Coding and Testing 151
5.1 Introduction 151
5.2 Code Analysis 152
5.3 Coding Practices 160
5.4 Software Security Testing 163
5.5 Security Testing Considerations Throughout the SDLC 173
5.6 Summary 180
Chapter 6: Security and Complexity: System Assembly Challenges 183
6.1 Introduction 183
6.2 Security Failures 186
6.3 Functional and Attacker Perspectives for Security Analysis: Two Examples 189
6.4 System Complexity Drivers and Security 203
6.5 Deep Technical Problem Complexity 215
6.6 Summary 217
Chapter 7: Governance, and Managing for More Secure Software 221
7.1 Introduction 221
7.2 Governance and Security 223
7.3 Adopting an Enterprise Software Security Framework 226
7.4 How Much Security Is Enough? 236
7.5 Security and Project Management 244
7.6 Maturity of Practice 259
7.7 Summary 266
Chapter 8: Getting Started 267
8.1 Where to Begin 269
8.2 In Closing 281
商品描述(中文翻譯)
“本書的廣泛概述可以幫助組織選擇一套適合其安全成熟度、風險容忍度和開發風格的流程、政策和技術。本書將幫助您了解如何將實用的安全技術融入開發生命週期的所有階段。”
—Steve Riley,微軟公司資深安全策略師
“有些主題在本書中有專門的書籍,而其他書籍則專注於安全系統工程。很少有書籍能像這本書一樣全面地涵蓋整個生命週期,並討論新興趨勢和主題。”
—Ronda Henning,哈里斯公司資深科學家-軟體/安全專家
從一開始就考慮安全性開發的軟體,將比其他情況下更有效地抵抗、容忍和從攻擊中恢復。雖然安全性可能沒有萬能的解決方案,但有一些實踐是專案經理會發現有益的。通過這本管理指南,您可以從多種可靠的實踐中選擇,這些實踐可能會提高您軟體的安全性和可靠性,無論是在開發過程中還是在後續運行中。
軟體安全工程廣泛借鑒了為Build Security In (BSI)網站開發的系統化方法。該網站由國土安全部軟體保證計畫贊助,提供一系列工具、指導方針、規則、原則和其他資源,以幫助專案經理在軟體開發生命週期(SDLC)的每個階段解決安全問題。本書的專家作者,自己也是BSI網站的頻繁貢獻者,代表了安全領域的兩個知名資源:軟體工程研究所(SEI)的CERT計畫和專注於軟體安全的顧問公司Cigital, Inc。
本書將幫助您了解為什麼
- 軟體安全不僅僅是消除漏洞和進行滲透測試
- 網路安全機制和IT基礎設施安全服務不足以保護應用軟體免受安全風險
- 軟體安全倡議應遵循風險管理方法,以確定優先事項並定義什麼是“足夠好”——理解軟體安全風險在SDLC過程中會變化
- 專案經理和軟體工程師需要學會像攻擊者一樣思考,以解決軟體不應該執行的各種功能,以及軟體在受到攻擊時如何更好地抵抗、容忍和恢復
第一章:為什麼安全是軟體問題? 1
1.1 介紹 1
1.2 問題 2
1.3 軟體保證與軟體安全 6
1.4 軟體安全威脅 9
1.5 軟體不安全的來源 11
1.6 早期檢測軟體安全缺陷的好處 13
1.7 管理安全軟體開發 18
1.8 總結 23
第二章:什麼使軟體安全? 25
2.1 介紹 25
2.2 定義安全軟體的屬性 26
2.3 如何影響軟體的安全屬性 36
2.4 如何聲明和指定所需的安全屬性 61
2.5 總結 71
第三章:安全軟體的需求工程 73
3.1 介紹 73
3.2 誤用和濫用案例 78
3.3 SQUARE過程模型 84
3.4 SQUARE範例輸出 91
3.5 需求引導 99
3.6 需求優先排序 106
3.7 總結 112
第四章:安全軟體架構與設計 115
4.1 介紹 115
4.2 架構和設計的軟體安全實踐:架構風險分析 119
4.3 架構和設計的軟體安全知識:安全原則、安全指導方針和攻擊模式 137
4.4 總結 148
第五章:安全編碼和測試的考量 151
5.1 介紹 151
5.2 代碼分析 152
5.3 編碼實踐 160
5.4 軟體安全測試 163
5.5 SDLC過程中的安全測試考量 173
5.6 總結 180
第六章:安全與複雜性:系統組裝挑戰 183
6.1 介紹 183
6.2 安全失敗 186
6.3 功能和攻擊者視角的安全分析:兩個範例 189
6.4 系統複雜性驅動因素與安全 203
6.5 深層技術問題的複雜性 215
6.6 總結 217
第七章:治理與管理更安全的軟體 221
7.1 介紹 221
7.2 治理與安全 223
7.3 採用企業軟體安全框架 226
7.4 多少安全才算足夠? 236
7.5 安全與專案管理 244
7.6 實踐的成熟度 259
7.7 總結 266
第八章:開始 267
8.1 從哪裡開始 269
8.2 結語 281
