دانلود کتاب Software Security Engineering: A Guide for Project Managers: A Guide for Project Managers (SEI Series in Software Engineering)

“This book’s broad overview can help an organization choose a set of processes, policies, and techniques that are appropriate for its security maturity, risk tolerance, and development style. This book will help you understand how to incorporate practical security techniques into all phases of the development lifecycle.”      ―Steve Riley, senior security strategist, Microsoft Corporation “There are books written on some of the topics addressed in this book, and there are other books on secure systems engineering. Few address the entire life cycle with a comprehensive overview and discussion of emerging trends and topics as well as this one.”      ―Ronda Henning, senior scientist-software/security queen, Harris Corporation Software that is developed from the beginning with security in mind will resist, tolerate, and recover from attacks more effectively than would otherwise be possible. While there may be no silver bullet for security, there are practices that project managers will find beneficial. With this management guide, you can select from a number of sound practices likely to increase the security and dependability of your software, both during its development and subsequently in its operation.  Software Security Engineering draws extensively on the systematic approach developed for the Build Security In (BSI) Web site. Sponsored by the Department of Homeland Security Software Assurance Program, the BSI site offers a host of tools, guidelines, rules, principles, and other resources to help project managers address security issues in every phase of the software development life cycle (SDLC). The book’s expert authors, themselves frequent contributors to the BSI site, represent two well-known resources in the security world: the CERT Program at the Software Engineering Institute (SEI) and Cigital, Inc., a consulting firm specializing in software security. This book will help you understand whySoftware security is about more than just eliminating vulnerabilities and conducting penetration testsNetwork security mechanisms and IT infrastructure security services do not sufficiently protect application software from security risksSoftware security initiatives should follow a risk-management approach to identify priorities and to define what is “good enough”―understanding that software security risks will change throughout the SDLCProject managers and software engineers need to learn to think like an attacker in order to address the range of functions that software should not do, and how software can better resist, tolerate, and recover when under attack
Chapter 1: Why Is Security a Software Issue? 11.1 Introduction 11.2 The Problem 21.3 Software Assurance and Software Security 61.4 Threats to Software Security 91.5 Sources of Software Insecurity 111.6 The Benefits of Detecting Software Security Defects Early 131.7 Managing Secure Software Development 181.8 Summary 23 Chapter 2: What Makes Software Secure? 252.1 Introduction 252.2 Defining Properties of Secure Software 262.3 How to Influence the Security Properties of Software 362.4 How to Assert and Specify Desired Security Properties 612.5 Summary 71 Chapter 3: Requirements Engineering for Secure Software 733.1 Introduction 733.2 Misuse and Abuse Cases 783.3 The SQUARE Process Model 843.4 SQUARE Sample Outputs 913.5 Requirements Elicitation 993.6 Requirements Prioritization 1063.7 Summary 112 Chapter 4: Secure Software Architecture and Design 1154.1 Introduction 1154.2 Software Security Practices for Architecture and Design: Architectural Risk Analysis 1194.3 Software Security Knowledge for Architecture and Design: Security Principles, Security Guidelines, and Attack Patterns 1374.4 Summary 148 Chapter 5: Considerations for Secure Coding and Testing 1515.1 Introduction 1515.2 Code Analysis 1525.3 Coding Practices 1605.4 Software Security Testing 1635.5 Security Testing Considerations Throughout the SDLC 1735.6 Summary 180 Chapter 6: Security and Complexity: System Assembly Challenges 1836.1 Introduction 1836.2 Security Failures 1866.3 Functional and Attacker Perspectives for Security Analysis: Two Examples 1896.4 System Complexity Drivers and Security 2036.5 Deep Technical Problem Complexity 2156.6 Summary 217 Chapter 7: Governance, and Managing for More Secure Software 2217.1 Introduction 2217.2 Governance and Security 2237.3 Adopting an Enterprise Software Security Framework 2267.4 How Much Security Is Enough? 2367.5 Security and Project Management 2447.6 Maturity of Practice 2597.7 Summary 266 Chapter 8: Getting Started 2678.1 Where to Begin 2698.2 In Closing 281