دانلود کتاب Building in Security at Agile Speed

فهرست مطالب :

Cover Half Title Title Page Copyright Page Dedications Table of Contents Foreword Preface Acknowledgments About the Authors Chapter 1: Setting the Stage 1.1 Introduction 1.2 Current Events 1.3 The State of Software Security 1.4 What Is Secure Software? 1.5 Developing an SDL Model That Can Work with Any Development Methodology 1.5.1 Our Previous Secure Development Lifecycle Design and Methodology 1.5.2 Mapping the Security Development Lifecycle (SDL) to the Software Development Life Cycle (SDLC) 1.5.3 Software Development Methodologies 1.6 The Progression from Waterfall and Agile to Scrum: A Management Perspective 1.6.1 DevOps and CI/CD 1.6.2 Cloud Services 1.6.3 Platform Services 1.6.4 Automation 1.6.5 General Testing and Quality Assurance 1.6.6 Security Testing 1.6.7 DevSecOps 1.6.8 Education 1.6.9 Architects and Principal Engineers 1.6.10 Pulling It All Together Using Visual Analogies 1.6.11 DevOps Best Practices 1.6.12 Optimizing Your Team Size 1.7 Chapter Summary Chapter 2: Software Development Security Management in an Agile World 2.1 Introduction 2.2 Building and Managing the DevOps Software Security Organization 2.2.1 Use of the Term DevSecOps 2.2.2 Product Security Organizational Structure 2.2.3 Software Security Program Management 2.2.4 Software Security Organizational Realities and Leverage 2.2.5 Software Security Organizational and People Management Tips 2.3 Security Tools, Automation, and Vendor Management 2.3.1 Security Tools and Automation 2.3.2 DevOps Tools: Going Beyond the SDL 2.3.3 Vendor Management 2.4 DevOps Security Incident Response 2.4.1 Internal Response to Defects and Security Vulnerabilities in Your Source Code 2.4.2 External Response to Security Vulnerabilities Discovered in Your Product Source Code 2.4.3 Post-Release PSIRT Response 2.4.4 Optimizing Post-Release Third-Party Response 2.4.5 Key Success Factors 2.5 Security Training Management 2.6 Security Budget Management 2.6.1 Preparing and Delivering the Budget Message 2.6.2 Other Things to Consider When Preparing Your Budget 2.7 Security Governance, Risk, and Compliance (GRC) Management 2.7.1 SDL Coverage of Relevant Regulations, Certifications, and Compliance Frameworks 2.7.2 Third-Party Reviews 2.7.3 Post-Release Certifications 2.7.4 Privacy 2.8 Security Metrics Management 2.8.1 The Importance of Metrics 2.8.2 SDL Specific Metrics 2.8.3 Additional Security Metrics Focused on Optimizing Your DevOps Environment 2.9 Mergers and Acquisitions (M&A) Management 2.9.1 Open Source M&A Considerations 2.10 Legacy Code Management 2.11 Chapter Summary Chapter 3: A Generic Security Development Lifecycle (SDL) 3.1 Introduction 3.2 Build Software Securely 3.2.1 Produce Secure Code 3.2.2 Manual Code Review 3.2.3 Static Analysis 3.2.4 Third-Party Code Assessment 3.2.5 Patch (Upgrade or Fix) Issues Identified in Third-Party Code 3.3 Determining the Right Activities for Each Project 3.3.1 The SDL Determining Questions 3.4 Architecture and Design 3.5 Testing 3.5.1 Functional Testing 3.5.2 Dynamic Testing 3.5.3 Attack and Penetration Testing 3.5.4 Independent Testing 3.6 Assess and Threat Model Build/Release/Deploy/Operate Chain 3.7 Agile: Sprints 3.8 Key Success Factors and Metrics 3.8.1 Secure Coding Training Program 3.8.2 Secure Coding Frameworks (APIs) 3.8.3 Manual Code Review 3.8.4 Independent Code Review and Testing (by Experts or Third Parties) 3.8.5 Static Analysis 3.8.6 Risk Assessment Methodology 3.8.7 Integration of SDL with SDLC 3.8.8 Development of Architecture Talent 3.8.9 Metrics 3.9 Chapter Summary Chapter 4: Secure Design through Threat Modeling 4.1 Threat Modeling Is Foundational 4.2 Secure Design Primer 4.3 Analysis Technique 4.3.1 Before the Threat Model 4.3.2 Pre-Analysis Knowledge 4.3.3 ATASM Process 4.3.4 Target System Discovery 4.4 A Short “How To” Primer 4.4.1 Enumerate CAV 4.4.2 Structure, Detail, and Abstraction 4.4.3 Rating Risk 4.4.4 Identifying Defenses 4.5 Threat Model Automation 4.6 Chapter Summary Chapter 5: Enhancing Software Development Security Management in an Agile World 5.1 Introduction 5.2 Building and Managing the DevOps Software Security Organization 5.2.1 Continuous and Integrated Security 5.2.2 Security Mindset versus Dedicated Security Organization 5.2.3 Optimizing Security to Prevent Real-World Threats 5.3 Security Tools, Automation, and Vendor Management 5.3.1 Static Application Security Testing (SAST) 5.3.2 Dynamic Analysis Security Testing (DAST) 5.3.3 Fuzzing and Continuous Delivery 5.3.4 Unit and Functional Testing 5.3.5 Integration Testing 5.3.6 Automate Red Team Testing 5.3.7 Automate Pen Testing 5.3.8 Vulnerability Management 5.3.9 Automated Configuration Management 5.3.10 Software Composition Analysis 5.3.11 Bug Bounty Programs 5.3.12 Securing Your Continuous Delivery Pipeline 5.3.13 Vendor Management 5.4 DevOps Security Incident Response 5.4.1 Organizational Structure 5.4.2 Proactive Hunting 5.4.3 Continuous Detection and Response 5.4.4 Software Bill of Materials 5.4.5 Organizational Management 5.5 Security Training Management 5.5.1 People 5.5.2 Process 5.5.3 Technology 5.6 Security Budget Management 5.7 Security Governance, Risk, and Compliance (GRC) Management 5.8 Security Metrics Management 5.9 Mergers and Acquisitions (M&A) Management 5.10 Legacy Code Management 5.10.1 Security Issues 5.10.2 Legal and Compliance Issues 5.11 Chapter Summary Chapter 6: Culture Hacking 6.1 Introduction 6.2 Culture Must Shift 6.3 Hack All Levels 6.3.1 Executive Support 6.3.2 Mid-Management Make or Break 6.3.3 Accept All Help 6.4 Trust Developers 6.5 Build a Community of Practice 6.6 Threat Model Training Is for Everyone 6.7 Audit and Security Are Not the Same Thing 6.8 An Organizational Management Perspective 6.8.1 Security Cultural Change 6.8.2 Security Incident Response 6.8.3 Security Training 6.8.4 Security Technical Debt (Legacy Software) 6.9 Summary/Conclusion Appendix A: The Generic Security Development Lifecycle Index