Description of the book Software Security. Concepts & Practices
Book title: Software Security. Concepts & Practices
Persian title: امنیت نرم افزار. مفاهیم و تمرینات (Software Security: Concepts and Practices)
Series:
Authors: Suhel Ahmad Khan, Rajeev Kumar, Raees Ahmad Khan
Publisher: CRC Press
Year of publication: 2023
Number of pages: 330
ISBN: 2022037986, 9781032361598
Language: English
Format: PDF
File size: 14 MB
Table of contents:
Cover
Half Title
Title Page
Copyright Page
Dedication
Table of Contents
Preface
Key Features
Organization of the Book
Acknowledgments
Authors
Chapter 1: Software and Security Concepts
1.1 Objectives
1.2 Security: An Overview
1.3 Security: Software Perspective
1.3.1 Security Components
1.3.2 Security Characteristics
1.3.2.1 Ability to Trust
1.3.2.2 Defects Ramifications for Security
1.3.2.3 Pervasive Approach
1.3.2.4 Failure-Free Operations
1.3.2.5 Attack Resilience
1.3.2.6 Conformance: Acting According to Specific Accepted Standards
1.3.2.7 Robustness of Operational Defense
1.3.2.8 Trustworthiness
1.3.2.9 Damage Control
1.3.2.10 Defect Removal
1.3.3 Security Types
1.3.4 Security Myths
1.3.4.1 Security Myth: 1
1.3.4.1.1 No Need to Worry About Security; I Have Exerted Enough Recitation to Control It
1.3.4.2 Security Myth: 2
1.3.4.2.1 Good News! I Have Installed Anti-Virus Software, and I Am Now Free from Viruses
1.3.4.3 Security Myth: 3
1.3.4.3.1 Installing a Software Patch Will Fix All Security Holes
1.3.4.4 Security Myth: 4
1.3.4.4.1 Software Security Is Always a Cryptographic Problem
1.3.4.5 Security Myth: 5
1.3.4.5.1 Software Security Is a Tool to Find out Bugs in Lines of Codes
1.3.4.6 Security Myth: 6
1.3.4.6.1 Secure Only High-Risk Software Applications
1.3.4.7 Security Myth: 7
1.3.4.7.1 We Don’t Have a Software Security Problem
1.3.5 Security Planning
1.4 Software Security Assurance
1.5 Software Security Models
1.6 Software Security Measurement and Metrics
1.7 Conclusion
Key Terms
Points to Remember
Objective-Type Questions
Short-Answer Type Questions
Descriptive Questions
References
Useful Links
Chapter 2: Software Security Problems
2.1 Objectives
2.2 Major Causes to Software Security
2.2.1 Connectivity
2.2.2 Extensibility
2.2.2.1 Classification of Extensibility Mechanisms
2.2.2.2 White-Box Extensibility
2.2.2.2.1 Open-Box Extensibility
2.2.2.2.2 Glass-Box Extensibility
2.2.2.3 Gray-Box Extensibility
2.2.2.4 Black-Box Extensibility
2.2.3 Complexity
2.3 Sustainable Factors for Software Security
2.3.1 Risk Management
2.3.2 Point of Interaction
2.3.3 Acquaintance
2.4 Evolution of Risk Management Framework
2.5 Protracted Cigital’s Risk Management Framework
2.5.1 Stage 1: Understanding
2.5.2 Stage 2: Identification
2.5.3 Stage 3: Synthesize
2.5.4 Stage 4: Mitigation
2.5.5 Stage 5: Validation
2.5.6 Stage 6: Review & Revision
2.6 Security Engineering: An Inclusive Approach
2.6.1 Software Security First: Societal Perspective
2.7 Conclusion
Key Terms
Points to Ponder
Objective-Type Questions
Short-Answer Type Questions
Descriptive Questions
References
Useful Links
Chapter 3: Threats to Security
3.1 Objectives
3.2 Threats
3.2.1 Physical Threat
3.2.2 Non-Physical Threat
3.2.3 Common Threat
3.3 Security Threats
3.3.1 Security Threats Based on Common Security Vulnerability
3.3.2 Security Threats Based on Security Risk
3.3.3 Software Security Risk
3.3.3.1 The CWE Top 25
3.4 Security Threats Classification
3.4.1 Errors
3.4.2 Fraud and Theft
3.4.3 Threat to Privacy
3.5 Threat Impact Analysis
3.6 Protection and Mitigation Strategies
3.6.1 Software Update and Upgrade Daily
3.6.2 Privacy and Privileges Security of Accounts
3.6.3 Security Training in Employees
3.6.4 Hunt for Network Loopholes Frequently
3.6.5 Implementation of Multifactor Authentication
3.7 Conclusion
Key Terms
Points to Remember
Objective-Type Questions
Short-Answer Type Questions
Descriptive Questions
References
Useful Links
Threat to Security
Organizational Threat
Threat Impact
Secure Development
Threat Mitigation
Chapter 4: Software Security Metrics
4.1 Objectives
4.2 Software Security Metrics
4.3 Defining Good Security Metrics
4.4 Security Metrics Collection
4.5 Security Metrics Development Process
4.6 Security Metrics Development Framework
4.6.1 Premises
4.6.2 Generic Guidelines
4.6.3 Conceptualization
4.6.4 Planning
4.6.5 Development
4.6.6 Theoretical Validation
4.6.7 Empirical Validation
4.6.8 Packaging
4.7 Conclusion
Key Terms
Point to Ponder
Objective-Type Questions
Short-Answer Type Questions
Descriptive Questions
References
Useful Links
Chapter 5: Software Security Estimation
5.1 Objectives
5.2 Security Estimation
5.2.1 Software Security Estimation
5.2.2 Security Risk Estimation
5.2.2.1 Significance of Risk Estimation
5.2.2.2 Software Security Risk Estimation
5.2.3 Vulnerability Assessment
5.2.4 Vulnerability Assessment Framework
5.2.4.1 Risk Assessment
5.2.4.2 Risk Minimization or Management
5.2.4.3 Monitoring and Adaptive Management
5.2.4.4 Some Other Security Estimating Procedures
5.3 Security Profiling
5.3.1 Environmental Profiling
5.3.2 Strategic Profiling
5.3.3 Technical Profiling
5.3.4 Operational Profiling
5.4 Operation Ability
5.5 Security Measurement Process
5.5.1 Measures, Metrics, and Indicators
5.5.2 Technical Metrics
5.6 Conclusion
Key Terms
Point to Remember
Review Questions
Objective-Type Questions
Short-Answer Type Questions
Descriptive Questions
References
Useful Links
Secure Development
Threat Mitigation
Software Engineering
Security Engineering
Risk Management
Software Security Problem
Chapter 6: Secure Software Architecture
6.1 Objectives
6.2 Software Architecture
6.2.1 Essential Qualities for Architecture Evaluation
6.3 Security Architecture and Models
6.3.1 Security Models
6.4 Security Architecture Process
6.5 Components of Security Architecture Process
6.6 Software Security Best Practices
6.7 Conclusion
Key Terms
Points to Remember
Review Questions
Objective-Type Questions
Short-Answer Type Questions
Descriptive Questions
References
Useful Links
Chapter 7: Software Security Assurance
7.1 Objectives
7.2 Software Security Assurance
7.2.1 Goals
7.2.2 Responsibilities
7.3 Establishing Software Security Assurance Program
7.3.1 Recognition
7.3.2 Review
7.3.3 Categorization
7.3.4 Estimation
7.3.5 Training and Adaptation
7.4 Information Security Assurance Framework
7.4.1 Risk Management
7.4.2 Resource Management
7.4.3 Incident Management
7.4.3.1 Threat and Vulnerability Responses
7.4.3.2 Collection of Digital Evidence
7.4.4 Training and Awareness Program
7.4.5 Technology Integration
7.4.6 Performance Management
7.5 Cybersecurity Assurance Framework
7.6 Conclusion
Key Terms
Points to Remember
Objective-Type Questions
Short-Answer Type Questions
Descriptive Questions
References
Useful Links
Chapter 8: Secure Software Development Process
8.1 Objectives
8.2 Secure Development
8.3 Microsoft Secure Development Life Cycle
8.4 OWASP Software Assurance Maturity Model
8.5 An Integrated Secure Development Framework
8.5.1 Securing Requirement Phase
8.5.2 Securing Design Phase
8.5.3 Securing Coding Phase
8.5.4 Securing Testing Phase
8.5.5 Securing Deployment Phase
8.5.6 Secure Maintenance
8.6 Conclusion
Key Terms
Points to Ponder
Objective-Type Questions
Short-Answer Type Questions
Descriptive Questions
References
Useful Links
Chapter 9: Software Security Testing
9.1 Objectives
9.2 Software Testing
9.3 Security Testing
9.4 Software Security Testing Process
9.5 An Integrated Approach
9.5.1 Security Test Strategy and Test Plan
9.5.2 Designing Security Test Cases
9.5.3 Executing Security Test Cases
9.5.4 Capturing Security Test Result
9.5.5 Capturing Security Test Metrics
9.5.6 Qualitative Assessment
9.5.7 Security Test Closure Reports
9.6 Software Security Testing Tools
9.7 Conclusion
Key Terms
Point to Remember
Objective-Type Questions
Short-Answer Type Questions
Descriptive Questions
References
Useful Links
Chapter 10: Implementing Security Testing: A Case Study
10.1 Objectives
10.2 Planning for Security Testing
10.3 Security Test Case Optimization Framework
10.3.1 Security Test Plan Specification
10.3.2 Identification of Security Attributes
10.3.3 Evaluation of Security Attributes
10.3.4 Test Case Execution & Capturing the Results
10.3.5 Optimization
10.3.6 Validation
10.3.7 Review and Revision
10.4 Test Case Evaluation
10.4.1 Case Study: Mobile Payment Wallet
10.4.2 Test Case Sampling and its Execution
10.4.2.1 Module-1: Sign In
10.4.2.2 Assumptions for ACO based Algorithm
10.5 Optimization of Security Test Cases
10.5.1 ACO based Algorithm for Optimized Security Test Case
10.5.2 Obtaining the Results through Different Techniques
10.6 Contextual Interpretation
10.7 Automated Security Testing
10.7.1 List of Automation Testing Tools
10.8 Impact and Importance
10.9 Conclusion
Key Terms
Point to Remember
Objective-Type Questions
Short-Answer Type Questions
Descriptive Questions
References
Useful Links
Chapter 11: Implementing Security: A Case Study
11.1 Objectives
11.2 The Concept
11.3 Implementations Perspective
11.4 An Integrated Approach
11.4.1 Case Study on Vulnerability Perspective
11.4.2 The Process
11.4.3 Framework Implementation
11.4.3.1 Metric-1: Attribute Vulnerability Ratio (AVR)
11.4.3.2 Algorithm Development for Computation of VPF Metric
11.4.3.3 Analysis of AVR
11.4.3.4 Metric-2: Coupling Induced Vulnerability Propagation Factor (CIVPF)
11.4.3.5 Algorithm Development for Computing CIVPF Metric
11.4.3.6 Working of an Algorithm to Compute CIVPF
11.4.3.7 Analysis of CIVPF
11.4.3.8 Metric-3: Vulnerability Confinement Capacity (VCC) of a Class
11.4.3.9 Metric-4: Vulnerability Confinement Capacity of an Object-Oriented Design
11.4.3.10 Analysis of VCC
11.4.3.11 Metric-5: Vulnerable Association of a Method
11.4.3.12 Metric-6: Vulnerable Association of a Class
11.4.3.13 Developing Algorithm for Computing VA Metric
11.4.3.14 Analysis of VA
11.4.3.15 Metric-7: Vulnerable Association of Design
11.4.4 Validation of the Framework
11.4.4.1 Computation of AVR for the Design
11.4.4.2 Computation of CIVPF for the Design
11.4.4.3 Computation of VCC for the Design
11.4.4.4 Computation of VA for the Design
11.4.5 Case Study on CIA Perspective
11.4.5.1 The Framework
11.4.5.2 Premises
11.4.5.3 Generic Guidelines
11.4.5.4 Framework Development
11.4.5.5 Framework Implementation
11.4.5.6 Establishing Correlation between Complexity Factors and Design Constructs
11.4.5.7 Establishing Correlation between Complexity Factors and Security Attributes
11.4.5.8 Model Development
11.4.5.9 Development of Confidentiality Quantification Model for Object Oriented Design (CQM OOD)
11.4.5.10 Development of Integrity Quantification Model for Object Oriented Design (IQM OOD)
11.4.5.11 Development of Availability Quantification Model for Object Oriented Design (AQM OODC)
11.4.5.12 Development of Security Quantification Model for Object Oriented Design (SQM OOD)
11.4.5.13 Validating SQM OOD
11.5 Analyzability: A Case Study
11.5.1 Assessment of Object-Oriented Design
11.5.2 Assessment of Quality Attributes
11.5.3 Mapping Maintainability Properties with Object-Oriented Design Properties
11.5.4 Calculation of Metrics Suit on Class Diagram
11.5.5 An Experimental Validation
11.5.6 Statistical Analysis
11.5.7 Contextual Interpretation
11.6 Assessment Reflection
11.7 Experiences
11.8 Societal Impacts
11.9 Conclusions
Key Terms
Points to Remember
Objective-Type Questions
Short-Answer Type Questions
Descriptive Questions
References
Useful Links
Chapter 12: Knowledge, Management, and Governance for Higher Security
12.1 Objectives
12.2 Secure Knowledge Management (SKM)
12.2.1 Security Concerns for Knowledge Management System
12.2.2 Importance of Security Knowledge and Expertise
12.3 Security Governance
12.3.1 Effective Security Governance and Management
12.3.2 Effective versus Ineffective Security Governance
12.3.3 Enterprise Software Security Framework
12.4 Secure Project Management
12.4.1 Scope of the Project
12.4.2 Reflection of Project Plan
12.4.3 Tools, Knowledge, and Expertise
12.4.4 To Estimate the Nature and Duration of Required Resources
12.4.5 Project and Product Risks
12.5 Measuring Software Security
12.5.1 Process Measures for Secure Development
12.5.2 Product Measures for Secure Development
12.6 Maturity of Practice
12.7 Protecting Information
12.7.1 Audit’s Role
12.7.2 Operational Resilience and Convergence
12.7.3 A Legal View
12.7.4 A Software Engineering View
12.8 E-governance Framework in India: e-Kranti: National e-Governance Plan (NeGP) 2.0
12.8.1 Vision, Mission, and Objectives
12.8.2 The Objectives of e-Kranti
12.8.3 Principles of e-Kranti
12.9 Digital India Initiatives
12.10 Conclusion
Key Terms
Points to Remember
Objective-Type Questions
Short-Answer Type Questions
Descriptive Questions
References
Useful Links
Chapter 13: Research Trends in Software Security Estimation
13.1 Objectives
13.2 A Multidimensional Approach
13.3 Research Trends in Security Estimation
13.4 List of Security Research Problem
13.4.1 Trend No. 1: Cyber-Security Mesh
13.4.2 Trend No. 2: Cyber-Savvy Boards
13.4.3 Trend No. 3: Vendor Consolidation
13.4.4 Trend No. 4: Identity-First Security
13.4.5 Trend No. 5: Managing Machine Identities Becoming a Critical Security Capability
13.4.6 Trend No. 6: ‘Remote Work’ Is Now Just ‘Work’
13.4.7 Trend No. 7: Breach and Attack Simulation
13.4.8 Trend No. 8: Privacy-Enhancing Computation Techniques
13.5 Future Prospects in Security Estimation
13.6 Conclusion
Key Terms
Point to Remember
Objective-Type Questions
Short-Answer Type Questions
Descriptive Questions
References
Useful Links
Index