Software Security Building Security In
by McGraw, Gary R.Edition: 1st
Format: Package
Pub. Date: 2006-01-23
Publisher(s): Addison-Wesley Professional
Other versions by this Author
-
This Item Qualifies for Free Shipping!*
*Excludes marketplace orders.
List Price: $74.99
Buy New
Usually Ships in 2-3 Business Days
$74.92
Rent Book
Select for Price
Used Book
We're Sorry
Sold Out
eBook
We're Sorry
Not Available
How Marketplace Works:
- This item is offered by an independent seller and not shipped from our warehouse
- Item details like edition and cover design may differ from our description; see seller's comments before ordering.
- Sellers much confirm and ship within two business days; otherwise, the order will be cancelled and refunded.
- Marketplace purchases cannot be returned to eCampus.com. Contact the seller directly for inquiries; if no response within two days, contact customer service.
- Additional shipping costs apply to Marketplace purchases. Review shipping costs at checkout.
Summary
Expert author, Gary McGraw, shows how to build more secure software by building security in.
Author Biography
Gary McGraw, Cigital, Inc.'s CTO, is a world authority on software security. Dr. McGraw is coauthor of five best selling books: Exploiting Software (Addison-Wesley, 2004), Building Secure Software (Addison-Wesley, 2001), Software Fault Injection (Wiley 1998), Securing Java (Wiley, 1999), and Java Security (Wiley, 1996). His new book, Software Security: Building Security In (Addison-Wesley 2006) was released in February 2006. As a consultant, Dr. McGraw provides strategic advice to major software producers and consumers. Dr. McGraw has written over ninety peer-reviewed technical publications and functions as principal investigator on grants from DARPA, National Science Foundation, and NIST's Advanced Technology Program. He serves on Advisory Boards of Authentica, Counterpane, and Fortify Software, as well as advising the CS Department at UC Davis, the CS Department at UVa, and the School of Informatics at Indiana University. Dr. McGraw holds a dual PhD in Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from UVa. He is a member of the IEEE Security and Privacy Task Force, and was recently elected to the IEEE Computer Society Board of Governors. He is the producer of the Silver Bullet Security Podcast for IEEE Security & Privacy magazine, writes a monthly column for darkreading.com, and is often quoted in the press.
Table of Contents
| Defining a discipline | p. 3 |
| A risk management framework | p. 39 |
| Introduction to software security touchpoints | p. 83 |
| Code review with a tool | p. 105 |
| Architectural risk analysis | p. 139 |
| Software penetration testing | p. 171 |
| Risk-based security testing | p. 187 |
| Abuse cases | p. 205 |
| Software security meets security operations | p. 223 |
| An enterprise software security program | p. 239 |
| Knowledge for software security | p. 259 |
| A taxonomy of coding errors | p. 277 |
| Annotated bibliography and references | p. 299 |
| Fortify source code analysis suite tutorial | p. 323 |
| ITS4 rules | p. 345 |
| An exercise in risk analysis : Smurfware | p. 385 |
| Table of Contents provided by Blackwell. All Rights Reserved. |
Excerpts
Software security has come a long way in the last few years, but we've really only just begun. Software security is the practice of building software to be secure and to function properly under malicious attack. The underlying concepts behind Software Security have developed over almost a decade and were first described inBuilding Secure SoftwareViega and McGraw 2001 andExploiting SoftwareHoglund and McGraw 2004. This book begins where its predecessors left off, describing in detail how to put software security into practice. After completingJava SecurityMcGraw and Felten 1996 and following it up withSecuring JavaMcGraw and Felten 1999, I began wondering how it was that such excellent designers, engineers, and architects went astray when it came to security. What was it about software that made security such a problem? If you wanted to build secure software, how would you do it? These questions and the perseverance of John Viega led toBuilding Secure Software. Building Secure Software (BSS), the white hat book, seems to have touched off a revolution. Security people who once relied solely on firewalls, intrusion detection, and antivirus mechanisms came to understand and embrace the necessity of better software.BSSprovides a coherent and sensible philosophical foundation for the blossoming field of software security. Exploiting Software (ES), the black hat book, provides a much-needed balance, teaching how to break software and how malicious hackers write exploits.ESis meant as a reality check for software security, ensuring that the good guys address real attacks and invent and peddle solutions that actually work. The two books are in some sense mirror images. Software Securityunifies the two sides of software security--attack and defense, exploiting and designing, breaking and building--into a coherent whole. Like the yin and the yang, software security requires a careful balance. Who This Book Is For Software Securityis a "how to" book for software security. In most organizations, software security is nobody's job, when software security really should be everyone's job. Hopefully this book will help explain both why this is so and what to do about it. The number one audience for the book is software security professionals. If your job is to analyze software for security problems, you will find this book filled to the brim with ideas and processes that you can apply today. Software security professionals should seek to use each of the best practices (which I call touchpoints) throughout the software lifecycle, follow a risk management framework, and call on software security knowledge. If you're a software security person, I'm afraid you'll have to read the whole book. As computer security evolves, the job of security analysis gets more complicated. Computer security professionals will benefit greatly from Chapters 1, 2, and 9. Chapter 1 provides a discussion of the software security problem and can help justify attention to software security. As philosophy in action, the risk management framework of Chapter 2 is directly applicable to computer security, regardless of software. Chapter 9 in particular was written for computer security professionals who may not necessarily know much about software. Turns out there is plenty for operational security people to do to enhance and support software security. We need your help. Software developers and architects almost always enjoy learning new things. Hopefully, the lessons of Software Security will find their way into many development shops. Software people will probably benefit most from the description of code review and architectural risk analysis in Chapters 4 and 5, as well as the taxonomy of coding errors described in Chapter 12. Of course, all of the best practices described in this book are designed to be directly applicable by those at the
An electronic version of this book is available through VitalSource.
This book is viewable on PC, Mac, iPhone, iPad, iPod Touch, and most smartphones.
By purchasing, you will be able to view this book online, as well as download it, for the chosen number of days.
Digital License
You are licensing a digital product for a set duration. Durations are set forth in the product description, with "Lifetime" typically meaning five (5) years of online access and permanent download to a supported device. All licenses are non-transferable.
More details can be found here.
A downloadable version of this book is available through the eCampus Reader or compatible Adobe readers.
Applications are available on iOS, Android, PC, Mac, and Windows Mobile platforms.
Please view the compatibility matrix prior to purchase.