Security-Driven Software Development: Learn to analyze and mitigate risks in your software projects 9781835462836

Trace security requirements through each development phase, mitigating multiple-layer attacks with practical examples, a

English Pages 342 Year 2024

Table of contents :
Security-Driven Software Development
Contributors
About the author
About the reviewer
Preface
Who this book is for
What this book covers
To get the most out of this book
Conventions used
Get in touch
Share your thoughts
Download a free PDF copy of this book
Part 1: Modeling a Secure Application
Chapter 1: Security Principles
What could go wrong?
Principles
Open Web Application Security Project
NIST’s Secure Software Development Framework
MITRE frameworks
Software development lifecycles
Microsoft’s Security Development Lifecycle
Confidentiality, integrity, and availability
Summary
Self-assessment questions
Answers
Chapter 2: Designing a Secure Functional Model
Requirements gathering and specification
Non-functional requirements and security
Capturing scenarios
Textual use cases and misuse cases
Graphical use cases and misuse cases
Graphical use case diagram
Graphical misuse case diagram
Example enterprise secure functional model
Purchase of tickets via self-service
Trying to purchase tickets beyond the patron limit
Summary
Self-assessment questions
Answers
Chapter 3: Designing a Secure Object Model
Identify objects and relationships
Class diagrams
Stereotypes
Invariants
Example of the enterprise secure object model
Summary
Self-assessment questions
Answers
Chapter 4: Designing a Secure Dynamic Model
Technical requirements
Object behavior
Modeling interactions between objects
UML sequence diagrams
UML activity diagrams
Constraints
Example of the enterprise secure dynamic model
Summary
Self-assessment questions
Answers
Chapter 5: Designing a Secure System Model
Partitions
Modeling interactions between partitions
UML component diagrams
Patterns
Example – developing an enterprise secure system model
Summary
Self-assessment questions
Answers
Chapter 6: Threat Modeling
Threat model overview
The STRIDE threat model
The DREAD threat model
Attack trees
Mitigations
Microsoft Threat Modeling Tool
Example of an enterprise threat model
Summary
Self-assessment questions
Answers
Part 2: Mitigating Risks in Implementation
Chapter 7: Authentication and Authorization
Authentication
Authorization
Security Models
Single sign-on and open authorization
Single sign-on (SSO)
Open authorization (OAuth)
Implementing SSO and OAuth with Google
Example of enterprise implementation
Summary
Self-assessment questions
Answers
Chapter 8: Input Validation and Sanitization
Input validation
Input sanitization
Language-specific defenses
Buffer overflows
Example of the enterprise input validation and sanitization
Summary
Self-assessment questions
Answers
Chapter 9: Standard Web Application Vulnerabilities
Injection attacks
Broken authentication and session management
Request forgery
Language-specific defenses
Example of enterprise web defenses
Summary
Self-assessment questions
Answers
Chapter 10: Database Security
Overview of SQL
SQL injection
Maintaining database correctness
Managing activity concurrency
Language-specific defenses
RBAC security in DBMS
Encryption in DBMS
An example of enterprise DB security
Summary
Self-assessment questions
Answers
Part 3: Security Validation
Chapter 11: Unit Testing
The principles of unit testing
The advantages of unit testing
Unit testing frameworks
An example of enterprise threat model
PHPUnit
JUnit
PyUnit
Summary
Self-assessment questions
Answers
Chapter 12: Regression Testing
Regression testing overview
Key concepts
Process
Benefits
Robotic process automation
The intersection of RPA and regression testing
Regression testing tools
Load testing
Integration and complementarity
UI.Vision RPA
Example of the enterprise regression tests
Summary
Self-assessment questions
Answers
Chapter 13: Integration, System, and Acceptance Testing
Types of integration tests
Mocks
Stubs
Examples of enterprise integration testing
System testing
Acceptance testing
Summary
Self-assessment questions
Answers
Chapter 14: Software Penetration Testing
Types of tests
Phases
Tools
Information gathering and reconnaissance
Vulnerability analysis and exploitation
Post-exploitation and privilege escalation
Network sniffing
Forensics and monitoring
Reporting and documentation
An example of an enterprise penetration test report
High-level summary
Host analysis
Summary
Self-assessment questions
Answers
Index
Why subscribe?
Other Books You May Enjoy
Packt is searching for authors like you
Share your thoughts
Download a free PDF copy of this book
