E-Book, Englisch, 278 Seiten
Merkow / Raghavan Secure and Resilient Software
Erscheinungsjahr 2011
ISBN: 978-1-4398-6622-1
Verlag: Taylor & Francis
Format: PDF
Kopierschutz: Adobe DRM (»Systemvoraussetzungen)
Requirements, Test Cases, and Testing Methods
E-Book, Englisch, 278 Seiten
ISBN: 978-1-4398-6622-1
Verlag: Taylor & Francis
Format: PDF
Kopierschutz: Adobe DRM (»Systemvoraussetzungen)
Secure and Resilient Software: Requirements, Test Cases, and Testing Methods provides a comprehensive set of requirements for secure and resilient software development and operation. It supplies documented test cases for those requirements as well as best practices for testing nonfunctional requirements for improved information assurance. This resource-rich book includes:
- Pre-developed nonfunctional requirements that can be reused for any software development project
- Documented test cases that go along with the requirements and can be used to develop a Test Plan for the software
- Testing methods that can be applied to the test cases provided
- A CD with all security requirements and test cases as well as MS Word versions of the checklists, requirements, and test cases covered in the book
Offering ground-level, already-developed software nonfunctional requirements and corresponding test cases and methods, this book will help to ensure that your software meets its nonfunctional requirements for security and resilience. The accompanying CD filled with helpful checklists and reusable documentation provides you with the tools needed to integrate security into the requirements analysis, design, and testing phases of your software development lifecycle.
Some Praise for the Book:
This book pulls together the state of the art in thinking about this important issue in a holistic way with several examples. It takes you through the entire lifecycle from conception to implementation.
—Doug Cavit, Chief Security Strategist, Microsoft Corporation
.provides the reader with the tools necessary to jump-start and mature security within the software development lifecycle (SDLC).
—Jeff Weekes, Sr. Security Architect at Terra Verde Services
. full of useful insights and practical advice from two authors who have lived this process. What you get is a tactical application security roadmap that cuts through the noise and is immediately applicable to your projects.
—Jeff Williams, Aspect Security CEO and Volunteer Chair of the OWASP Foundation
Zielgruppe
Software developers, high-level programmers, software systems analysts, design teams, software testing coordinators, IT managers, and testing teams.
Autoren/Hrsg.
Fachgebiete
Weitere Infos & Material
Introduction
Secure and Resilient
Bad Design Choices Led to the Vulnerable Internet We Know Today
HTTP Has Its Problems, Too
Design Errors Continue Haunting Us Today
Requirements & Design: The Keys to a Successful Software Project
How Design Flaws Play Out DNS Vulnerability The London Stock Exchange Medical Equipment Airbus A380
Solutions Are In Sight!
Notes
Nonfunctional Requirements (NFRs) in Context
System Quality Requirements Engineering (SQUARE) Agree on Definitions Identify Assets and Security/Quality Goals Perform Risk Assessments Elicit Security Requirements Prioritize Requirements
Characteristics of Good Requirements
Summary
Notes
Resilience and Quality Considerations for Application Software and the Application Runtime Environment
Relationships among Nonfunctional Requirements
Considerations for Developing NFRs for your Applications and Runtime Environment
Checking Your Work
Summary
Notes
Security Requirements for Application Software
Security Control Types
Think Like an Attacker
Detailed Security Requirements
Identification Requirements
Authentication Requirements
Authorization Requirements
Security Auditing Requirements
Confidentiality Requirements
Integrity Requirements
Availability Requirements
Nonrepudiation Requirements
Immunity Requirements
Survivability Requirements
Systems Maintenance Security Requirements
Privacy Requirements
Summary
References
Security Services for the Application Operating Environment
The Open Group Architecture Framework (TOGAF)
Standardizing Tools for an Enterprise Architecture
Security Technical Reference Model (TRM) Identification and Authentication System Entry Control Audit Access Control Nonrepudiation Security Management Trusted Recovery Encryption Trusted Communications
Summary
References
Software Design Considerations for Security and Resilience Design Issues Architecture and Design Considerations Special Security Design Considerations for Payment Applications on Mobile Communications Devices Designing for Integrity Architecture and Design Review Checklist Summary References
Best Practices for Converting Requirements to Secure Software Designs
Secure Design Approach
Reusable Security APIs/Libraries
Security Frameworks
Establishing and Following Best Practices for Design
Security Requirements
Security Recommendations
What’s an Attack Surface?
What Is Managed Code?
Understanding Business Requirements for Security Design
Summary
References
Security Test Cases
Standardized Testing Policy
Security Test Cases Test Cases for Identification Requirements Test Cases for Authentication Requirements
Test Cases for Authorization Requirements Test Cases for Security Auditing Requirements Test Cases for Confidentiality Requirements Test Cases for Integrity Requirements Test Cases for Availability Requirements Test Cases for Nonrepudiation Requirements Test Cases for Immunity Requirements Test Cases for Survivability Requirements Test Cases for Systems Maintenance Security Requirements
Summary
Testing Methods and Best Practices
Secure Testing Approach
OWASP’s Application Security Verification Standard (ASVS) Application Security Verification Levels Level 1—Automated Verification Level 2—Manual Verification Level 3—Design Verification Level 4—Internal Verification Security Testing Methods
Manual Source Code Review
Automated Source Code Analysis Automated Reviews Compared with Manual Reviews Automated Source Code Analysis Tools—Deployment Strategy IDE Integration for Developers Build Integration for Governance Automated Dynamic Analysis Limitations of Automated Dynamic Analysis Tools Automated Dynamic Analysis Tools—Deployment Strategy Developer Testing Centralized Quality Assurance Testing
Penetration (Pen) Testing Gray Box Testing
Summary
References
Connecting the Moving Parts
OpenSAMM
Security Requirements Security Requirements: Level 1 Security Requirements: Level 2 Security Requirements: Level 3
Security Testing Security Testing: Level 1 Security Testing: Level 2 Security Testing: Level 3
Wrap-Up
References
Index
