Subtitle: None

Author:

Classification number:

ISBN:9781439866214


Description

Secure and Resilient Software: Requirements, Test Cases, and Testing Methods provides a comprehensive set of requirements for secure and resilient software development and operation. It supplies documented test cases for those requirements as well as best practices for testing nonfunctional requirements for improved information assurance.

This resource-rich book includes:

• Pre-developed nonfunctional requirements that can be reused for any software development project
• Documented test cases that go along with the requirements and can be used to develop a Test Plan for the software
• Testing methods that can be applied to the test cases provided
• A CD with all security requirements and test cases as well as MS Word versions of the checklists, requirements, and test cases covered in the book

Offering ground-level, already-developed software nonfunctional requirements and corresponding test cases and methods, this book will help to ensure that your software meets its nonfunctional requirements for security and resilience. The accompanying CD filled with helpful checklists and reusable documentation provides you with the tools needed to integrate security into the requirements analysis, design, and testing phases of your software development lifecycle.

Some Praise for the Book:

This book pulls together the state of the art in thinking about this important issue in a holistic way with several examples. It takes you through the entire lifecycle from conception to implementation ... . —Doug Cavit, Chief Security Strategist, Microsoft Corporation

...provides the reader with the tools necessary to jump-start and mature security within the software development lifecycle (SDLC). —Jeff Weekes, Sr. Security Architect at Terra Verde Services

...full of useful insights and practical advice from two authors who have lived this process. What you get is a tactical application security roadmap that cuts through the noise and is immediately applicable to your projects. —Jeff Williams, Aspect Security CEO and Volunteer Chair of the OWASP Foundation

Table of Contents:
Preface
How This Book Is Organized
What's On the CD?
About the Authors
Acknowledgements
From Mark Merkow
From Laksh Raghavan

Chapter 1 Introduction
1.1 Secure and Resilient
1.2 Bad Design Choices Led to the Vulnerable Internet We Know Today
1.3 HTTP Has Its Problems, Too
1.4 Design Errors Continue Haunting Us Today
1.5 Requirements & Design: The Keys to a Successful Software Project
1.6 How Design Flaws Play Out
1.6.1 DNS Vulnerability
1.6.2 The London Stock Exchange
1.6.3 Medical Equipment
1.6.4 Airbus A380
1.7 Solutions Are In Sight!
1.8 Notes

Chapter 2 Nonfunctional Requirements (NFRs) in Context
2.1 System Quality Requirements Engineering (SQUARE)
2.1.1 Agree on Definitions
2.1.2 Identify Assets and Security/Quality Goals
2.1.3 Perform Risk Assessments
2.1.4 Elicit Security Requirements
2.1.5 Prioritize Requirements
2.2 Characteristics of Good Requirements
2.3 Summary
2.4 Notes

Chapter 3 Resilience and Quality Considerations for Application Software and the Application Runtime Environment
3.1 Relationships among Nonfunctional Requirements
3.2 Considerations for Developing NFRs for your Applications and Runtime Environment
3.3 Checking Your Work
3.4 Summary
3.5 Notes

Chapter 4 Security Requirements for Application Software
4.1 Security Control Types
4.2 Think Like an Attacker
4.3 Detailed Security Requirements
4.4 Identification Requirements
4.5 Authentication Requirements
4.6 Authorization Requirements
4.7 Security Auditing Requirements
4.8 Confidentiality Requirements
4.9 Integrity Requirements
4.10 Availability Requirements
4.11 Nonrepudiation Requirements
4.12 Immunity Requirements
4.13 Survivability Requirements
4.14 Systems Maintenance Security Requirements
4.15 Privacy Requirements
4.16 Summary
4.17 References

Chapter 5 Security Services for the Application Operating Environment
5.1 The Open Group Architecture Framework (TOGAF)
5.2 Standardizing Tools for an Enterprise Architecture
5.3 Security Technical Reference Model (TRM)
5.3.1 Identification and Authentication
5.3.2 System Entry Control
5.3.3 Audit
5.3.4 Access Control
5.3.5 Nonrepudiation
5.3.6 Security Management
5.3.7 Trusted Recovery
5.3.8 Encryption
5.3.9 Trusted Communications
5.4 Summary
5.5 References

Chapter 6 Software Design Considerations for Security and Resilience
6.1 Design Issues
6.2 Architecture and Design Considerations
6.3 Special Security Design Considerations for Payment Applications on Mobile Communications Devices
6.4 Designing for Integrity
6.5 Architecture and Design Review Checklist
6.6 Summary
6.7 References

Chapter 7 Best Practices for Converting Requirements to Secure Software Designs
7.1 Secure Design Approach
7.2 Reusable Security APIs/Libraries
7.3 Security Frameworks
7.4 Establishing and Following Best Practices for Design
7.5 Security Requirements
7.6 Security Recommendations
7.7 What's an Attack Surface?
7.8 What Is Managed Code?
7.9 Understanding Business Requirements for Security Design
7.10 Summary
7.11 References

Chapter 8 Security Test Cases
8.1 Standardized Testing Policy
8.2 Security Test Cases
8.2.1 Test Cases for Identification Requirements
8.2.2 Test Cases for Authentication Requirements
8.3 Test Cases for Authorization Requirements
8.3.1 Test Cases for Security Auditing Requirements
8.3.2 Test Cases for Confidentiality Requirements
8.3.3 Test Cases for Integrity Requirements
8.3.4 Test Cases for Availability Requirements
8.3.5 Test Cases for Nonrepudiation Requirements
8.3.6 Test Cases for Immunity Requirements
8.3.7 Test Cases for Survivability Requirements
8.3.8 Test Cases for Systems Maintenance Security Requirements
8.4 Summary

Chapter 9 Testing Methods and Best Practices
9.1 Secure Testing Approach
9.2 OWASP's Application Security Verification Standard (ASVS)
9.2.1 Application Security Verification Levels
9.2.2 Level 1 - Automated Verification
9.2.3 Level 2 - Manual Verification
9.2.4 Level 3 - Design Verification
9.2.5 Level 4 - Internal Verification
9.2.6 Security Testing Methods
9.3 Manual Source Code Review
9.4 Automated Source Code Analysis
9.4.1 Automated Reviews Compared with Manual Reviews
9.4.2 Automated Source Code Analysis Tools - Deployment Strategy
9.4.3 IDE Integration for Developers
9.4.4 Build Integration for Governance
9.4.5 Automated Dynamic Analysis
9.4.6 Limitations of Automated Dynamic Analysis Tools
9.4.7 Automated Dynamic Analysis Tools - Deployment Strategy
9.4.8 Developer Testing
9.4.9 Centralized Quality Assurance Testing
9.5 Penetration (Pen) Testing
9.5.1 Gray Box Testing
9.6 Summary
9.7 References

Chapter 10 Connecting the Moving Parts
10.1 OpenSAMM
10.2 Security Requirements
10.2.1 Security Requirements: Level 1
10.2.2 Security Requirements: Level 2
10.2.3 Security Requirements: Level 3
10.3 Security Testing
10.3.1 Security Testing: Level 1
10.3.2 Security Testing: Level 2
10.3.3 Security Testing: Level 3
10.4 Wrap-Up
10.5 References

Index
