Official (ISC)2 Guide to the CSSLP CBK, Second Edition ((ISC)2 Press) 2nd Edition


Title: Official (ISC)2 Guide to the CSSLP CBK, Second Edition ((ISC)2 Press) 2nd Edition

Author: Mano Paul

Series: (ISC)2 Press

Publisher: Auerbach Publications

Year: 2014

Pages: 800

Language: English

Format: pdf

Size: 16.9 MB

The text allows readers to learn about software security from a renowned security practitioner who is the appointed software assurance advisor for (ISC)2. Complete with numerous illustrations, it makes complex security concepts easy to understand and implement. In addition to being a valuable resource for those studying for the CSSLP examination, this book is also an indispensable software security reference for those already part of the certified elite.

A robust and comprehensive appendix makes this book a time-saving resource for anyone involved in secure software development.

Features

Updates the most authoritative review of the key concepts and requirements of the CSSLP® exam

Details the software security activities that need to be incorporated throughout the software development lifecycle

Provides comprehensive coverage that includes the people, processes, and technology components of software, networks, and host defenses

Supplies a pragmatic approach to implementing software assurance in the real world


Domain 1 - Secure Software Concepts

Holistic Security

Implementation Challenges

Iron Triangle Constraints

Security as an Afterthought

Security vs. Usability

Quality and Security

Security Profile – What Makes Software Secure?

Core Security Concepts

Design Security Concepts

Risk Management

Terminology and Definitions

Risk Management for Software

Handling Risk

Risk Management Concept: Summary

Security Policies: The ‘What’ and ‘Why’ for Security

Scope of the Security Policies

Prerequisites for Security Policy Development

Security Policy Development Process

Security Standards

Types of Security Standards

Internal Coding Standards

NIST Standards

Federal Information Processing Standards (FIPS)

ISO Standards

PCI Standards

Organization for the Advancement of Structured Information Standards (OASIS)

Benefits of Security Standards

Best Practices

Open Web Application Security Project (OWASP)

Information Technology Infrastructure Library (ITIL)

Software Development Methodologies

Waterfall Model

Iterative Model

Spiral Model

Agile Development Methodologies

Software Assurance Methodologies

Socratic Methodology

Six Sigma (6 σ)

Capability Maturity Model Integration (CMMI)

Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE®)

STRIDE and DREAD

Open Source Security Testing Methodology Manual (OSSTMM)

Flaw Hypothesis Method (FHM)

Enterprise Application and Security Frameworks

Zachman Framework

Control Objectives for Information and related Technology (COBIT®)

Committee of Sponsoring Organizations (COSO)

Sherwood Applied Business Security Architecture (SABSA)

Regulations, Privacy and Compliance

Significant Regulations and Privacy Acts

Sarbanes-Oxley Act (SOX)

BASEL II

Gramm-Leach-Bliley Act (GLB Act)

Health Insurance Portability and Accountability Act (HIPAA)

Data Protection Act

Computer Misuse Act

Mobile Device Privacy Act

State Security Breach Laws

Privacy and Software Development

Data Anonymization

Disposition

Security Models

Trusted Computing

Ring Protection

Trust Boundary (or Security Perimeter)

Trusted Computing Base (TCB)

Reference Monitor

Acquisitions

Domain 2 - Secure Software Requirements

Sources for Security Requirements

Types of Security Requirements

Core Security Requirements

General Requirements

Operational Requirements

Other Requirements

Protection Needs Elicitation (PNE)

Brainstorming

Surveys (Questionnaires and Interviews)

Policy Decomposition

Data Classification

Subject/Object Matrix

Use Case & Misuse Case Modeling

Requirements Traceability Matrix (RTM)

Domain 3 - Secure Software Design

The Need for Secure Design

Flaws versus Bugs

Architecting Software with Core Security Concepts

Confidentiality Design

Integrity Design

Availability Design

Authentication Design

Authorization Design

Accountability Design

Architecting Software with Secure Design Principles

Least Privilege

Separation of Duties

Defense in Depth

Fail Secure

Economy of Mechanisms

Complete Mediation

Open Design

Least Common Mechanisms

Psychological Acceptability

Weakest Link

Leveraging Existing Components

Balancing Secure Design Principles

Other Design Considerations

Interface Design

Interconnectivity

Design Processes

Attack Surface Evaluation

Threat Modeling

Architectures

Mainframe Architecture

Distributed Computing

Service Oriented Architecture

Rich Internet Applications

Pervasive/Ubiquitous Computing

Cloud Computing

Mobile Applications

Integration with Existing Architectures

Technologies

Authentication

Identity Management

Credential Management

Flow Control

Auditing (Logging)

Trusted Computing

Database Security

Programming Language Environment

Operating Systems

Embedded Systems

Secure Design and Architecture Review

Domain 4 - Secure Software Implementation/Coding

Who is to be Blamed for Insecure Software?

Fundamental Concepts of Programming

Computer Architecture

Evolution of Programming Languages

Common Software Vulnerabilities and Controls

Buffer Overflow

Stack Overflow

Heap Overflow

Injection Flaws

Broken Authentication and Session Management

Cross-Site Scripting (XSS)

Non-persistent or Reflected XSS

Persistent or Stored XSS

DOM based XSS

Insecure Direct Object References

Security Misconfiguration

Sensitive Data Exposure

Missing Function Level Checks

Cross-Site Request Forgery (CSRF)

Using Known Vulnerable Components

Unvalidated Redirects and Forwards

File Attacks

Race Condition

Side Channel Attacks

Defensive Coding Practices – Concepts and Techniques

Input Validation

Canonicalization

Sanitization

Error Handling

Safe APIs

Memory Management

Exception Management

Session Management

Configuration Parameters Management

Secure Startup

Cryptography

Concurrency

Tokenization

Sandboxing

Anti-Tampering

Secure Software Processes

Versioning (Configuration Management)

Code Analysis

Code/Peer Review

Securing Build Environments

Domain 5 - Secure Software Testing

Quality Assurance

Testing Artifacts

Test Strategy

Test Plan

Test Case

Test Script

Test Suite

Test Harness

Types of Software QA Testing

Functional Testing

Non-Functional Testing

Other Testing

Attack Surface Validation (Security Testing)

Motives, Opportunities and Means

Testing of Security Functionality versus Security Testing

The Need for Security Testing

Security Testing Methods

White Box Testing

Black Box Testing

White Box Testing versus Black Box Testing

Types of Security Testing

Cryptographic Validation Testing

Scanning

Fuzzing

Software Security Testing

Testing for Input Validation

Testing for Injection Flaws Controls

Testing for Scripting Attacks Controls

Testing for Non-repudiation Controls

Testing for Spoofing Controls

Testing for Error and Exception Handling Controls (Failure Testing)

Testing for Privileges Escalations Controls

Anti-Reversing Protection Testing

Tools for Security Testing

Test Data Management

Defect Reporting and Tracking

Reporting Defects

Tracking Defects

Impact Assessment and Corrective Action

Domain 6 - Software Acceptance

Guidelines for Software Acceptance

Benefits of Accepting Software Formally

Software Acceptance Considerations

Completion Criteria

Change Management

Approval to Deploy or Release

Risk Acceptance and Exception Policy

Documentation of Software

Verification and Validation (V&V)

Reviews

Testing

Certification and Accreditation (C&A)

Domain 7 - Software Deployment, Operations, Maintenance, and Disposal

Installation and Deployment

Hardening

Environment Configuration

Release Management

Bootstrapping and Secure Startup

Operations and Maintenance

Monitoring

Incident Management

Problem Management

Change Management

Backups, Recovery and Archiving

Disposal

End-of-Life Policies

Sun-Setting Criteria

Sun-setting Processes

Information Disposal and Media Sanitization

Domain 8 - Supply Chain and Software Acquisition

Software Acquisition and the Supply Chain

Acquisition Lifecycle

Software Acquisition Models and Benefits

Supply Chain Software Goals

Threats to Supply Chain Software

Software Supply Chain Risk Management (SCRM)

Supplier Risk Assessment and Management

Supplier Sourcing

Contractual Controls

Intellectual Property (IP) Ownership and Responsibilities

Types of Intellectual Property (IP)

Licensing (Usage and Redistribution Terms)

Software Development and Testing

Assurance Requirement Conformance Validation

Code Review

Code Repository Security

Build Tools and Environment Integrity

Testing for Code Security

Software SCRM during Acceptance

Anti-Tampering Resistance and Controls

Authenticity and Anti-Counterfeiting Controls

Supplier Claims Verification

Software SCRM during Delivery (Handover)

Chain of Custody

Secure Transfer

Code Escrows

Export Control and Foreign Trade Data Regulations Compliance

Software SCRM during Deployment (Installation/Configuration)

Secure Configuration

Perimeter (Network) Security Controls

System-of-Systems (SoS) Security

Software SCRM during Operations and Maintenance

Runtime Integrity Assurance

Patching and Upgrades

Termination Access Controls

Custom Code Extensions Checks

Continuous Monitoring and Incident Management

Software SCRM during Retirement
