196 Core Software Security
Design and Development (A4): SDL Activities and Best Practices 197