Preface
The age of the software-driven machine has taken significant leaps over
the last few years. Human tasks such as those of fighter pilots, stock-exchange
floor traders, surgeons, and industrial production and power-plant operators,
tasks that are critical to the operation of weapons systems, medical systems,
and key elements of our national infrastructure, have been, or are rapidly
being, taken over by software. This is a revolutionary step: the machine's
brain and nervous system are now controlled by software that performs complex,
nonrepetitive tasks that formerly required the human mind. The result is a
paradigm shift in the way states, militaries, criminals, activists, and other
adversaries can attempt to destroy, modify, or influence countries,
infrastructures, societies, and cultures. This is true even for corporations,
as we have seen increasing cases of cyber corporate espionage over the years.
The previous tools of large armies, expensive and devastating weapons systems
and platforms, armed robberies, the physical theft of information, violent
protests, and armed insurrection are quickly being replaced by what is called
cyber warfare, cyber crime, and cyber activism.
In the end, the cyber approach may have effects just as profound as the
techniques used before, in that the exploitation of software vulnerabilities
could result in:
Entire or partial infrastructures taken down, including power grids, nuclear
power plants, communication media, and emergency response systems
Chemical plants modified to create large-yield explosions and/or highly toxic
clouds
Remote control, modification, or disablement of critical weapon systems or
platforms
Disablement or modification of surveillance systems
Criminal financial exploitation and blackmail
Manipulation of financial markets and investments
Murder or harm to humans through the modification of medical support systems
or devices, surgery schedules, or pharmaceutical prescriptions
Political insurrection and special-interest influence through the modification
of voting software, blackmail, or brand degradation through website defacement
or underlying Web application takedown or destruction
A side effect of the cyber approach is that it has given us the ability to do
the above at a scale, distance, and degree of anonymity previously unimagined,
from jurisdictionally protected locations, through remote exploitation and
attacks. This gives governments, criminal groups, and activists the ability to
act through proxies for the prime perpetrators in order to avoid
responsibility, detection, and political fallout.
Although there is much publicity regarding network security, the real Achilles
heel is the (insecure) software which provides the potential for total control
and/or modification of a target as described above. The criticality of software
security, as we move quickly toward this new age in which tasks previously
relegated to the human mind are taken over by software-driven machines, cannot
be overstated. It is for this reason that we have written this book. At the
same time, and for the foreseeable future, software programs are and will be
written by humans. This also means that new software will keep building on
legacy code, that is, software written before security was taken seriously or
before sophisticated attacks became prevalent. As long as humans write the
programs, the key to successful security for these programs is making the
software development process more efficient and effective. Although the
approach of this book includes people, process, and technology approaches to
software security, we believe the people element of software security is still
the most important part to manage as long as software is developed, managed,
and exploited by humans. What follows is a step-by-step process for software
security that is relevant to today's technical, operational, business, and
development environments, with a focus on what humans can do to control and
manage the process in the form of best practices and metrics. We will always
have security issues, but this book should help in minimizing them when
software is finally released or deployed. We hope you enjoy our book as much
as we have enjoyed writing it.
About the Book
This book outlines a step-by-step process for software security that is rele-
vant to today’s technical, operational, business, and development environ-
ments. The authors focus on what humans can do to control and manage
a secure software development process in the form of best practices and
metrics. Although security issues will always exist, this book will teach you
how to maximize your organization's ability to minimize vulnerabilities in your
software products before they are released or deployed, by building security
into the development process. The authors have worked with Fortune 500
companies and have often seen examples of the breakdown of security development
lifecycle (SDL) practices. In this book, we take an experience-based approach
to applying components of the best available SDL models to the problems
described above, in the form of an SDL software security best practices model
and framework.
Core Software Security: Security at the Source starts with an overview of
the SDL and then outlines a model for mapping SDL best practices to the
software development lifecycle, explaining how you can use this model
to build and manage a mature SDL program. Although security is not
a natural component of the way industry has been building software in
recent years, the authors believe that security improvements to develop-
ment processes are possible, practical, and essential. They trust that the
software security best practices and model presented in this book will
make this clear to all who read the book, including executives, managers,
and practitioners.
Audience
This book is targeted toward anyone who is interested in learning about
software security in an enterprise environment, including product security and
quality executives, software security architects, security consultants,
software development engineers, enterprise SDLC program managers, chief
information security officers, chief technology officers, and chief privacy
officers whose companies develop software. If you want to learn how software
security should be implemented when developing enterprise software, this is a
book you don't want to skip.
Support
Errata and support for this book are available on the CRC Press book
website.
Structure
This book is divided into three different sections and 10 chapters. Chapter
1 provides an introduction to the topic of software security and why it is
important that we get it right the first time. Chapter 2 introduces chal-
lenges of making software secure and the SDL framework. Chapters 3 through 8
provide a mapping of our SDL, with its associated best practices, to a generic
SDLC framework. Chapter 9 provides a seasoned software
security architect’s view on the successful application of the solutions
proposed in Chapters 3 through 8. Chapter 9 also explains real-world
approaches to the typical challenges that are presented when making
secure software. We conclude, in Chapter 10, by describing real-world security
threats that a properly architected, implemented, and managed SDL program will
mitigate.
Assumptions
This book assumes that a reader is familiar with basics of software devel-
opment (and methodologies) and basic security concepts. Knowledge of
the SDL, different types of security testing, and security architecture is
recommended but not required. For most topics, we gently introduce
readers to the topic before diving deep into that particular topic.