- The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software
- Foreword
- Introduction
- I. The Need for the SDL
- Bibliography
- 2. Current Software Development Methods Fail to Produce Secure Software
- Bibliography
- 4. SDL for Management
- II. The Security Development Lifecycle Process
- 5. Stage 0: Education and Awareness
- 6. Stage 1: Project Inception
- Determine Whether the Application Is Covered by SDL
- Assign the Security Advisor
- Act as a Point of Contact Between the Development Team and the Security Team
- Holding an SDL Kick-Off Meeting for the Development Team
- Holding Design and Threat Model Reviews with the Development Team
- Analyzing and Triaging Security-Related and Privacy-Related Bugs
- Acting as a Security Sounding Board for the Development Team
- Preparing the Development Team for the Final Security Review
- Working with the Reactive Security Team
- Build the Security Leadership Team
- Make Sure the Bug-Tracking Process Includes Security and Privacy Bug Fields
- Determine the “Bug Bar”
- Summary
- References
- 7. Stage 2: Define and Follow Design Best Practices
- Bibliography
- Bibliography
- 10. Stage 5: Creating Security Documents, Tools, and Best Practices for Customers
- Bibliography
- 12. Stage 7: Secure Testing Policies
- 13. Stage 8: The Security Push
- 14. Stage 9: The Final Security Review
- 15. Stage 10: Security Response Planning
- 16. Stage 11: Product Release
- 17. Stage 12: Security Response Execution
- III. SDL Reference Material
- 18. Integrating SDL with Agile Methods
- 19. SDL Banned Function Calls
- The Banned APIs
- Banned String Copy Functions and Replacements
- Banned String Concatenation Functions and Replacements
- Banned sprintf Functions and Replacements
- Banned “n” sprintf Functions and Replacements
- Banned Variable Argument sprintf Functions and Replacements
- Banned Variable Argument “n” sprintf Functions and Replacements
- Banned “n” String Copy Functions and Replacements
- Banned “n” String Concatenation Functions and Replacements
- Banned String Tokenizing Functions and Replacements
- Banned Makepath Functions and Replacements
- Banned Splitpath Functions and Replacements
- Banned scanf Functions and Replacements
- Banned “n” scanf Functions and Replacements
- Banned Numeric Conversion Functions and Replacements
- Banned gets Functions and Replacements
- Banned IsBad* Functions and Replacements
- Banned OEM Conversion Functions and Replacements
- Banned Stack Dynamic Memory Allocation Functions and Replacements
- Banned String Length Functions and Replacements
- Why the “n” Functions Are Banned
- Important Caveat
- Choosing StrSafe vs. Safe CRT
- Using StrSafe
- Using Safe CRT
- Other Replacements
- Tools Support
- ROI and Cost Impact
- Metrics and Goals
- References
- The Banned APIs
- 20. SDL Minimum Cryptographic Standards
- 21. SDL-Required Tools and Compiler Options
- 22. Threat Tree Patterns
- Spoofing an External Entity or a Process
- Tampering with a Process
- Tampering with a Data Flow
- Tampering with a Data Store
- Repudiation
- Information Disclosure of a Process
- Information Disclosure of a Data Flow
- Information Disclosure of a Data Store
- Denial of Service Against a Process
- Denial of Service Against a Data Flow
- Denial of Service Against a Data Store
- Elevation of Privilege
- References
- Appendix
- Index
- About the Authors
[biblio19_01] (Howard, LeBlanc, and Viega 2005) Howard,Michael, DavidLeBlanc, and JohnViega. 19 Deadly Sins of Software Development. New York, NY: McGraw-Hill, 2005. Chapter 1, “Buffer Overruns.”
[biblio19_02] (Howard 2004) Howard,Michael. “Buffer Overflow in Apache 1.3.xx fixed on Bugtraq—the evils of strncpy and strncat,” http://blogs.msdn.com/michael_howard/archive/2004/10/29/249713.aspx. October 2004.
[biblio19_03] (Miller and de Raadt 1999) Miller,ToddC., and TheodeRaadt. USENIX Annual Technical Conference, “strlcpy and strlcat – Consistent, Safe String Copy and Concatenation,” http://www.usenix.org/events/usenix99/full_papers/millert/millert_html/index.html. June 1999.
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.