Core Software Security: Security at the Source

CRC Press
2
Free sample

"... an engaging book that will empower readers in both large and small software development and engineering organizations to build security into their products. ... Readers are armed with firm solutions for the fight against cyber threats."
—Dr. Dena Haritos Tsamitis. Carnegie Mellon University

"... a must read for security specialists, software developers and software engineers. ... should be part of every security professional’s library."
—Dr. Larry Ponemon, Ponemon Institute

"... the definitive how-to guide for software security professionals. Dr. Ransome, Anmol Misra, and Brook Schoenfield deftly outline the procedures and policies needed to integrate real security into the software development process. ...A must-have for anyone on the front lines of the Cyber War ..."
—Cedric Leighton, Colonel, USAF (Ret.), Cedric Leighton Associates

"Dr. Ransome, Anmol Misra, and Brook Schoenfield give you a magic formula in this book - the methodology and process to build security into the entire software development life cycle so that the software is secured at the source! "
—Eric S. Yuan, Zoom Video Communications

There is much publicity regarding network security, but the real cyber Achilles’ heel is insecure software. Millions of software vulnerabilities create a cyber house of cards, in which we conduct our digital lives. In response, security people build ever more elaborate cyber fortresses to protect this vulnerable software. Despite their efforts, cyber fortifications consistently fail to protect our digital treasures. Why? The security industry has failed to engage fully with the creative, innovative people who write software.

Core Software Security expounds developer-centric software security, a holistic process to engage creativity for security. As long as software is developed by humans, it requires the human element to fix it. Developer-centric security is not only feasible but also cost effective and operationally relevant. The methodology builds security into software development, which lies at the heart of our cyber infrastructure. Whatever development method is employed, software must be secured at the source.

Book Highlights:

  • Supplies a practitioner's view of the SDL
  • Considers Agile as a security enabler
  • Covers the privacy elements in an SDL
  • Outlines a holistic business-savvy SDL framework that includes people, process, and technology
  • Highlights the key success factors, deliverables, and metrics for each phase of the SDL
  • Examines cost efficiencies, optimized performance, and organizational structure of a developer-centric software security program and PSIRT
  • Includes a chapter by noted security architect Brook Schoenfield who shares his insights and experiences in applying the book’s SDL framework

View the authors' website at http://www.androidinsecurity.com/

Read more
Collapse

About the author

Dr. James Ransome is the Senior Director of Product Security and responsible for all aspects of McAfee’s Product Security Program, a corporate-wide initiative that supports McAfee’s business units in delivering best-in-class, secure software products to customers. In this role, James sets program strategy, manages security engagements with McAfee business units, maintains key relationships with McAfee product engineers, and works with other leaders to help define and build product security capabilities. His career has been marked by leadership positions in private and public industries, including three chief information security officer (CISO) and four chief security officer (CSO) roles. Prior to entering the corporate world, James had 23 years of government service in various roles supporting the U.S. intelligence community, federal law enforcement, and the Department of Defense.

James holds a Ph.D. in Information Systems. He developed/tested a security model, architecture, and provided leading practices for converged wired/wireless network security for his doctoral dissertation as part of a NSA/DHS Center of Academic Excellence in Information Assurance Education program. He is the author of several books on information security, and Core Software Security: Security at the Source is his 10th. James is a member of Upsilon Pi Epsilon, the International Honor Society for the Computing and Information Disciplines, and he is a Certified Information Security Manager (CISM), a Certified Information Systems Security Professional (CISSP), and a Ponemon Institute Distinguished Fellow.

Anmol Misra is an author and a security professional with a wide range of experience in the field of information security. His expertise includes mobile and application security, vulnerability management, application and infrastructure security assessments, and security code reviews. He is a Program Manager in Cisco’s Information Security group. In this role, he is responsible for developing and implementing security strategy and programs to drive security best practices into all aspects of Cisco’s hosted products. Prior to joining Cisco, Anmol was a Senior Consultant with Ernst & Young LLP. In this role, he advised Fortune 500 clients on defining and improving information security programs and practices. He helped corporations to reduce IT security risk and achieve regulatory compliance by improving their security posture.

Anmol is co-author of Android Security: Attacks and Defenses, and is a contributing author of Defending the Cloud: Waging War in Cyberspace. He holds a master’s degree in Information Networking from Carnegie Mellon University and a Bachelor of Engineering degree in Computer Engineering. He is based out of San Francisco, California.

Read more
Collapse
5.0
2 total
Loading...

Additional Information

Publisher
CRC Press
Read more
Collapse
Published on
Oct 3, 2018
Read more
Collapse
Pages
416
Read more
Collapse
ISBN
9781466560963
Read more
Collapse
Read more
Collapse
Best For
Read more
Collapse
Language
English
Read more
Collapse
Genres
Computers / Security / General
Computers / Software Development & Engineering / General
Read more
Collapse
Content Protection
This content is DRM protected.
Read more
Collapse
Eligible for Family Library

Reading information

Smartphones and Tablets

Install the Google Play Books app for Android and iPad/iPhone. It syncs automatically with your account and allows you to read online or offline wherever you are.

Laptops and Computers

You can read books purchased on Google Play using your computer's web browser.

eReaders and other devices

To read on e-ink devices like the Sony eReader or Barnes & Noble Nook, you'll need to download a file and transfer it to your device. Please follow the detailed Help center instructions to transfer the files to supported eReaders.
System Assurance teaches students how to use Object Management Group’s (OMG) expertise and unique standards to obtain accurate knowledge about existing software and compose objective metrics for system assurance.

OMG’s Assurance Ecosystem provides a common framework for discovering, integrating, analyzing, and distributing facts about existing enterprise software. Its foundation is the standard protocol for exchanging system facts, defined as the OMG Knowledge Discovery Metamodel (KDM). In addition, the Semantics of Business Vocabularies and Business Rules (SBVR) defines a standard protocol for exchanging security policy rules and assurance patterns. Using these standards together, students will learn how to leverage the knowledge of the cybersecurity community and bring automation to protect systems.

This book includes an overview of OMG Software Assurance Ecosystem protocols that integrate risk, architecture, and code analysis guided by the assurance argument. A case study illustrates the steps of the System Assurance Methodology using automated tools.

This book is recommended for technologists from a broad range of software companies and related industries; security analysts, computer systems analysts, computer software engineers-systems software, computer software engineers- applications, computer and information systems managers, network systems and data communication analysts.

Provides end-to-end methodology for systematic, repeatable, and affordable System Assurance.Includes an overview of OMG Software Assurance Ecosystem protocols that integrate risk, architecture and code analysis guided by the assurance argument.Case Study illustrating the steps of the System Assurance Methodology using automated tools.
Many organizations and government agencies require the use of Common Criteria certified products and systems and use the Common Criteria methodology in their acquisition process. In fact, in July 2002 the U.S. National Information Assurance Acquisition Policy (NSTISSP #11) mandated the use of CC evaluated IT security products in critical infrastructure systems. This standard provides a comprehensive methodology for specifying, implementing, and evaluating the security of IT products, systems, and networks. Because the Common Criteria (CC) for IT Security Evaluation is a relatively new international standard, little written material exists which explains this how-to knowledge, and it's not exactly easy to interpret.

Designed to be used by acquiring organizations, system integrators, manufacturers, and Common Criteria testing/certification labs, Using the Common Criteria for IT Security Evaluation explains how and why to use the Common Criteria during the acquisition, implementation or evaluation of an IT product, system, network, or services contract. The text describes the Common Criteria methodology; the major processes, steps, activities, concepts, terminology, and how the CC methodology is used throughout the life of a system. It illustrates how each category of user should employ the methodology as well as their different roles and responsibilities.

This text is an essential resource for all those involved in critical infrastructure systems, like those operated by the FAA, the Federal Reserve Bank, DoD, NATO, NASA, and the intelligence agencies. Organized to follow the Common Criteria lifecycle, Using the Common Criteria for IT Security Evaluation provides examples in each chapter to illustrate how the methodology can be applied in three different scenarios: a COTS product, a system or network, and a services contract. The discussion problems at the end of each chapter ensure the text's effectiveness in an educational setting and ensure that those government officials required to comply with Presidential Decision Directive 63 (PDD-63) will be able to do so with confidence.
Automate security-related tasks in a structured, modular fashion using the best open source automation tool availableAbout This BookLeverage the agentless, push-based power of Ansible 2 to automate security tasksLearn to write playbooks that apply security to any part of your systemThis recipe-based guide will teach you to use Ansible 2 for various use cases such as fraud detection, network security, governance, and moreWho This Book Is For

If you are a system administrator or a DevOps engineer with responsibility for finding loop holes in your system or application, then this book is for you. It's also useful for security consultants looking to automate their infrastructure's security model.

What You Will LearnUse Ansible playbooks, roles, modules, and templating to build generic, testable playbooksManage Linux and Windows hosts remotely in a repeatable and predictable mannerSee how to perform security patch management, and security hardening with scheduling and automationSet up AWS Lambda for a serverless automated defenseRun continuous security scans against your hosts and automatically fix and harden the gapsExtend Ansible to write your custom modules and use them as part of your already existing security automation programsPerform automation security audit checks for applications using AnsibleManage secrets in Ansible using Ansible VaultIn Detail

Security automation is one of the most interesting skills to have nowadays. Ansible allows you to write automation procedures once and use them across your entire infrastructure. This book will teach you the best way to use Ansible for seemingly complex tasks by using the various building blocks available and creating solutions that are easy to teach others, store for later, perform version control on, and repeat.

We'll start by covering various popular modules and writing simple playbooks to showcase those modules. You'll see how this can be applied over a variety of platforms and operating systems, whether they are Windows/Linux bare metal servers or containers on a cloud platform. Once the bare bones automation is in place, you'll learn how to leverage tools such as Ansible Tower or even Jenkins to create scheduled repeatable processes around security patching, security hardening, compliance reports, monitoring of systems, and so on.

Moving on, you'll delve into useful security automation techniques and approaches, and learn how to extend Ansible for enhanced security. While on the way, we will tackle topics like how to manage secrets, how to manage all the playbooks that we will create and how to enable collaboration using Ansible Galaxy. In the final stretch, we'll tackle how to extend the modules of Ansible for our use, and do all the previous tasks in a programmatic manner to get even more powerful automation frameworks and rigs.

Style and approach

This comprehensive guide will teach you to manage Linux and Windows hosts remotely in a repeatable and predictable manner. The book takes an in-depth approach and helps you understand how to set up complicated stacks of software with codified and easy-to-share best practices.

The world's most infamous hacker offers an insider's view of the low-tech threats to high-tech security
Kevin Mitnick's exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison, in 1998, Mitnick has turned his life around and established himself as one of the most sought-after computer security experts worldwide. Now, in The Art of Deception, the world's most notorious hacker gives new meaning to the old adage, "It takes a thief to catch a thief."
Focusing on the human factors involved with information security, Mitnick explains why all the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on business and government, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.
Hacker extraordinaire Kevin Mitnick delivers the explosive encore to his bestselling The Art of Deception
Kevin Mitnick, the world's most celebrated hacker, now devotes his life to helping businesses and governments combat data thieves, cybervandals, and other malicious computer intruders. In his bestselling The Art of Deception, Mitnick presented fictionalized case studies that illustrated how savvy computer crackers use "social engineering" to compromise even the most technically secure computer systems. Now, in his new book, Mitnick goes one step further, offering hair-raising stories of real-life computer break-ins-and showing how the victims could have prevented them. Mitnick's reputation within the hacker community gave him unique credibility with the perpetrators of these crimes, who freely shared their stories with him-and whose exploits Mitnick now reveals in detail for the first time, including: A group of friends who won nearly a million dollars in Las Vegas by reverse-engineering slot machines Two teenagers who were persuaded by terrorists to hack into the Lockheed Martin computer systems Two convicts who joined forces to become hackers inside a Texas prison A "Robin Hood" hacker who penetrated the computer systems of many prominent companies-andthen told them how he gained access With riveting "you are there" descriptions of real computer break-ins, indispensable tips on countermeasures security professionals need to implement now, and Mitnick's own acerbic commentary on the crimes he describes, this book is sure to reach a wide audience-and attract the attention of both law enforcement agencies and the media.
©2019 GoogleSite Terms of ServicePrivacyDevelopersArtistsAbout Google|Location: United StatesLanguage: English (United States)
By purchasing this item, you are transacting with Google Payments and agreeing to the Google Payments Terms of Service and Privacy Notice.