Beginning where the best-selling book Building Secure Software left off, Software Security teaches you how to put software security into practice. The software security best practices, or touchpoints, described in this book have their basis in good software engineering and involve explicitly pondering security throughout the software development lifecycle. This means knowing and understanding common risks (including implementation bugsand architectural flaws), designing for security, and subjecting all software artifacts to thorough, objective risk analyses and testing.
Software Security is about putting the touchpoints to work for you. Because you can apply these touchpoints to the software artifacts you already produce as you develop software, you can adopt this book's methods without radically changing the way you work. Inside you'll find detailed explanations of
- Risk management frameworks and processes
- Code review using static analysis tools
- Architectural risk analysis
- Penetration testing
- Security testing
- Abuse case development
In addition to the touchpoints, Software Security covers knowledge management, training and awareness, and enterprise-level software security programs.
Now that the world agrees that software security is central to computer security, it is time to put philosophy into practice. Create your own secure development lifecycle by enhancing your existing software development lifecycle with the touchpoints described in this book. Let this expert author show you how to build more secure software by building security in.
Review By: Arnoud Buzing
07/08/2010What do three pillars, two hats, and seven touchpoints have in common? They can all be found in Gary McGraw's new book and, no, it is not about two Chinese cowboys--as one might guess from the book's cover art. In “Software Security” McGraw blends two of his earlier books “Building Secure Software” (a white hat book) and “Exploiting Software” (a black hat book) with a series of articles written for the IEEE Security and Privacy magazine. Written in three parts (the three “pillars” of software security) McGraw explores applied risk management, software security touchpoints, and overall knowledge.
The applied risk management pillar discusses a framework for risk management, which is a tool to gather data and make good security decisions based on knowledge of security issues. The main idea here is to rank and track issues that emerge from applying security practices and a feedback loop model to continually improve the process.
The main chunk of the book and the second pillar, details a set of best practices organized into seven categories, which McGraw calls the “Software Security Touchpoints.” McGraw has ordered them in a rough order of effectiveness. The first two touchpoints, “code review” and “architectural risk analysis” are considered absolutely critical. Next are “penetration testing” (at the integration level) and “risk-based security testing” (at the unit level). To round things up McGraw considers “abuse cases” and “security requirements” at the start of the software development life cycle and “security operations” at the end. Because these touchpoints are presented in order of effectiveness (and not chronologically), McGraw includes a diagram how these seven touchpoints map into a six bucket model of the software development life cycle (requirements and use cases, architecture and design, test plans, code, tests and results, and feedback from the field). A large recycling type arrow in the background of the diagram signifies the constant effort these practices require.
The final pillar, “knowledge,” dissects how a collection of facts can be organized into context and deployed in a process or procedure. McGraw uses seven knowledge catalogs to achieve this goal: principles, guidelines, rules, attack patterns, historical risks, vulnerabilities, and exploits. These catalogs are then mapped onto the software development life cycle diagram with the seven touchpoints.
The discipline of software security is rapidly evolving. McGraw's attempt to organize many aspects of software security (white hat, black hat, risk management, best practices, and knowledge cataloging) largely pays off in the end; stuffed to the gills with useful information, this book is not some lazy introduction to the field. Highly experienced practitioners will enjoy reading this book from back to back. Less experienced practitioners will want to explore the meat and potato part first (the touchpoints pillar) and skip over the risk management pillar at first.
I have two minor gripes: It would have nice to have had a more balanced overview of code analysis tools other than the discussed “Fortify Source Code Analysis Suite”. Second, and this is common to a lot of books these days, is the many interruptions of the main text with multi-page side stories. This is nice when you're just browsing the book, but it doesn't help when you're in the middle of a sentence and you have to flip ahead. All in all, this is a highly recommendable and useful book and it succeeds in its mission to tie multiple aspects of secure software together.