Software Security Engineering - Build Security In - US-CERT

More documents

Recommendations

Info

Define, Influence, Leverage • To understand what makes software secure, we must be able to: • Define the properties that characterize secure software • Identify mechanisms to influence these properties • Leverage structures and tools for asserting the presence or absence of these properties © 2008 Cigital Inc. All Rights Reserved. Thursday, November 06, 2008 18
Core Properties of Secure Software • Confidentiality • The software must ensure that any of its characteristics (including its relationships with its execution environment and its users), its managed assets, and/or its content are obscured or hidden from unauthorized entities. • Integrity • The software and its managed assets must be resistant and resilient to subversion. Subversion is achieved through unauthorized modifications to the software code, managed assets, configuration, or behavior by authorized entities, or any modifications by unauthorized entities. Such modifications may include overwriting, corruption, tampering, destruction, insertion of unintended (including malicious) logic, or deletion. Integrity must be preserved both during the software’s development and during its execution. • Availability • The software must be operational and accessible to its intended, authorized users (humans and processes) whenever it is needed. At the same time, its functionality and privileges must be inaccessible to unauthorized users (humans and processes) at all times. • Accountability • All security-relevant actions of the software-as-user must be recorded and tracked, with attribution of responsibility. This tracking must be possible both while and after the recorded actions occur. • Non-repudiation • This property pertains to the ability to prevent the software-as-user from disproving or denying responsibility for actions it has performed. It ensures that the accountability property cannot be subverted or circumvented. © 2008 Cigital Inc. All Rights Reserved. Thursday, November 06, 2008 19
Page 1 and 2: Software Security Engineering Softw
Page 3 and 4: So What Is Software Security? Softw
Page 5 and 6: Build Security In: A Key Resource
Page 7 and 8: Why is Security a Software Issue?
Page 9 and 10: The Problem • Organizations incre
Page 11 and 12: Software that has been developed wi
Page 13 and 14: Software Security Always Has a Cost
Page 15 and 16: The Risk Management Framework • B
Page 17: What makes software secure? © 2008
Page 21 and 22: Influencing the Security Properties
Page 23 and 24: Addressing the Expected: Security A
Page 25 and 26: Addressing the Unexpected: Avoiding
Page 27 and 28: The Attacker’s Perspective • As
Page 29 and 30: Parting Thoughts on Secure Software
Page 31 and 32: SDLC With Defined Security Touchpoi
Page 33 and 34: Assess Security Risk Across the SDL
Page 35 and 36: Maturity Indicators Maturity Level
Page 37 and 38: Software Security Practices That Sp
Page 39 and 40: Software Security Practices That Sp
Page 41 and 42: Requirements Engineering Practices
Page 43 and 44: Architecture and Design Practices 2
Page 45 and 46: Coding and Testing Practices 2 Prac
Page 47 and 48: Coding and Testing Practices 4 Prac
Page 49 and 50: Security Analysis for System Comple
Page 51 and 52: Security Analysis for System Comple
Page 53 and 54: Governance and Management Practices
Page 55 and 56: Governance and Management Practices
Page 57 and 58: Recommendations Treat software secu
Page 59: Contact Information Sean Barnum Pri

Software Security Engineering - Build Security In - US-CERT

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?