Software Security Engineering - Build Security In - US-CERT

More documents

Recommendations

Info

Addressing the Unexpected: Avoiding, Removing, and Mitigating Weaknesses – Application Defense • Employing practices focused at detecting and mitigating weaknesses in software systems after they are deployed • Application defense techniques typically focus on the following issues: • Establishing a protective boundary around the application that enforces rules defining valid input or recognizes and either blocks or filters input that contains recognized patterns of attack • Constraining the extent and impact of damage that might result from the exploitation of a vulnerability in the application • Discovering points of vulnerability in the implemented application through black-box testing so as to help developers and administrators identify necessary countermeasures • Application defense measures should be used only because they are determined in the design process to be the best approach to solving a software security problem, not because they are the only possible approach after the software is deployed. © 2008 Cigital Inc. All Rights Reserved. Thursday, November 06, 2008 24
Addressing the Unexpected: Avoiding, Removing, and Mitigating Weaknesses – Software Security • “software security” focuses on preventing weaknesses from entering the software in the first place or, if that is unavoidable, at least removing them as early in the life cycle as possible and before the software is deployed • Build Security In!! • A wide variety of security-focused practices are available to software project managers and their development teams that can be seamlessly integrated throughout any typical software engineering SDLC © 2008 Cigital Inc. All Rights Reserved. Thursday, November 06, 2008 25
Page 1 and 2: Software Security Engineering Softw
Page 3 and 4: So What Is Software Security? Softw
Page 5 and 6: Build Security In: A Key Resource
Page 7 and 8: Why is Security a Software Issue?
Page 9 and 10: The Problem • Organizations incre
Page 11 and 12: Software that has been developed wi
Page 13 and 14: Software Security Always Has a Cost
Page 15 and 16: The Risk Management Framework • B
Page 17 and 18: What makes software secure? © 2008
Page 19 and 20: Core Properties of Secure Software
Page 21 and 22: Influencing the Security Properties
Page 23: Addressing the Expected: Security A
Page 27 and 28: The Attacker’s Perspective • As
Page 29 and 30: Parting Thoughts on Secure Software
Page 31 and 32: SDLC With Defined Security Touchpoi
Page 33 and 34: Assess Security Risk Across the SDL
Page 35 and 36: Maturity Indicators Maturity Level
Page 37 and 38: Software Security Practices That Sp
Page 39 and 40: Software Security Practices That Sp
Page 41 and 42: Requirements Engineering Practices
Page 43 and 44: Architecture and Design Practices 2
Page 45 and 46: Coding and Testing Practices 2 Prac
Page 47 and 48: Coding and Testing Practices 4 Prac
Page 49 and 50: Security Analysis for System Comple
Page 51 and 52: Security Analysis for System Comple
Page 53 and 54: Governance and Management Practices
Page 55 and 56: Governance and Management Practices
Page 57 and 58: Recommendations Treat software secu
Page 59: Contact Information Sean Barnum Pri

Software Security Engineering - Build Security In - US-CERT

Create successful ePaper yourself

Delete template?

Save as template?