Software Security Engineering - Build Security In - US-CERT

More documents

Recommendations

Info

Coding and Testing Practices 3 Practices in Recommended Order Description Maturity Audience Risk-based test cases for security Develop risk-based test cases (using, for example, misuse/abuse cases, attack patterns, or threat modeling) that exercise common mistakes, sus-pected software weak-nesses, and mitigations intended to reduce or eliminate risks to ensure they cannot be circum-vented (negative require-ments) Relevant for These Roles L3/4 M, L • Project manager • Security analyst • Test engineer Thursday, November 06, 2008 Software Security Engineering Nancy R. Mead, October 16, 2008 © 2008 Carnegie Mellon University 46
Coding and Testing Practices 4 Practices in Recommended Order Description Maturity Audience Test cases using a range of security test strategies Use a complement of testing strategies including whitebox testing (based on deep knowledge of the source code), black-box testing (focusing on the software’s externally visible behavior), and penetration testing (identifying and targeting specific vulnerabilities at the system level) Relevant for These Roles L4 M, L • Project manager • Security analyst • Test engineer Thursday, November 06, 2008 Software Security Engineering Nancy R. Mead, October 16, 2008 © 2008 Carnegie Mellon University 47
Page 1 and 2: Software Security Engineering Softw
Page 3 and 4: So What Is Software Security? Softw
Page 5 and 6: Build Security In: A Key Resource
Page 7 and 8: Why is Security a Software Issue?
Page 9 and 10: The Problem • Organizations incre
Page 11 and 12: Software that has been developed wi
Page 13 and 14: Software Security Always Has a Cost
Page 15 and 16: The Risk Management Framework • B
Page 17 and 18: What makes software secure? © 2008
Page 19 and 20: Core Properties of Secure Software
Page 21 and 22: Influencing the Security Properties
Page 23 and 24: Addressing the Expected: Security A
Page 25 and 26: Addressing the Unexpected: Avoiding
Page 27 and 28: The Attacker’s Perspective • As
Page 29 and 30: Parting Thoughts on Secure Software
Page 31 and 32: SDLC With Defined Security Touchpoi
Page 33 and 34: Assess Security Risk Across the SDL
Page 35 and 36: Maturity Indicators Maturity Level
Page 37 and 38: Software Security Practices That Sp
Page 39 and 40: Software Security Practices That Sp
Page 41 and 42: Requirements Engineering Practices
Page 43 and 44: Architecture and Design Practices 2
Page 45: Coding and Testing Practices 2 Prac
Page 49 and 50: Security Analysis for System Comple
Page 51 and 52: Security Analysis for System Comple
Page 53 and 54: Governance and Management Practices
Page 55 and 56: Governance and Management Practices
Page 57 and 58: Recommendations Treat software secu
Page 59: Contact Information Sean Barnum Pri

Software Security Engineering - Build Security In - US-CERT

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?