Security-Driven Software Development: Learn to analyze and mitigate risks in your software projects

Author: Olmsted Aspen
Release date: 2024
Publisher: Packt Publishing Limited
Number of pages: 262
File size: 4.7 MB
File type: PDF
Added by: Aleks-5

Cover

Title Page

Copyright

Dedication

Contributors

Table of Contents

Preface

Part 1: Modeling a Secure Application

Chapter 1: Security Principles

What could go wrong?

Principles

Open Web Application Security Project

NIST’s Secure Software Development Framework

MITRE frameworks

Software development lifecycles

Microsoft’s Security Development Lifecycle

Confidentiality, integrity, and availability

Summary

Self-assessment questions

Answers

Chapter 2: Designing a Secure Functional Model

Requirements gathering and specification

Non-functional requirements and security

Capturing scenarios

Textual use cases and misuse cases

Graphical use cases and misuse cases

Graphical use case diagram

Graphical misuse case diagram

Example enterprise secure functional model

Purchase of tickets via self-service

Trying to purchase tickets beyond the patron limit

Summary

Self-assessment questions

Answers

Chapter 3: Designing a Secure Object Model

Identify objects and relationships

Class diagrams

Stereotypes

Invariants

Example of the enterprise secure object model

Summary

Self-assessment questions

Answers

Chapter 4: Designing a Secure Dynamic Model

Technical requirements

Object behavior

Modeling interactions between objects

UML sequence diagrams

UML activity diagrams

Constraints

Example of the enterprise secure dynamic model

Summary

Self-assessment questions

Answers

Chapter 5: Designing a Secure System Model

Partitions

Modeling interactions between partitions

UML component diagrams

Patterns

Example – developing an enterprise secure system model

Summary

Self-assessment questions

Answers

Chapter 6: Threat Modeling

Threat model overview

The STRIDE threat model

The DREAD threat model

Attack trees

Mitigations

Microsoft Threat Modeling Tool

Example of an enterprise threat model

Summary

Self-assessment questions

Answers

Part 2: Mitigating Risks in Implementation

Chapter 7: Authentication and Authorization

Authentication

Authorization

Security Models

Single sign-on and open authorization

Single sign-on (SSO)

Open authorization (OAuth)

Implementing SSO and OAuth with Google

Example of enterprise implementation

Summary

Self-assessment questions

Answers

Chapter 8: Input Validation and Sanitization

Input validation

Input sanitization

Language-specific defenses

Buffer overflows

Example of the enterprise input validation and sanitization

Summary

Self-assessment questions

Answers

Chapter 9: Standard Web Application Vulnerabilities

Injection attacks

Broken authentication and session management

Request forgery

Language-specific defenses

Example of enterprise web defenses

Summary

Self-assessment questions

Answers

Chapter 10: Database Security

Overview of SQL

SQL injection

Maintaining database correctness

Managing activity concurrency

Language-specific defenses

RBAC security in DBMS

Encryption in DBMS

An example of enterprise DB security

Summary

Self-assessment questions

Answers

Part 3: Security Validation

Chapter 11: Unit Testing

The principles of unit testing

The advantages of unit testing

Unit testing frameworks

An example of enterprise threat model

PHPUnit

JUnit

PyUnit

Summary

Self-assessment questions

Answers

Chapter 12: Regression Testing

Regression testing overview

Key concepts

Process

Benefits

Robotic process automation

The intersection of RPA and regression testing

Regression testing tools

Load testing

Integration and complementarity

UI.Vision RPA

Example of the enterprise regression tests

Summary

Self-assessment questions

Answers

Chapter 13: Integration, System, and Acceptance Testing

Types of integration tests

Mocks

Stubs

Examples of enterprise integration testing

System testing

Acceptance testing

Summary

Self-assessment questions

Answers

Chapter 14: Software Penetration Testing

Types of tests

Phases

Tools

Information gathering and reconnaissance

Vulnerability analysis and exploitation

Post-exploitation and privilege escalation

Network sniffing

Forensics and monitoring

Reporting and documentation

An example of an enterprise penetration test report

High-level summary

Host analysis

Summary

Self-assessment questions

Answers

Index

About PACKT

Other Books You May Enjoy

Trace security requirements through each development phase, mitigating multiple-layer attacks with practical examples, and emerge equipped with the skills to build resilient applications

Key Features

  • Explore the practical application of secure software development methodologies
  • Model security vulnerabilities throughout the software development lifecycle (SDLC)
  • Develop the skills to trace requirements, from requirements gathering through to implementation
  • Purchase of the print or Kindle book includes a free PDF eBook

Book Description

Extend your software development skills to integrate security into every aspect of your projects. Perfect for any programmer or developer working on mission-critical applications, this hands-on guide helps you adopt secure software development practices. Explore core concepts like security specification, modeling, and threat mitigation with the iterative approach of this book that allows you to trace security requirements through each phase of software development. You won’t stop at the basics; you’ll delve into multiple-layer attacks and develop the mindset to prevent them. Through an example application project involving an entertainment ticketing software system, you’ll look at high-profile security incidents that have affected popular music stars and performers. Drawing from the author’s decades of experience building secure applications in this domain, this book offers comprehensive techniques where problem-solving meets practicality for secure development.

By the end of this book, you’ll have gained the expertise to systematically secure software projects, from crafting robust security specifications to adeptly mitigating multifaceted threats, ensuring your applications stand resilient in the face of evolving cybersecurity challenges.

What you will learn

  • Find out non-functional requirements crucial for software security, performance, and reliability
  • Develop the skills to identify and model vulnerabilities in software design and analysis
  • Analyze and model various threat vectors that pose risks to software applications
  • Acquire strategies to mitigate security threats specific to web applications
  • Address threats to the database layer of an application
  • Trace non-functional requirements through secure software design

Who this book is for

Many software development jobs require developing, maintaining, enhancing, administering, and defending software applications, websites, and scripts. This book is designed for software developers and web developers seeking to excel in these roles, offering concise explanations and applied example use-cases.

