Securely Developing Software
Author(s): Renee Carnley
Edition: 1
Copyright: 2022
Contents
1 Secure Software Fundamentals
1.1 Introduction
1.1.1 Roles
1.1.2 Security Manager
1.1.3 IT Director
1.1.4 Project Manager
1.1.5 Software Program Manager
1.1.6 Software Architect
1.1.7 Software Engineer
1.1.8 Software Developer
1.1.9 Quality Assurance Tester
1.1.10 Software Procurement Analyst
1.1.11 Penetration Tester
1.1.12 Application Security Specialist
1.2 CIA Triad
1.2.1 Confidentiality
1.2.2 Integrity
1.2.3 Availability
1.2.4 Traceability
1.3 Common Security Processes
1.3.1 User Management
1.3.2 Authentication
1.3.3 Authorization
1.3.4 Logging
1.4 Design Concepts
1.4.1 Least Privilege
1.4.2 Separation of Duties
1.4.3 Defense in Depth
1.4.4 Fail Secure
1.4.5 Weakest Link
1.4.6 Single Point of Failure
1.5 Review Questions
2 Regulations, Privacy, and Compliance
2.1 Introduction
2.2 Policy to Procedure
2.3 Sarbanes-Oxley (SOX) Act
2.4 Gramm-Leach-Bliley Act (GLBA)
2.5 Health Insurance Portability and Accountability Act (HIPAA)
2.6 Data Protection Act
2.7 Computer Misuse Act
2.8 State Security Breach Laws
2.9 Trusted Computing
2.10 PCI DSS Compliance Software
2.10.1 File Integrity Monitoring (FIM)
2.10.2 SIEM Event Correlation
2.10.3 Log Management & Monitoring
2.10.4 Compliance Reporting
2.11 Data
2.12 Privacy
2.13 Review Questions
3 Secure Software Methodologies
3.1 Introduction
3.2 Security is a people issue
3.3 Software Methodologies
3.4 DevSecOps = Secure DevOps
3.4.1 Security Built-In
3.4.2 Containers
3.4.3 Secure Application Programming Interface
3.4.4 Microservices
3.4.5 Secure APIs
3.4.6 Automation
3.4.7 CI/CD Pipeline
3.5 Agile
3.5.1 Agile Manifesto
3.5.2 Agile 12 Principles
3.5.3 Agile Terminology and Roles
3.5.4 Agile Process
3.6 Domain Driven Design
3.6.1 What is Domain Driven Design
3.6.2 Domain Models
3.6.3 Building Blocks
3.7 Review Questions
4 Risk Management
4.1 Introduction
4.2 Information Technology
4.3 NIST
4.4 Vulnerabilities
4.4.1 US-CERT
4.4.2 CVE
4.4.3 NVD
4.4.4 CVSS
4.4.5 CWE
4.4.6 Bugs Framework
4.5 Identify and Classify Vulnerabilities
4.5.1 Asset
4.5.2 Threat
4.5.3 Threat Source
4.5.4 Attack
4.5.5 Probability
4.5.6 Impact
4.5.7 Exposure Factor
4.5.8 Controls
4.5.9 Total Risk
4.5.10 Residual Risk
4.5.11 Calculation of Risk
4.6 CWSS Score Formula
4.6.1 Attack Surface Subscore
4.6.2 Environmental Subscore
4.6.3 Additional Features of the Formula
4.7 Organizational Policy
4.8 Policy Scope
4.9 Policy Development
4.9.1 Security Risk Assessment
4.10 Review Questions
5 Cryptography
5.1 Introduction
5.2 What is Cryptography?
5.2.1 Cipher
5.2.2 Cryptosystem
5.3 Hash Function
5.3.1 Message Digest
5.3.2 Secure Hashing Algorithm
5.3.3 RIPEMD
5.4 Symmetric
5.4.1 Data Encryption Standard
5.4.2 Triple Data Encryption Standard
5.4.3 Advanced Encryption Standard
5.5 Asymmetric
5.6 Public Key Infrastructure
5.6.1 Digital Certificate
5.6.2 Root Certificate
5.6.3 Smart Cards
5.6.4 Rivest Shamir Adleman
5.6.5 Diffie Hellman
5.6.6 ElGamal
5.7 Digital Signatures
5.8 Review Questions
6 Gathering Software Requirements
6.1 Introduction
6.2 Software Security Requirements
6.2.1 Requirements as User Stories
6.2.2 Types of security requirements
6.3 Backlog
6.3.1 Sprint
6.3.2 Requirements Traceability Matrix (RTM)
6.4 Use and Misuse Case Modeling
6.4.1 Use Case Modeling
6.4.2 Misuse Case Modeling
6.5 Review Questions
7 Designing Software Applications
7.1 Introduction
7.2 Design Considerations
7.2.1 Minimize the attack surface area
7.2.2 Establish secure defaults
7.2.3 Least Privilege
7.2.4 Defense-in-depth
7.2.5 Fail Securely
7.2.6 Don’t trust Services
7.2.7 Separation of duties
7.2.8 Avoid security by obscurity
7.2.9 Keep Security Simple
7.2.10 Fix security issues correctly
7.3 Internet of Things (IoT)
7.4 Data Loss Prevention
7.4.1 Data storage and sharing
7.4.2 Controlling administrative access to data
7.5 Cryptography
7.5.1 How to determine if you are vulnerable
7.5.2 How to protect yourself
7.5.3 Key Storage
7.5.4 Insecure transmission of secrets
7.5.5 Reversible authentication tokens
7.6 Threat Modeling
8 Implementing Software Requirements
8.1 Introduction
8.2 Secure Programming Fundamentals
8.2.1 What makes the best programmer?
8.2.2 AppSecTools
8.2.3 Development Environment
8.2.4 Staging Environment
8.3 Secure Software Implementation Processes
8.3.1 Versioning
8.3.2 Code Analysis
8.3.3 Code/Peer Reviews
8.4 Common Software Vulnerabilities
8.5 Review Questions
9 Testing Software Applications
9.1 Introduction
9.2 Staging Environment
9.3 Quality Assurance
9.4 Types of Testing
9.4.1 Unit Testing
9.4.2 Integration Testing
9.4.3 Logic Testing
9.4.4 Regression Testing
9.4.5 Recoverability Testing
9.4.6 Scalability Testing
9.4.7 Acceptance Testing
9.5 Security Testing Methods
9.5.1 White Box Testing
9.5.2 Black Box Testing
9.5.3 Fuzzing
9.5.4 Vulnerability Scanning
9.5.5 Static Analysis Security Testing (SAST)
9.5.6 Dynamic Analysis Security Testing (DAST)
9.5.7 Penetration Testing
9.6 Review Questions
10 Software Acceptance
10.1 Introduction
10.2 Guidelines for Software Acceptance
10.2.1 Completion Criteria
10.2.2 Change Management
10.2.3 Authority to Operate
10.2.4 Risk Acceptance
10.3 COTS, GOTS, and Open Source
10.3.1 Software Assurance
10.4 Configuration Control Board
10.4.1 Configuration Management
10.5 Production Environments
10.6 Installation Process
10.6.1 Hardening
10.7 Review Questions