Today's high-speed and rapidly changing development environments demand equally high-speed security practices. Still, achieving security remains a human endeavor, a core part of designing, generating and verifying software. Dr. James Ransome and Brook S.E. Schoenfield have built upon their previous works to explain that security starts with people; ultimately, humans generate software security. People collectively act through a particular and distinct set of methodologies, processes, and technologies that the authors have brought together into a newly designed, holistic, generic software development lifecycle facilitating software security at Agile, DevOps speed.
—Eric. S. Yuan, Founder and CEO, Zoom Video Communications, Inc.
It is essential that we embrace a mantra that ensures security is baked in throughout any development process. Ransome and Schoenfield leverage their abundance of experience and knowledge to clearly define why and how we need to build this new model around an understanding that the human element is the ultimate key to success.
—Jennifer Sunshine Steffens, CEO of IOActive
Both practical and strategic, Building in Security at Agile Speed is an invaluable resource for change leaders committed to building secure software solutions in a world characterized by increasing threats and uncertainty. Ransome and Schoenfield brilliantly demonstrate why creating robust software is a result of not only technical, but deeply human elements of agile ways of working.
—Jorgen Hesselberg, author of Unlocking Agility and Cofounder of Comparative Agility
The proliferation of open source components and distributed software services makes the principles detailed in Building in Security at Agile Speed more relevant than ever. Incorporating the principles and detailed guidance in this book into your SDLC is a must for all software developers and IT organizations. —George K Tsantes, CEO of Cyberphos, former partner at Accenture and Principal at EYDetailing the people, processes, and technical aspects of software security, Building in Security at Agile Speed emphasizes that the people element remains critical because software is developed, managed, and exploited by humans. This book presents a step-by-step process for software security that uses today’s technology, operational, business, and development methods with a focus on best practice, proven activities, processes, tools, and metrics for any size or type of organization and development practice.
Table of Contents
Dedications. Contents. Foreword by Dr. David Brumley. Preface. Acknowledgments. About the Authors. 1. Setting the Stage. 2. Software Development Security Management in an Agile World. 3. A Generic Security Development Lifecycle (SDL). 4. Secure Design through Threat Modeling. 5. Enhancing Software Development Security Management in an Agile World. 6. Culture Hacking. Appendix A: The Generic Security Development Lifecycle. Index.
Dr. James Ransome is the Chief Scientist for CyberPhos, an early-stage cybersecurity startup, and continues to do ad hoc consulting. He also serves on the Board of Directors for the Bay Area CSO Council. Most recently, Dr. Ransome was the Senior Director, Security Development Lifecycle (SDL) Engineering, in the Intel Product Security and Assurance, Governance and Operations (IPAS GO) Group, where he led and developed a team of SDL engineers, architects, and product security experts that implemented and drove security practices across all of Intel. Prior to that, he was the Senior Director of Product Security and PSIRT at Intel Security and McAfee, LLC. Over a six-year period, he built, managed, and enhanced a developer-centric, self-sustaining, and scalable software security program, with an extended team of 120 software security architects embedded in each product team. All of this was a result of implementing and enhancing the model described in his most recent book, Core Software Security: Security at the Source, which has become a standard reference for many corporate security leaders who are responsible for developing their own SDLs.
Brook S. E. Schoenfield is the author of Secrets of a Cyber Security Architect, Securing Systems: Applied Security Architecture and Threat Models, and Chapter 9: Applying the SDL Framework to the Real World in Core Software Security: Security at the Source. He has been published by CRC Press, Auerbach, SANS Institute, Cisco, SAFECode, and the IEEE. Occasionally, he even posts to his security architecture blog, brookschoenfield.com.