1st Edition

Secure and Resilient Software Development

ISBN 9781439826966
Published June 16, 2010 by Auerbach Publications
392 Pages, 57 B/W Illustrations

USD $130.00



Book Description

Although many software books highlight open problems in secure software development, few provide easily actionable, ground-level solutions. Breaking the mold, Secure and Resilient Software Development teaches you how to apply best practices and standards for consistent and secure software development. It details specific software development strategies and practices that treat resilience as a requirement, with precise, actionable, ground-level guidance.

Providing comprehensive coverage, the book illustrates all phases of the secure software development life cycle. It shows developers how to master non-functional requirements including reliability, security, and resilience. The authors provide expert-level guidance through all phases of the process and supply many best practices, principles, testing practices, and design methodologies.

For updates to this book and ongoing activities of interest to the secure and resilient software community, please visit:

"Secure and Resilient Software Development provides a strong foundation for anyone getting started in application security. Most application security books fall into two categories: business-oriented and vague or ridiculously super technical. Mark and Laksh draw on their extensive experience to bridge this gap effectively. The book consistently links important technical concepts back to the business reasons for application security with interesting stories about real companies dealing with application security issues."

—Jeff Williams, Chair, The OWASP Foundation

Table of Contents

How Does Software Fail Thee? Let Us Count the Ways
Vulnerabilities Abound
     Security Flaws Are Omnipresent
     Cars Have Their Share of Computer Problems Too
Tracing the Roots of Defective Software
What Are the True Costs of Insecure Software to Global Enterprises?
Addressing Security Questions Addresses Resilience

Characteristics of Secure and Resilient Software

Functional Versus Nonfunctional Requirements
Testing Nonfunctional Requirements
Families of Nonfunctional Requirements
Characteristics of Good Requirements
Eliciting Nonfunctional Requirements
Documenting Nonfunctional Requirements

Security and Resilience in the Software Development Life Cycle

Resilience and Security Begin from Within
Requirements Gathering and Analysis
Systems Design and Detailed Design
     Functional Decomposition
     Categorizing Threats
     Ranking Threats
     Mitigation Planning
Design Reviews
Development (Coding) Phase
    Static Analysis 
    Peer Review 
    Unit Testing
Security Training

Proven Best Practices for Resilient Applications

Critical Concepts
The Security Perimeter
Attack Surface
     Mapping the Attack Surface
     Side Channel Attacks
Application Security and Resilience Principles
Practice 1: Apply Defense in Depth
Practice 2: Use a Positive Security Model
Practice 3: Fail Securely
Practice 4: Run with Least Privilege
Practice 5: Avoid Security by Obscurity
Practice 6: Keep Security Simple
Practice 7: Detect Intrusions
Log All Security-Relevant Information
Ensure That the Logs Are Monitored Regularly
Respond to Intrusions
Practice 8: Don’t Trust Infrastructure
Practice 9: Don’t Trust Services
Practice 10: Establish Secure Defaults
Mapping Best Practices to Nonfunctional Requirements

Designing Applications for Security and Resilience

Design Phase Recommendations
     Misuse Case Modeling
     Security Design and Architecture Review
     Threat and Risk Modeling
     Risk Analysis and Modeling
     Security Requirements and Test Case Generation
Design to Meet Nonfunctional Requirements
Design Patterns
Architecting for the Web
Architecture and Design Review Checklist

Programming Best Practices

The Evolution of Software Attacks
The OWASP Top 10
     A1: Injection
     A2: Cross-Site Scripting
     A3: Broken Authentication and Session Management
     A4: Insecure Direct Object References
     A5: Cross-Site Request Forgery 
     A6: Security Misconfiguration
     A7: Failure to Restrict URL Access 
     A8: Unvalidated Redirects and Forwards
     A9: Insecure Cryptographic Storage 
    A10: Insufficient Transport Layer Protection
OWASP Enterprise Security API (ESAPI)
     Input Validation and Handling
     Client-Side Versus Server-Side Validation
     Input Sanitization
     Examples of Attacks due to Improper Input Handling
     Approaches to Validating Input Data
     Handling Bad Input
     ESAPI Interfaces 
Cross-Site Scripting
     Same Origin Policy
     Attacks Through XSS
     Prevention of Cross-Site Scripting
     ESAPI Interfaces
Injection Attacks
     SQL Injection
     Stored Procedures
     Identifying SQL Injection and Exploitation
     Defending Against SQL Injection
     Creating SQL Queries
     Additional Controls to Prevent SQL Injection Attacks
     ESAPI Interfaces
Authentication and Session Management
     Attacking Log-in Functionality
     Attacking Password Resets
     Attacking Sensitive Transactions
Cross-Site Request Forgery
     CSRF Mitigation 
Session Management
     Attacking Log-out Functionality
     Defenses Against Log-out Attacks
     Defenses Against Cookie Attacks
     Session Identifiers
     ESAPI Interfaces
Access Control
     Avoiding Security Through Obscurity
     Access Control Issues
     Testing for Broken Access Control
     Defenses Against Access Control Attacks
     Administrator Interfaces
     Protecting Administrator Interfaces
     ESAPI Interfaces
     Hashing and Password Security
     Attacking the Hash
     Precomputed Attacks
     Message Authentication Code (MAC)
     Home-Grown Algorithms
     Randomness and Pseudo-Randomness
     ESAPI Interfaces 
Error Handling
     User Error Messages
     Log-in Error Messages—A Case Study
     Error Message Differentiation
     Developer Error Messages
     Information to Be Kept Private
     Structured Exception Handling
     ESAPI Interfaces
Ajax and Flash
     AJAX Application Traffic
     AJAX Client Requests
     Server Responses
     Typical Attacks Against AJAX Applications
     Security Recommendations for AJAX Applications
     Adobe Flash—Sandbox Security Model
     Cross-Domain Policy
     Restrict SWF Files Embedded in HTML
     Attacking Flash Applications
     Securing Flash Applications
Additional Best Practices for Software Resilience
     Externalize Variables
     EncryptedProperties—Method Summary
     Initialize Variables Properly
     Do Not Ignore Values Returned by Functions
     Avoid Integer Overflows
Top Secure Coding Practices
Fifty Questions to Improve Software Security

Special Considerations for Embedded Systems, Cloud Computing, and Mobile Computing Devices
Embedded Systems
     Bad Assumptions About Embedded Systems Programming
     New Mantras
     The Framework
Distributed Applications/Cloud Computing
     Representational State Transfer (REST)
     REST Stateless Authentication
     Attacking Distributed APIs
     Securing Distributed APIs
Mobile Applications
     Windows Mobile
     Mobile Application Security 

Security Testing of Custom Software Applications
Fixing Early Versus Fixing After Release
Testing Phases
Unit Testing
Manual Source Code Review
The Code Review Process
Automated Source Code Analysis
     Automated Reviews Compared with Manual Reviews
     Commercial and Free Source Code Analyzers
     Fortify 360
Acquiring Commercial or Open-Source Analysis Tools 
Deployment Strategy 
     IDE Integration for Developers 
     Build Integration for Governance
Regulatory Compliance
Benefits of Using Source Code Analyzers
Penetration (Pen) Testing
     Penetration Testing Tools
     Automated Black Box Scanning
     Deployment Strategy
     Gray Box Testing 
     Limitations and Constraints of Pen Testing Tools

Testing Commercial off-the-Shelf Systems

The Problems with Shrink-Wrapped Software
The Common Criteria for Information Technology Security Evaluation
     Harmonizing Evaluation Criteria
     Key Concepts of the Common Criteria
     The Security Framework
     The Common Criteria Approach
     The Security Environment
     The Common Criteria Portal
     Criticisms of the CC
The Commercial Community Responds
     The BITS/FSTC Security Assurance Initiative
Evaluation Methodology
Certification Criteria
ICSA Labs Testing and Certification Process
Veracode’s VerAfied Software Assurance
     Ratings Methodology
     Assessing Software for the VerAfied Mark

Implementing Security and Resilience Using CLASP

Comprehensive, Lightweight Application Security Process (CLASP)
CLASP Concepts
Overview of the CLASP Process
CLASP Key Best Practices
     Best Practice 1: Institute Awareness Programs
     Best Practice 2: Perform Application Assessments
     Best Practice 3: Capture Security Requirements
     Best Practice 4: Implement Secure Development Practices
     Best Practice 5: Build Vulnerability Remediation Procedures
     Best Practice 6: Define and Monitor Metrics
     Best Practice 7: Publish Operational Security Guidelines 
CLASP Security Activities to Augment Software Development Processes
Applying CLASP Security Activities to Roles
Re-engineering Your SDLC for CLASP
     Business Objectives
     Process Milestones
     Process Evaluation Criteria
     Forming the Process Re-engineering Team 
Sample CLASP Implementation Roadmaps
     Green-Field Roadmap 
     Legacy Roadmap

Metrics and Models for Security and Resilience Maturity

Maturity Models for Security and Resilience
Software Assurance Maturity Model—OpenSAMM
     Core Practice Areas
     Levels of Maturity
The Building Security In Maturity Model (BSIMM)
     BSIMM Software Security Framework
BSIMM Activities 
     Governance: Strategy and Metrics 
     Governance: Compliance and Policy 
     Governance: Training 
     Intelligence: Attack Models
     Intelligence: Security Features and Design
     Intelligence: Standards and Requirements 
     SSDL Touchpoints: Architecture Analysis
     SSDL Touchpoints: Code Review
     SSDL Touchpoints: Security Testing  
     Deployment: Penetration Testing
     Deployment: Software Environment
     Deployment: Configuration Management and Vulnerability Management
Measuring Results with BSIMM
Helpful Resources For Implementing BSIMM
Applying BSIMM to the Financial Services Domain
     Working Group Methodology 

Taking It to the Streets
Getting Educated
     DEVELOPER 530: Defending Web Applications
     DEVELOPER 530: Essential Secure Coding in Java/JEE
     DEVELOPER 541: Secure Coding in Java/JEE: Developing Defensible Applications
     DEVELOPER 542: Web App Penetration Testing and Ethical Hacking
     DEVELOPER 544: Secure Coding in .NET: Developing Defensible Applications
     DEVELOPER 545: Secure Coding in PHP: Developing Defensible Applications
     DEVELOPER 534: Secure Code Review for Java Web Apps
     DEVELOPER 543: Secure Coding in C/C++: Developing Defensible Applications
     Aspect Security Inc.
     CERT Software Engineering Institute (SEI)
     SEI Secure Coding in C and C++ Course
Getting Certified
     Certified Secure Software Lifecycle Professional (CSSLP)
     Why Obtain the CSSLP?
     Benefits of Certification to the Professional
     Benefits of Certification to the Enterprise
Getting Involved
     Web Application Security Consortium
Reaching Out for Research
     DHS Research Program Areas
     The U.S. Treasury and the FSSCC
Last Call

Appendix A 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

A.1 Brief Listing of the Top 25
     A.1.1 Insecure Interaction Between Components
     A.1.2 Risky Resource Management
     A.1.3 Porous Defenses
A.2 Detailed CWE Descriptions 
     A.2.1 CWE-79: Failure to Preserve Web Page Structure (“Cross-Site Scripting”)
     A.2.2 CWE-89: Improper Sanitization of Special Elements Used in an SQL Command (“SQL Injection”)
     A.2.3 CWE-120: Buffer Copy Without Checking Size of Input (“Classic Buffer Overflow”)
     A.2.4 CWE-352: Cross-Site Request Forgery (CSRF)
     A.2.5 CWE-285: Improper Access Control (Authorization)
     A.2.6 CWE-807: Reliance on Un-trusted Inputs in a Security Decision
     A.2.7 CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
     A.2.8 CWE-434: Unrestricted Upload of File with Dangerous Type
     A.2.9 CWE-78: Improper Sanitization of Special Elements Used in an OS Command (“OS Command Injection”)
     A.2.10 CWE-311: Missing Encryption of Sensitive Data
     A.2.11 CWE-798: Use of Hard-Coded Credentials
     A.2.12 CWE-805: Buffer Access with Incorrect Length Value
     A.2.13 CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (“PHP File Inclusion”)
     A.2.14 CWE-129: Improper Validation of Array Index
     A.2.15 CWE-754: Improper Check for Unusual or Exceptional Conditions
     A.2.16 CWE-209: Information Exposure Through an Error Message
     A.2.17 CWE-190: Integer Overflow or Wraparound
     A.2.18 CWE-131: Incorrect Calculation of Buffer Size
     A.2.19 CWE-306: Missing Authentication for Critical Function
     A.2.20 CWE-494: Download of Code Without Integrity Check
     A.2.21 CWE-732: Incorrect Permission Assignment for Critical Resource
     A.2.22 CWE-770: Allocation of Resources Without Limits or Throttling
     A.2.23 CWE-601: URL Redirection to Untrusted Site (“Open Redirect”)
     A.2.24 CWE-327: Use of a Broken or Risky Cryptographic Algorithm
     A.2.25 CWE-362: Race Condition

Appendix B Enterprise Security API
B.1 Interface Encoder
B.2 Interface User
B.3 Interface Authenticator
B.4 Interface AccessController
B.5 Interface AccessReferenceMap
B.6 Interface Encryptor
B.7 Interface HTTPUtilities
B.8 Interface Logger


Each chapter concludes with a "References" Section




Mark S. Merkow, CISSP, CISM, CSSLP, works at PayPal Inc. (an eBay company) in Scottsdale, Arizona, as Manager of Security Consulting and IT Security Strategy in the Information Risk Management area. Mark has over 35 years of experience in information technology in a variety of roles, including applications development, systems analysis and design, security engineer, and security manager. Mark holds a Masters in Decision and Info Systems from Arizona State University (ASU), a Masters of Education in Distance Learning from ASU, and a BS in Computer Info Systems from ASU. In addition to his day job, Mark engages in a number of extracurricular activities, including consulting, course development, online course delivery, writing e-business columns, and writing books on information technology and information security.

Mark has authored or co-authored nine books on IT and has been a contributing editor to four others.

Mark remains very active in the information security community, working in a variety of roles for the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Financial Services Technology Consortium (FSTC), and the Financial Services Sector Coordinating Council (FSSCC) on Homeland Security and Critical Infrastructure Protection.

Lakshmikanth Raghavan (Laksh) works at PayPal Inc. (an eBay company) as Staff Information Security Engineer in the Information Risk Management area. He has over eight years of experience in the areas of information security and information risk management and has been providing consulting services to Fortune 500 companies and financial services companies around the world in his previous stints. He is a Certified Ethical Hacker (CEH) and also maintains the Certified Information Security Manager (CISM) certificate from ISACA (previously known as the Information Systems Audit and Control Association). Laksh holds a Bachelor's degree in Electronics & Telecommunication Engineering from the University of Madras, India. Laksh enjoys writing security-related articles and has spoken on the various dimensions of software security at industry forums and security conferences.
