Secure and Resilient Software Development

1st Edition

By Mark S. Merkow, Lakshmikanth Raghavan

Auerbach Publications

392 pages | 57 B/W Illus.

Hardback: 9781439826966
pub: 2010-06-16
eBook (VitalSource): 9780429152146
pub: 2010-06-16

Although many software books highlight open problems in secure software development, few provide easily actionable, ground-level solutions. Breaking the mold, Secure and Resilient Software Development teaches you how to apply best practices and standards for consistent and secure software development. It details specific quality software development strategies and practices that stress resilience requirements with precise, actionable, and ground-level inputs.

Providing comprehensive coverage, the book illustrates all phases of the secure software development life cycle. It shows developers how to master non-functional requirements including reliability, security, and resilience. The authors provide expert-level guidance through all phases of the process and supply many best practices, principles, testing practices, and design methodologies.

For updates to this book and ongoing activities of interest to the secure and resilient software community, please visit:

"Secure and Resilient Software Development provides a strong foundation for anyone getting started in application security. Most application security books fall into two categories: business-oriented and vague or ridiculously super technical. Mark and Laksh draw on their extensive experience to bridge this gap effectively. The book consistently links important technical concepts back to the business reasons for application security with interesting stories about real companies dealing with application security issues."

—Jeff Williams, Chair, The OWASP Foundation

Table of Contents

How Does Software Fail Thee? Let Us Count the Ways

Vulnerabilities Abound

Security Flaws Are Omnipresent

Cars Have Their Share of Computer Problems Too

Tracing the Roots of Defective Software

What Are the True Costs of Insecure Software to Global Enterprises?

Addressing Security Questions Addresses Resilience

Characteristics of Secure and Resilient Software

Functional Versus Nonfunctional Requirements

Testing Nonfunctional Requirements

Families of Nonfunctional Requirements

Characteristics of Good Requirements

Eliciting Nonfunctional Requirements

Documenting Nonfunctional Requirements

Security and Resilience in the Software Development Life Cycle

Resilience and Security Begin from Within

Requirements Gathering and Analysis

Systems Design and Detailed Design

Functional Decomposition

Categorizing Threats

Ranking Threats

Mitigation Planning

Design Reviews

Development (Coding) Phase

Static Analysis

Peer Review

Unit Testing

Security Training

Proven Best Practices for Resilient Applications

Critical Concepts

The Security Perimeter

Attack Surface

Mapping the Attack Surface

Side Channel Attacks

Application Security and Resilience Principles

Practice 1: Apply Defense in Depth

Practice 2: Use a Positive Security Model

Practice 3: Fail Securely

Practice 4: Run with Least Privilege

Practice 5: Avoid Security by Obscurity

Practice 6: Keep Security Simple

Practice 7: Detect Intrusions

Log All Security-Relevant Information

Ensure That the Logs Are Monitored Regularly

Respond to Intrusions

Practice 8: Don’t Trust Infrastructure

Practice 9: Don’t Trust Services

Practice 10: Establish Secure Defaults

Mapping Best Practices to Nonfunctional Requirements

Designing Applications for Security and Resilience

Design Phase Recommendations

Misuse Case Modeling

Security Design and Architecture Review

Threat and Risk Modeling

Risk Analysis and Modeling

Security Requirements and Test Case Generation

Design to Meet Nonfunctional Requirements

Design Patterns

Architecting for the Web

Architecture and Design Review Checklist

Programming Best Practices

The Evolution of Software Attacks

The OWASP Top 10

A1: Injection

A2: Cross-Site Scripting

A3: Broken Authentication and Session Management

A4: Insecure Direct Object References

A5: Cross-Site Request Forgery

A6: Security Misconfiguration

A7: Failure to Restrict URL Access

A8: Unvalidated Redirects and Forwards

A9: Insecure Cryptographic Storage

A10: Insufficient Transport Layer Protection

OWASP Enterprise Security API (ESAPI)

Input Validation and Handling

Client-Side Versus Server-Side Validation

Input Sanitization

Examples of Attacks due to Improper Input Handling

Approaches to Validating Input Data

Handling Bad Input

ESAPI Interfaces

Cross-Site Scripting

Same Origin Policy

Attacks Through XSS

Prevention of Cross-Site Scripting

ESAPI Interfaces

Injection Attacks

SQL Injection

Stored Procedures

Identifying SQL Injection and Exploitation

Defending Against SQL Injection

Creating SQL Queries

Additional Controls to Prevent SQL Injection Attacks

ESAPI Interfaces

Authentication and Session Management

Attacking Log-in Functionality

Attacking Password Resets

Attacking Sensitive Transactions

Cross-Site Request Forgery

CSRF Mitigation

Session Management

Attacking Log-out Functionality

Defenses Against Log-out Attacks

Defenses Against Cookie Attacks

Session Identifiers

ESAPI Interfaces

Access Control

Avoiding Security Through Obscurity

Access Control Issues

Testing for Broken Access Control

Defenses Against Access Control Attacks

Administrator Interfaces

Protecting Administrator Interfaces

ESAPI Interfaces

Hashing and Password Security

Attacking the Hash

Precomputed Attacks

Message Authentication Code (MAC)

Home-Grown Algorithms

Randomness and Pseudo-Randomness

ESAPI Interfaces

Error Handling

User Error Messages

Log-in Error Messages—A Case Study

Error Message Differentiation

Developer Error Messages

Information to Be Kept Private

Structured Exception Handling

ESAPI Interfaces

Ajax and Flash

AJAX Application Traffic

AJAX Client Requests

Server Responses

Typical Attacks Against AJAX Applications

Security Recommendations for AJAX Applications

Adobe Flash—Sandbox Security Model

Cross-Domain Policy

Restrict SWF Files Embedded in HTML

Attacking Flash Applications

Securing Flash Applications

Additional Best Practices for Software Resilience

Externalize Variables

EncryptedProperties—Method Summary

Initialize Variables Properly

Do Not Ignore Values Returned by Functions

Avoid Integer Overflows

Top Secure Coding Practices

Fifty Questions to Improve Software Security

Special Considerations for Embedded Systems, Cloud Computing, and Mobile Computing Devices

Embedded Systems

Bad Assumptions About Embedded Systems Programming

New Mantras

The Framework

Distributed Applications/Cloud Computing

Representational State Transfer (REST)

REST Stateless Authentication

Attacking Distributed APIs

Securing Distributed APIs

Mobile Applications

Windows Mobile

Mobile Application Security

Security Testing of Custom Software Applications

Fixing Early Versus Fixing After Release

Testing Phases

Unit Testing

Manual Source Code Review

The Code Review Process

Automated Source Code Analysis

Automated Reviews Compared with Manual Reviews

Commercial and Free Source Code Analyzers

Fortify 360

Acquiring Commercial or Open-Source Analysis Tools

Deployment Strategy

IDE Integration for Developers

Build Integration for Governance

Regulatory Compliance

Benefits of Using Source Code Analyzers

Penetration (Pen) Testing

Penetration Testing Tools

Automated Black Box Scanning

Deployment Strategy

Gray Box Testing

Limitations and Constraints of Pen Testing Tools

Testing Commercial off-the-Shelf Systems

The Problems with Shrink-Wrapped Software

The Common Criteria for Information Technology Security Evaluation

Harmonizing Evaluation Criteria

Key Concepts of the Common Criteria

The Security Framework

The Common Criteria Approach

The Security Environment

The Common Criteria Portal

Criticisms of the CC

The Commercial Community Responds

The BITS/FSTC Security Assurance Initiative

Evaluation Methodology

Certification Criteria

ICSA Labs Testing and Certification Process

Veracode’s VerAfied Software Assurance

Ratings Methodology

Assessing Software for the VerAfied Mark

Implementing Security and Resilience Using CLASP

Comprehensive, Lightweight Application Security Process (CLASP)

CLASP Concepts

Overview of the CLASP Process

CLASP Key Best Practices

Best Practice 1: Institute Awareness Programs

Best Practice 2: Perform Application Assessments

Best Practice 3: Capture Security Requirements

Best Practice 4: Implement Secure Development Practices

Best Practice 5: Build Vulnerability Remediation Procedures

Best Practice 6: Define and Monitor Metrics

Best Practice 7: Publish Operational Security Guidelines

CLASP Security Activities to Augment Software Development Processes

Applying CLASP Security Activities to Roles

Re-engineering Your SDLC for CLASP

Business Objectives

Process Milestones

Process Evaluation Criteria

Forming the Process Re-engineering Team

Sample CLASP Implementation Roadmaps

Green-Field Roadmap

Legacy Roadmap

Metrics and Models for Security and Resilience Maturity

Maturity Models for Security and Resilience

Software Assurance Maturity Model—OpenSAMM

Core Practice Areas

Levels of Maturity

The Building Security In Maturity Model (BSIMM)

BSIMM Software Security Framework

BSIMM Activities

Governance: Strategy and Metrics

Governance: Compliance and Policy

Governance: Training

Intelligence: Attack Models

Intelligence: Security Features and Design

Intelligence: Standards and Requirements

SSDL Touchpoints: Architecture Analysis

SSDL Touchpoints: Code Review

SSDL Touchpoints: Security Testing

Deployment: Penetration Testing

Deployment: Software Environment

Deployment: Configuration Management and Vulnerability Management

Measuring Results with BSIMM

Helpful Resources For Implementing BSIMM

Applying BSIMM to the Financial Services Domain

Working Group Methodology

Taking It to the Streets

Getting Educated

DEVELOPER 530: Defending Web Applications

DEVELOPER 530: Essential Secure Coding in Java/JEE

DEVELOPER 541: Secure Coding in Java/JEE: Developing Defensible Applications

DEVELOPER 542: Web App Penetration Testing and Ethical Hacking

DEVELOPER 544: Secure Coding in .NET: Developing Defensible Applications

DEVELOPER 545: Secure Coding in PHP: Developing Defensible Applications

DEVELOPER 534: Secure Code Review for Java Web Apps

DEVELOPER 543: Secure Coding in C/C++: Developing Defensible Applications

Aspect Security Inc.

CERT Software Engineering Institute (SEI)

SEI Secure Coding in C and C++ Course

Getting Certified

Certified Secure Software Lifecycle Professional (CSSLP)

Why Obtain the CSSLP?

Benefits of Certification to the Professional

Benefits of Certification to the Enterprise

Getting Involved

Web Application Security Consortium

Reaching Out for Research

DHS Research Program Areas

The U.S. Treasury and the FSSCC

Last Call

Appendix A 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

A.1 Brief Listing of the Top 25

A.1.1 Insecure Interaction Between Components

A.1.2 Risky Resource Management

A.1.3 Porous Defenses

A.2 Detailed CWE Descriptions

A.2.1 CWE-79: Failure to Preserve Web Page Structure (“Cross-Site Scripting”)

A.2.2 CWE-89: Improper Sanitization of Special Elements Used in an SQL Command (“SQL Injection”)

A.2.3 CWE-120: Buffer Copy Without Checking Size of Input (“Classic Buffer Overflow”)

A.2.4 CWE-352: Cross-Site Request Forgery (CSRF)

A.2.5 CWE-285: Improper Access Control (Authorization)

A.2.6 CWE-807: Reliance on Un-trusted Inputs in a Security Decision

A.2.7 CWE-22: Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)

A.2.8 CWE-434: Unrestricted Upload of File with Dangerous Type

A.2.9 CWE-78: Improper Sanitization of Special Elements Used in an OS Command (“OS Command Injection”)

A.2.10 CWE-311: Missing Encryption of Sensitive Data

A.2.11 CWE-798: Use of Hard-Coded Credentials

A.2.12 CWE-805: Buffer Access with Incorrect Length Value

A.2.13 CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (“PHP File Inclusion”)

A.2.14 CWE-129: Improper Validation of Array Index

A.2.15 CWE-754: Improper Check for Unusual or Exceptional Conditions

A.2.16 CWE-209: Information Exposure Through an Error Message

A.2.17 CWE-190: Integer Overflow or Wraparound

A.2.18 CWE-131: Incorrect Calculation of Buffer Size

A.2.19 CWE-306: Missing Authentication for Critical Function

A.2.20 CWE-494: Download of Code Without Integrity Check

A.2.21 CWE-732: Incorrect Permission Assignment for Critical Resource

A.2.22 CWE-770: Allocation of Resources Without Limits or Throttling

A.2.23 CWE-601: URL Redirection to Untrusted Site (“Open Redirect”)

A.2.24 … Cryptographic Algorithm

A.2.25 CWE-362: Race Condition

Appendix B Enterprise Security API

B.1 Interface Encoder

B.2 Interface User

B.3 Interface Authenticator

B.4 Interface AccessController

B.5 Interface AccessReferenceMap

B.6 Interface Encryptor

B.7 Interface HTTPUtilities

B.8 Interface Logger

Each chapter concludes with a "References" section.

About the Authors

Mark S. Merkow, CISSP, CISM, CSSLP, works at PayPal Inc. (an eBay company) in Scottsdale, Arizona, as Manager of Security Consulting and IT Security Strategy in the Information Risk Management area. Mark has over 35 years of experience in information technology in a variety of roles, including applications development, systems analysis and design, security engineering, and security management. Mark holds a Master's in Decision and Information Systems from Arizona State University (ASU), a Master's of Education in Distance Learning from ASU, and a BS in Computer Information Systems from ASU. In addition to his day job, Mark engages in a number of extracurricular activities, including consulting, course development, online course delivery, writing e-business columns, and writing books on information technology and information security.

Mark has authored or co-authored nine books on IT and has been a contributing editor to four others.

Mark remains very active in the information security community, working in a variety of roles for the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Financial Services Technology Consortium (FSTC), and the Financial Services Sector Coordinating Council (FSCCC) on Homeland Security and Critical Infrastructure Protection.

Lakshmikanth Raghavan (Laksh) works at PayPal Inc. (an eBay company) as Staff Information Security Engineer in the Information Risk Management area. He has over eight years of experience in the areas of information security and information risk management and has been providing consulting services to Fortune 500 companies and financial services companies around the world in his previous stints. He is a Certified Ethical Hacker (CEH) and also maintains the Certified Information Security Manager (CISM) certificate from ISACA (previously known as the Information Systems Audit and Control Association). Laksh holds a Bachelor's degree in Electronics & Telecommunication Engineering from the University of Madras, India. Laksh enjoys writing security-related articles and has spoken on the various dimensions of software security at industry forums and security conferences.

Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Information Technology
COMPUTERS / Programming Languages / General
COMPUTERS / Software Development & Engineering / General
COMPUTERS / Security / General