Index
Title Page
Copyright Page
About the Authors
About the Technical Editor
Contents at a Glance
Contents
Acknowledgments
Introduction
Why Focus on Software Development?
The Role of CSSLP
How to Use This Book
The Examination
Exam Readiness Checklist
Part I: Secure Software Concepts
Chapter 1: General Security Concepts
The CSSLP Knowledge Base
General Security Concepts
Security Basics
Accounting (Auditing)
System Tenets
Secure Design Principles
Security Models
Access Control Models
Multilevel Security Model
Integrity Models
Information Flow Models
Adversaries
Adversary Type
Adversary Groups
Threat Landscape Shift
Chapter Review
Quick Tips
Questions
Answers
Chapter 2: Risk Management
Definitions and Terminology
General Terms
Quantitative Terms
Risk Management Statements
Types of Risk
Business Risk
Technology Risk
Risk Controls
Qualitative Risk Management
Qualitative Matrix
Quantitative Risk Management
Comparison of Qualitative and Quantitative Methods
Governance, Risk, and Compliance
Regulations and Compliance
Legal
Standards
Risk Management Models
General Risk Management Model
Software Engineering Institute Model
Model Application
Risk Options
Chapter Review
Quick Tips
Questions
Answers
Chapter 3: Security Policies and Regulations
Regulations and Compliance
FISMA
Sarbanes-Oxley
Gramm-Leach-Bliley
HIPAA and HITECH
Payment Card Industry Data Security Standard (PCI DSS)
Other Regulations
Legal Issues
Intellectual Property
Chapter 4: Software Development Methodologies
Secure Development Lifecycle
Principles
Security vs. Quality
Security Features != Secure Software
Secure Development Lifecycle Components
Software Team Awareness and Education
Gates and Security Requirements
Bug Tracking
Threat Modeling
Fuzzing
Security Reviews
Part II: Secure Software Requirements
Chapter 5: Policy Decomposition
Confidentiality, Integrity, and Availability Requirements
Confidentiality
Integrity
Availability
Authentication, Authorization, and Auditing Requirements
Identification and Authentication
Authorization
Auditing
Internal and External Requirements
Internal
External
Chapter Review
Quick Tips
Questions
Answers
Chapter 6: Data Classification and Categorization
Data Classification
Data States
Data Usage
Data Risk Impact
Data Ownership
Data Owner
Data Custodian
Labeling
Sensitivity
Impact
Types of Data
Structured
Unstructured
Data Lifecycle
Generation
Retention
Disposal
Chapter Review
Quick Tips
Questions
Answers
Chapter 7: Requirements
Functional Requirements
Role and User Definitions
Objects
Activities/Actions
Subject-Object-Activity Matrix
Use Cases
Abuse Cases (Inside and Outside Adversaries)
Sequencing and Timing
Secure Coding Standards
Operational Requirements
Deployment Environment
Requirements Traceability Matrix
Chapter Review
Quick Tips
Questions
Answers
Part III: Secure Software Design
Chapter 8: Design Processes
Attack Surface Evaluation
Attack Surface Measurement
Attack Surface Minimization
Threat Modeling
Threat Model Development
Control Identification and Prioritization
Risk Assessment for Code Reuse
Chapter 9: Design Considerations
Application of Methods to Address Core Security Concepts
Confidentiality, Integrity, and Availability
Authentication, Authorization, and Auditing
Secure Design Principles
Interconnectivity
Interfaces
Chapter Review
Quick Tips
Questions
Answers
Chapter 10: Securing Commonly Used Architecture
Distributed Computing
Client Server
Peer-to-Peer
Message Queuing
Service-Oriented Architecture
Enterprise Service Bus
Web Services
Rich Internet Applications
Client-Side Exploits or Threats
Remote Code Execution
Chapter 11: Technologies
Authentication and Identity Management
Identity Management
Authentication
Credential Management
X.509 Credentials
Single Sign-On
Flow Control (Proxies, Firewalls, Middleware)
Firewalls
Proxies
Application Firewalls
Queuing Technology
Logging
Syslog
Data Loss Prevention
Virtualization
Digital Rights Management
Trusted Computing
TCB
TPM
Malware
Code Signing
Database Security
Encryption
Triggers
Views
Privilege Management
Programming Language Environment
CLR
JVM
Compiler Switches
Sandboxing
Managed vs. Unmanaged Code
Operating Systems
Embedded Systems
Control Systems
Firmware
Chapter Review
Quick Tips
Questions
Answers
Part IV: Secure Software Implementation/Coding
Chapter 12: Common Software Vulnerabilities and Countermeasures
CWE/SANS Top 25 Vulnerability Categories
OWASP Vulnerability Categories
Common Vulnerabilities and Countermeasures
Injection Attacks
Cryptographic Failures
Input Validation Failures
Buffer Overflow
Canonical Form
Missing Defense Functions
General Programming Failures
Common Enumerations
Common Weakness Enumerations (CWE)
Common Vulnerabilities and Exposures (CVE)
Virtualization
Embedded Systems
Side Channel
Social Engineering Attacks
Phishing
Chapter Review
Quick Tips
Questions
Answers
Chapter 13: Defensive Coding Practices
Declarative vs. Programmatic Security
Bootstrapping
Cryptographic Agility
Handling Configuration Parameters
Memory Management
Type Safe Practice
Locality
Error Handling
Exception Management
Interface Coding
Primary Mitigations
Chapter Review
Quick Tips
Questions
Answers
Chapter 14: Secure Software Coding Operations
Code Analysis (Static and Dynamic)
Static
Dynamic
Code/Peer Review
Build Environment
Integrated Development Environment (IDE)
Antitampering Techniques
Configuration Management: Source Code and Versioning
Chapter Review
Quick Tips
Questions
Answers
Part V: Secure Software Testing
Chapter 15: Security Quality Assurance Testing
Standards for Software Quality Assurance
ISO 9216
SSE-CMM
OSSTMM
Functional Testing
Unit Testing
Integration or Systems Testing
Performance Testing
Security Testing
White-Box Testing
Black-Box Testing
Grey-Box Testing
Chapter 16: Security Testing
Scanning
Attack Surface Analyzer
Penetration Testing
Fuzzing
Simulation Testing
Testing for Failure
Cryptographic Validation
FIPS 140-2
Regression Testing
Part VI: Secure Software Acceptance
Chapter 17: Secure Software Acceptance
Introduction to Acceptance
Software Qualification Testing
Qualification Testing Plan
The Qualification Testing Hierarchy
Pre-release Activities
Implementing the Pre-release Testing Process
Completion Criteria
Risk Acceptance
Post-release Activities
Validation and Verification
Independent Testing
Chapter Review
Quick Tips
Questions
Answers
Part VII: Secure Software Installation, Deployment, Operations, Maintenance, and Disposal
Chapter 18: Secure Software Installation and Deployment
Secure Software Installation and Its Subsequent Deployment
Installation Validation and Verification
Planning for Operational Use
Configuration Management
Organizing the Configuration Management Process
Configuration Management Roles
The Configuration Management Plan
The Configuration Management Process
Chapter Review
Quick Tips
Questions
Answers
Chapter 19: Secure Software Operations and Maintenance
Secure Software Operations
Operation Process Implementation
The Software Maintenance Process
Monitoring
Incident Management
Problem Management
Change Management
Backup, Recovery, and Archiving
Secure Software Disposal
Software Disposal Planning
Software Disposal Execution
Chapter Review
Quick Tips
Questions
Answers
Chapter 20: Supply Chain and Software Acquisition
Supplier Risk Assessment
What Is Supplier Risk Assessment?
Risk Assessment for Code Reuse
Intellectual Property
Legal Compliance
Supplier Prequalification
Supplier Sourcing
Contractual Integrity Controls
Vendor Technical Integrity Controls for Third-party Suppliers
Managed Services
Service Level Agreements
Software Development and Testing
Code Testing
Security Testing Controls
Software Requirements Testing and Validation
Software Requirements Testing and Validation for Subcontractors
Software Delivery, Operations, and Maintenance
Chain of Custody
Publishing and Dissemination Controls
Systems-of-systems Integration
Software Authenticity and Integrity
Product Deployment and Sustainment Controls
Monitoring and Incident Management
Vulnerability Management, Tracking, and Resolution
Supplier Transitioning
Chapter Review
Quick Tips
Questions
Answers
Appendix A: About the Download
Downloadable MasterExam
System Requirements
MasterExam
Help
Removing Installation
Technical Support
LearnKey Technical Support
McGraw-Hill Education Technical Support and Customer Service
Appendix B: Practice Exam
Glossary
Index
Privacy
Privacy Policy
Personally Identifiable Information
Personal Health Information
Breach Notifications
Data Protection Principles
Security Standards
ISO
NIST
Secure Software Architecture
Security Frameworks
Trusted Computing
Principles
Trusted Computing Base
Trusted Platform Module
Microsoft Trustworthy Computing Initiative
Acquisition
Definitions and Terminology
Build vs. Buy Decision
Outsourcing
Contractual Terms and Service Level Agreements
Chapter Review
Quick Tips
Questions
Answers
Software Development Models
Waterfall
Spiral
Prototype
Agile Methods
Open Source
Microsoft Security Development Lifecycle
History
SDL Foundation
SDL Components
Chapter Review
Quick Tips
Questions
Answers
Documentation
Design and Architecture Technical Review
Chapter Review
Quick Tips
Questions
Answers
Pervasive/Ubiquitous Computing
Wireless
Location-Based
Constant Connectivity
Radio Frequency Identification
Near-Field Communication
Sensor Networks
Mobile Applications
Integration with Existing Architectures
Cloud Architectures
Software as a Service
Platform as a Service
Infrastructure as a Service
Chapter Review
Quick Tips
Questions
Answers
Environment
Bug Tracking
Defects
Errors
Vulnerabilities
Bug Bar
Attack Surface Validation
Testing Artifacts
Test Data Lifecycle Management
Chapter Review
Quick Tips
Questions
Answers
Impact Assessment and Corrective Action
Chapter Review
Quick Tips
Questions
Answers