Cover Page
Half-Title Page
Title Page
Copyright Page
Dedication
Table of Contents
Preface
  How This Book Is Organized

Chapter 1: Today’s Software Development Practices Shatter Old Security Practices
  Chapter Overview
  Chapter Takeaways
  1.1 Over the Waterfall
  1.2 What Is Agile?
  1.3 Shift Left!
  1.4 Principles First!
  1.5 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 2: Deconstructing Agile and Scrum
  Chapter Overview
  Chapter Takeaways
  2.1 The Goals of Agile and Scrum
  2.2 Agile/Scrum Terminology
  2.3 Agile/Scrum Roles
  2.4 Unwinding Sprint Loops
  2.5 Development and Operations Teams Get Married
  2.6 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 3: Learning Is FUNdamental!
  Chapter Overview
  Chapter Takeaways
  3.1 Education Provides Context, and Context Is Key
  3.2 Principles for Software Security Education
  3.3 Getting People’s Attention
  3.4 Awareness versus Education
  3.5 Moving into the Education Phase
  3.6 Strategies for Rolling Out Training
  3.7 Encouraging Training Engagement and Completion
  3.8 Measuring Success
  3.9 Keeping the Drumbeat Alive
  3.10 Create and Mature a Security Champion Network
  3.11 A Checklist for Establishing a Software Security Education, Training, and Awareness Program
  3.12 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 4: Product Backlog Development—Building Security In
  Chapter Overview
  Chapter Takeaways
  4.1 Functional versus Nonfunctional Requirements
  4.2 Testing NFRs
  4.3 Families of Nonfunctional Requirements
    4.3.1 Availability
  4.4 Capacity
  4.5 Efficiency
  4.6 Interoperability
  4.7 Manageability
    4.7.1 Cohesion
    4.7.2 Coupling
  4.8 Maintainability
  4.9 Performance
  4.10 Portability
  4.11 Privacy
  4.12 Recoverability
  4.13 Reliability
  4.14 Scalability
  4.15 Security
  4.16 Serviceability/Supportability
  4.17 Characteristics of Good Requirements
  4.18 Eliciting Nonfunctional Requirements
  4.19 NFRs as Acceptance Criteria and Definition of Done
  4.20 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 5: Secure Design Considerations
  Chapter Overview
  Chapter Takeaways
  5.1 Essential Concepts
  5.2 The Security Perimeter
  5.3 Attack Surface
    5.3.1 Mapping the Attack Surface
    5.3.2 Side Channel Attacks
  5.4 Application Security and Resilience Principles
    5.4.1 Practice 1: Apply Defense in Depth
    5.4.2 Practice 2: Use a Positive Security Model
    5.4.3 Practice 3: Fail Securely
    5.4.4 Practice 4: Run with Least Privilege
    5.4.5 Practice 5: Avoid Security by Obscurity
    5.4.6 Practice 6: Keep Security Simple
    5.4.7 Practice 7: Detect Intrusions
    5.4.8 Practice 8: Don’t Trust Infrastructure
    5.4.9 Practice 9: Don’t Trust Services
    5.4.10 Practice 10: Establish Secure Defaults
  5.5 Mapping Best Practices to Nonfunctional Requirements (NFRs) as Acceptance Criteria
  5.6 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 6: Security in the Design Sprint
  Chapter Overview
  Chapter Takeaways
  6.1 Design Phase Recommendations
  6.2 Modeling Misuse Cases
  6.3 Conduct Security Design and Architecture Reviews in Design Sprint
  6.4 Perform Threat and Application Risk Modeling
    6.4.1 Brainstorming Threats
  6.5 Risk Analysis and Assessment
    6.5.1 Damage Potential
    6.5.2 Reproducibility
    6.5.3 Exploitability
    6.5.4 Affected Users
    6.5.5 Discoverability
  6.6 Don’t Forget These Risks!
  6.7 Rules of Thumb for Defect Removal or Mitigation
  6.8 Further Needs for Information Assurance
  6.9 Countering Threats through Proactive Controls
  6.10 Architecture and Design Review Checklist
  6.11 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 7: Defensive Programming
  Chapter Overview
  Chapter Takeaways
  7.1 The Evolution of Attacks
  7.2 Threat and Vulnerability Taxonomies
    7.2.1 MITRE’s Common Weaknesses Enumeration (CWE)
    7.2.2 OWASP Top 10—2017
  7.3 Failure to Sanitize Inputs Is the Scourge of Software Development
  7.4 Input Validation and Handling
    7.4.1 Client-Side versus Server-Side Validation
    7.4.2 Input Sanitization
    7.4.3 Canonicalization
  7.5 Common Examples of Attacks Due to Improper Input Handling
    7.5.1 Buffer Overflow
    7.5.2 OS Commanding
  7.6 Best Practices in Validating Input Data
    7.6.1 Exact Match Validation
    7.6.2 Exact Match Validation Example
    7.6.3 Known Good Validation
    7.6.4 Known Bad Validation
    7.6.5 Handling Bad Input
  7.7 OWASP’s Secure Coding Practices
  7.8 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 8: Testing Part 1: Static Code Analysis
  Chapter Overview
  Chapter Takeaways
  8.1 Fixing Early versus Fixing Later
  8.2 Testing Phases
    8.2.1 Unit Testing
    8.2.2 Manual Source Code Reviews
    8.2.3 The Code Review Process
  8.3 Static Source Code Analysis
  8.4 Automated Reviews Compared with Manual Reviews
  8.5 Peeking Inside SAST Tools
  8.6 SAST Policies
  8.7 Using SAST in Development Sprints
  8.8 Software Composition Analysis (SCA)
  8.9 SAST is NOT for the Faint of Heart!
  8.10 Commercial and Free SAST Tools
  8.11 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 9: Testing Part 2: Penetration Testing/Dynamic Analysis/IAST/RASP
  Chapter Overview
  Chapter Takeaways
  9.1 Penetration (Pen) Testing
  9.2 Open Source Security Testing Methodology Manual (OSSTMM)
  9.3 OWASP’s ASVS
  9.4 Penetration Testing Tools
  9.5 Automated Pen Testing with Black Box Scanners
  9.6 Deployment Strategies
    9.6.1 Developer Testing
    9.6.2 Centralized Quality Assurance Testing
  9.7 Gray Box Testing
  9.8 Limitations and Constraints of Pen Testing
  9.9 Interactive Application Security Testing (IAST)
  9.10 Runtime Application Self-Protection (RASP)
  9.11 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 10: Securing DevOps
  Chapter Overview
  Chapter Takeaways
  10.1 Shifting Left All Around
    10.1.1 Changing the Business Culture
  10.2 The Three Ways That Make DevOps Work
  10.3 The Three Ways Applied to AppSec
  10.4 OWASP’s DevSecOps Maturity Model
  10.5 OWASP’s DevSecOps Studio
  10.6 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 11: Metrics and Models for AppSec Maturity
  Chapter Overview
  Chapter Takeaways
  11.1 Maturity Models for Security and Resilience
  11.2 Software Assurance Maturity Model—OpenSAMM
    11.2.1 OpenSAMM Business Functions
    11.2.2 Core Practice Areas
  11.3 Levels of Maturity
    11.3.1 Objective
    11.3.2 Activities
    11.3.3 Results
    11.3.4 Success Metrics
    11.3.5 Costs
    11.3.6 Personnel
    11.3.7 Related Levels
    11.3.8 Assurance
  11.4 Using OpenSAMM to Assess Maturity Levels
  11.5 The Building Security In Maturity Model (BSIMM)
  11.6 BSIMM Organization
  11.7 BSIMM Software Security Framework
    11.7.1 Governance
    11.7.2 Intelligence
    11.7.3 SSDL Touchpoints
    11.7.4 Deployment
  11.8 BSIMM’s 12 Practice Areas
  11.9 Measuring Results with BSIMM
  11.10 The BSIMM Community
  11.11 Conducting a BSIMM Assessment
  11.12 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 12: Frontiers for AppSec
  Chapter Overview
  Chapter Takeaways
  12.1 Internet of Things (IoT)
    12.1.1 The Industry Responds
    12.1.2 The Government Responds
  12.2 Blockchain
    12.2.1 Security Risks with Blockchain Implementations
    12.2.2 Securing the Chain
  12.3 Microservices and APIs
  12.4 Containers
    12.4.1 Container Security Issues
    12.4.2 NIST to the Rescue Again!
  12.5 Autonomous Vehicles
  12.6 Web Application Firewalls (WAFs)
  12.7 Machine Learning/Artificial Intelligence
  12.8 Big Data
    12.8.1 Vulnerability to Fake Data Generation
    12.8.2 Potential Presence of Untrusted Mappers
    12.8.3 Lack of Cryptographic Protection
    12.8.4 Possibility of Sensitive Information Mining
    12.8.5 Problems with Granularity of Access Controls
    12.8.6 Data Provenance Difficulties
    12.8.7 High Speed of NoSQL Databases’ Evolution and Lack of Security Focus
    12.8.8 Absent Security Audits
  12.9 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 13: AppSec Is a Marathon—Not a Sprint
  Chapter Overview
  Chapter Takeaways
  13.1 Hit the Road
  13.2 Getting Involved with OWASP
  13.3 Certified Secure Software Lifecycle Professional (CSSLP®)
    13.3.1 Why Obtain the CSSLP?
  13.4 Higher Education
  13.5 Conclusion
  Chapter Quick Check
  Exercises
  References

Appendix A: Security Acceptance Criteria
  Sample Acceptance Criteria for Seven Categories of Application Security Functions or Attributes

Appendix B: Resources for AppSec
  Training
  Cyber Ranges
  Requirements Management Tools
  Threat Modeling
  Static Code Scanners: Open Source
  Static Code Scanners: Commercial
  Dynamic Code Scanners: Open Source
  Dynamic Code Scanners: Commercial
  Maturity Models
  Software Composition Analysis
  IAST Tools
  API Security Testing
  Runtime Application Self-Protection (RASP)
  Web Application Firewalls (WAFs)
  Browser-centric Protection

Appendix C: Answers to Chapter Quick Check Questions

Glossary

Index