Secure and Resilient Software: Requirements, Test Cases, and Testing Methods. Mark S. Merkow and Lakshmikanth Raghavan. CRC Press




SECURE and RESILIENT SOFTWARE
Requirements, Test Cases, and Testing Methods
Mark S. Merkow and Lakshmikanth Raghavan
CRC Press, Taylor & Francis Group, Boca Raton London New York
CRC Press is an imprint of the Taylor & Francis Group, an Informa business
AN AUERBACH BOOK

Contents

Preface xi
  How This Book Is Organized xii
  What's On the CD? xv
About the Authors xvii
Acknowledgements xvii
  From Mark Merkow xviii
  From Laksh Raghavan xix

Chapter 1 Introduction 1
  1.1 Secure and Resilient 1
  1.2 Bad Design Choices Led to the Vulnerable Internet We Know Today 2
  1.3 HTTP Has Its Problems, Too 4
  1.4 Design Errors Continue Haunting Us Today 6
  1.5 Requirements & Design: The Keys to a Successful Project 7
  1.6 How Design Flaws Play Out 10
    1.6.1 DNS Vulnerability 10
    1.6.2 The London Stock Exchange 10
    1.6.3 Medical Equipment 11
    1.6.4 Airbus A380 12
  1.7 Solutions Are In Sight! 12
  1.8 Notes 13

Chapter 2 Nonfunctional Requirements (NFRs) in Context 15
  2.1 System Quality Requirements Engineering (SQUARE) 15
    2.1.1 Agree on Definitions 16
    2.1.2 Identify Assets and Security/Quality Goals 17
    2.1.3 Perform Risk Assessments 17
    2.1.4 Elicit Security Requirements 18
    2.1.5 Prioritize Requirements 20
  2.2 Characteristics of Good Requirements 21
  2.3 Summary 22
  2.4 Notes 23

Chapter 3 Resilience and Quality Considerations for Application Software and the Application Runtime Environment 25
  3.1 Relationships among Nonfunctional Requirements 26
  3.2 Considerations for Developing NFRs for Your Applications and Runtime Environment 26
  3.3 Checking Your Work 51
  3.4 Summary 52
  3.5 Notes 52

Chapter 4 Security Requirements for Application Software 55
  4.1 Security Control Types 55
  4.2 Think Like an Attacker 56
  4.3 Detailed Security Requirements 57
  4.4 Identification Requirements 57
  4.5 Authentication Requirements 61
  4.6 Authorization Requirements 71
  4.7 Security Auditing Requirements 79
  4.8 Confidentiality Requirements 85
  4.9 Integrity Requirements 91
  4.10 Availability Requirements 96
  4.11 Nonrepudiation Requirements 97
  4.12 Immunity Requirements 99
  4.13 Survivability Requirements 102
  4.14 Systems Maintenance Security Requirements 104
  4.15 Privacy Requirements 110
  4.16 Summary 134
  4.17 References 135

Chapter 5 Security Services for the Application Operating Environment 137
  5.1 The Open Group Architecture Framework (TOGAF) 138
  5.2 Standardizing Tools for an Enterprise Architecture 139
  5.3 Security Technical Reference Model (TRM) 140
    5.3.1 Identification and Authentication 141
    5.3.2 System Entry Control 141
    5.3.3 Audit 142
    5.3.4 Access Control 143
    5.3.5 Nonrepudiation 143
    5.3.6 Security Management 144
    5.3.7 Trusted Recovery 144
    5.3.8 Encryption 144
    5.3.9 Trusted Communications 145
  5.4 Summary 146
  5.5 References 146

Chapter 6 Software Design Considerations for Security and Resilience 147
  6.1 Design Issues 147
  6.2 Architecture and Design Considerations 150
  6.3 Special Security Design Considerations for Payment Applications on Mobile Communications Devices 154
  6.4 Designing for Integrity 155
  6.5 Architecture and Design Review Checklist 156
  6.6 Summary 165
  6.7 References 165

Chapter 7 Best Practices for Converting Requirements to Secure Software Designs 167
  7.1 Secure Design Approach 167
  7.2 Reusable Security APIs/Libraries 168
  7.3 Security Frameworks 168
  7.4 Establishing and Following Best Practices for Design 169
  7.5 Security Requirements 169
  7.6 Security Recommendations 170
  7.7 What's an Attack Surface? 171
  7.8 What Is Managed Code? 173
  7.9 Understanding Business Requirements for Security Design 175
  7.10 Summary 176
  7.11 References 176

Chapter 8 Security Test Cases 177
  8.1 Standardized Testing Policy 177
  8.2 Security Test Cases 178
    8.2.1 Test Cases for Identification Requirements 179
    8.2.2 Test Cases for Authentication Requirements 181
  8.3 Test Cases for Authorization Requirements 189
    8.3.1 Test Cases for Security Auditing Requirements 195
    8.3.2 Test Cases for Confidentiality Requirements 199
    8.3.3 Test Cases for Integrity Requirements 203
    8.3.4 Test Cases for Availability Requirements 206
    8.3.5 Test Cases for Nonrepudiation Requirements 207
    8.3.6 Test Cases for Immunity Requirements 209
    8.3.7 Test Cases for Survivability Requirements 210
    8.3.8 Test Cases for Systems Maintenance Security Requirements 212
  8.4 Summary 215

Chapter 9 Testing Methods and Best Practices 217
  9.1 Secure Testing Approach 217
  9.2 OWASP's Application Security Verification Standard (ASVS) 217
    9.2.1 Application Security Verification Levels 219
    9.2.2 Level 1 Automated Verification 220
    9.2.3 Level 2 Manual Verification 220
    9.2.4 Level 3 Design Verification 221
    9.2.5 Level 4 Internal Verification 222
    9.2.6 Security Testing Methods 224
  9.3 Manual Source Code Review 224
  9.4 Automated Source Code Analysis 225
    9.4.1 Automated Reviews Compared with Manual Reviews 226
    9.4.2 Automated Source Code Analysis Tools Deployment Strategy 226
    9.4.3 IDE Integration for Developers 227
    9.4.4 Build Integration for Governance 227
    9.4.5 Automated Dynamic Analysis 228
    9.4.6 Limitations of Automated Dynamic Analysis Tools 229
    9.4.7 Automated Dynamic Analysis Tools Deployment Strategy 229
    9.4.8 Developer Testing 230
    9.4.9 Centralized Quality Assurance Testing 230
  9.5 Penetration (Pen) Testing 231
    9.5.1 Gray Box Testing 232
  9.6 Summary 232
  9.7 References 232

Chapter 10 Connecting the Moving Parts 235
  10.1 OpenSAMM 236
  10.2 Security Requirements 238
    10.2.1 Security Requirements: Level 1 239
    10.2.2 Security Requirements: Level 2 241
    10.2.3 Security Requirements: Level 3 242
  10.3 Security Testing 243
    10.3.1 Security Testing: Level 1 245
    10.3.2 Security Testing: Level 2 246
    10.3.3 Security Testing: Level 3 247
  10.4 Wrap-Up 249
  10.5 References 249

Index 251