Security-Driven Software Development: Learn to analyze and mitigate risks in your software projects

Cover
Title Page
Copyright
Dedication
Contributors
Table of Contents
Preface
Part 1: Modeling a Secure Application
Chapter 1: Security Principles
	What could go wrong?
	Principles
	Open Web Application Security Project
	NIST’s Secure Software Development Framework
	MITRE frameworks
	Software development lifecycles
	Microsoft’s Security Development Lifecycle
	Confidentiality, integrity, and availability
	Summary
	Self-assessment questions
	Answers
Chapter 2: Designing a Secure Functional Model
	Requirements gathering and specification
	Non-functional requirements and security
	Capturing scenarios
	Textual use cases and misuse cases
	Graphical use cases and misuse cases
		Graphical use case diagram
		Graphical misuse case diagram
	Example enterprise secure functional model
		Purchase of tickets via self-service
		Trying to purchase tickets beyond the patron limit
	Summary
	Self-assessment questions
	Answers
Chapter 3: Designing a Secure Object Model
	Identify objects and relationships
	Class diagrams
	Stereotypes
	Invariants
	Example of the enterprise secure object model
	Summary
	Self-assessment questions
	Answers
Chapter 4: Designing a Secure Dynamic Model
	Technical requirements
	Object behavior
	Modeling interactions between objects
		UML sequence diagrams
		UML activity diagrams
	Constraints
	Example of the enterprise secure dynamic model
	Summary
	Self-assessment questions
	Answers
Chapter 5: Designing a Secure System Model
	Partitions
	Modeling interactions between partitions
	UML component diagrams
	Patterns
	Example – developing an enterprise secure system model
	Summary
	Self-assessment questions
	Answers
Chapter 6: Threat Modeling
	Threat model overview
		The STRIDE threat model
		The DREAD threat model
	Attack trees
	Mitigations
	Microsoft Threat Modeling Tool
	Example of an enterprise threat model
	Summary
	Self-assessment questions
	Answers
Part 2: Mitigating Risks in Implementation
Chapter 7: Authentication and Authorization
	Authentication
	Authorization
	Security Models
	Single sign-on and open authorization
		Single sign-on (SSO)
		Open authorization (OAuth)
	Implementing SSO and OAuth with Google
	Example of enterprise implementation
	Summary
	Self-assessment questions
	Answers
Chapter 8: Input Validation and Sanitization
	Input validation
	Input sanitization
	Language-specific defenses
	Buffer overflows
	Example of the enterprise input validation and sanitization
	Summary
	Self-assessment questions
	Answers
Chapter 9: Standard Web Application Vulnerabilities
	Injection attacks
	Broken authentication and session management
	Request forgery
	Language-specific defenses
	Example of enterprise web defenses
	Summary
	Self-assessment questions
	Answers
Chapter 10: Database Security
	Overview of SQL
	SQL injection
	Maintaining database correctness
	Managing activity concurrency
	Language-specific defenses
	RBAC security in DBMS
	Encryption in DBMS
	An example of enterprise DB security
	Summary
	Self-assessment questions
	Answers
Part 3: Security Validation
Chapter 11: Unit Testing
	The principles of unit testing
	The advantages of unit testing
	Unit testing frameworks
	An example of enterprise threat model
		PHPUnit
		JUnit
		PyUnit
	Summary
	Self-assessment questions
	Answers
Chapter 12: Regression Testing
	Regression testing overview
		Key concepts
		Process
		Benefits
	Robotic process automation
		The intersection of RPA and regression testing
	Regression testing tools
	Load testing
		Integration and complementarity
	UI.Vision RPA
	Example of the enterprise regression tests
	Summary
	Self-assessment questions
	Answers
Chapter 13: Integration, System, and Acceptance Testing
	Types of integration tests
	Mocks
	Stubs
	Examples of enterprise integration testing
	System testing
	Acceptance testing
	Summary
	Self-assessment questions
	Answers
Chapter 14: Software Penetration Testing
	Types of tests
	Phases
	Tools
		Information gathering and reconnaissance
		Vulnerability analysis and exploitation
		Post-exploitation and privilege escalation
		Network sniffing
		Forensics and monitoring
		Reporting and documentation
	An example of an enterprise penetration test report
		High-level summary
		Host analysis
	Summary
	Self-assessment questions
	Answers
Index
About PACKT
Other Books You May Enjoy