Software Security Engineering: A Guide for Project Managers -- Chapter 3, Requirements Engineering f

Julia H. Allen, Sean Barnum, Robert J. Ellison, Gary McGraw and Nancy R. Mead

As a registered member of SearchSoftwareQuality.com, you're entitled to a complimentary copy of Chapter 3 of Software Security Engineering: A Guide for Project Managers written by Julia H. Allen, Sean Barnum, Robert J. Ellison, Gary McGraw and Nancy R. Mead and published by Addison-Wesley Professional. "

Requires Free Membership to View

Requirements Engineering for Secure Software" discusses systematic approaches to security requirements. These approaches take into account the perspective of the potential attacker, through which much greater security coverage is attained.

Book description:

Software that is developed from the beginning with security in mind will resist, tolerate, and recover from attacks more effectively than would otherwise be possible. While there may be no silver bullet for security, there are practices that project managers will find beneficial. With this management guide, you can select from a number of sound practices likely to increase the security and dependability of your software, both during its development and subsequently in its operation.

Software Security Engineering draws extensively on the systematic approach developed for the Build Security In (BSI) website. Sponsored by the Department of Homeland Security Software Assurance Program, the BSI site offers a host of tools, guidelines, rules, principles, and other resources to help project managers address security issues in every phase of the software development lifecycle (SDLC). The book's expert authors, themselves frequent contributors to the BSI site, represent two well-known resources in the security world: the CERT Program at the Software Engineering Institute (SEI) and Cigital, Inc., a consulting firm specializing in software security.

This book will help you understand why:

  • Software security is about more than just eliminating vulnerabilities and conducting penetration tests.

  • Network security mechanisms and IT infrastructure security services do not sufficiently protect application software from security risks.

  • Software security initiatives should follow a risk-management approach to identify priorities and to define what is "good enough" -- understanding that software security risks will change throughout the SDLC.

  • Project managers and software engineers need to learn to think like an attacker in order to address the range of functions that software should not do, and how software can better resist, tolerate, and recover when under attack.

>> Read Chapter 3: Requirements Engineering for Secure Software.

>> Buy the book

This chapter is excerpted from the book, Software Security Engineering: A Guide for Project Managers, authored by Julia H. Allen, Sean Barnum, Robert J. Ellison, Gary McGraw and Nancy R. Mead, published by Addison-Wesley Professional, May 2008. This book is part of both The SEI Series in Software Engineering and The Addison-Wesley Software Security Series. ISBN 9780321509178. For more information please visit SafariBooksOnline.com.

This was first published in May 2008

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.