As a registered member of SearchSoftwareQuality.com, you're entitled to a complimentary copy of Chapter 3 of Software Security Engineering: A Guide for Project Managers written by Julia H. Allen, Sean Barnum, Robert J. Ellison, Gary McGraw and Nancy R. Mead and published by Addison-Wesley Professional. " Requirements Engineering for Secure Software" discusses systematic approaches to security requirements. These approaches take into account the perspective of the potential attacker, through which much greater security coverage is attained.
Software that is developed from the beginning with security in mind will resist, tolerate, and recover from attacks more effectively than would otherwise be possible. While there may be no silver bullet for security, there are practices that project managers will find beneficial. With this management guide, you can select from a number of sound practices likely to increase the security and dependability of your software, both during its development and subsequently in its operation.
Software Security Engineering draws extensively on the systematic approach developed for the Build Security In (BSI) website. Sponsored by the Department of Homeland Security Software Assurance Program, the BSI site offers a host of tools, guidelines, rules, principles, and other resources to help project managers address security issues in every phase of the software development lifecycle (SDLC). The book's expert authors, themselves frequent contributors to the BSI site, represent two well-known resources in the security world: the CERT Program at the Software Engineering Institute (SEI) and Cigital, Inc., a consulting firm specializing in software security.
This book will help you understand why:
- Software security is about more than just eliminating vulnerabilities and conducting penetration tests.
- Network security mechanisms and IT infrastructure security services do not sufficiently protect application software from security risks.
- Software security initiatives should follow a risk-management approach to identify priorities and to define what is "good enough" -- understanding that software security risks will change throughout the SDLC.
- Project managers and software engineers need to learn to think like an attacker in order to address the range of functions that software should not do, and how software can better resist, tolerate, and recover when under attack.
>> Buy the book
This chapter is excerpted from the book, Software Security Engineering: A Guide for Project Managers, authored by Julia H. Allen, Sean Barnum, Robert J. Ellison, Gary McGraw and Nancy R. Mead, published by Addison-Wesley Professional, May 2008. This book is part of both The SEI Series in Software Engineering and The Addison-Wesley Software Security Series. ISBN 9780321509178. For more information please visit SafariBooksOnline.com.
Dig Deeper on Building security into the SDLC (Software development life cycle)