Table of Contents

Cover Page
Half-Title Page
Title Page
Copyright Page
Dedication
Table of Contents
Preface
  How This Book Is Organized

Chapter 1: Today’s Software Development Practices Shatter Old Security Practices
  Chapter Overview
  Chapter Takeaways
  1.1 Over the Waterfall
  1.2 What Is Agile?
  1.3 Shift Left!
  1.4 Principles First!
  1.5 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 2: Deconstructing Agile and Scrum
  Chapter Overview
  Chapter Takeaways
  2.1 The Goals of Agile and Scrum
  2.2 Agile/Scrum Terminology
  2.3 Agile/Scrum Roles
  2.4 Unwinding Sprint Loops
  2.5 Development and Operations Teams Get Married
  2.6 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 3: Learning Is FUNdamental!
  Chapter Overview
  Chapter Takeaways
  3.1 Education Provides Context, and Context Is Key
  3.2 Principles for Software Security Education
  3.3 Getting People’s Attention
  3.4 Awareness versus Education
  3.5 Moving into the Education Phase
  3.6 Strategies for Rolling Out Training
  3.7 Encouraging Training Engagement and Completion
  3.8 Measuring Success
  3.9 Keeping the Drumbeat Alive
  3.10 Create and Mature a Security Champion Network
  3.11 A Checklist for Establishing a Software Security Education, Training, and Awareness Program
  3.12 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 4: Product Backlog Development—Building Security In
  Chapter Overview
  Chapter Takeaways
  4.1 Functional versus Nonfunctional Requirements
  4.2 Testing NFRs
  4.3 Families of Nonfunctional Requirements
    4.3.1 Availability
  4.4 Capacity
  4.5 Efficiency
  4.6 Interoperability
  4.7 Manageability
    4.7.1 Cohesion
    4.7.2 Coupling
  4.8 Maintainability
  4.9 Performance
  4.10 Portability
  4.11 Privacy
  4.12 Recoverability
  4.13 Reliability
  4.14 Scalability
  4.15 Security
  4.16 Serviceability/Supportability
  4.17 Characteristics of Good Requirements
  4.18 Eliciting Nonfunctional Requirements
  4.19 NFRs as Acceptance Criteria and Definition of Done
  4.20 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 5: Secure Design Considerations
  Chapter Overview
  Chapter Takeaways
  5.1 Essential Concepts
  5.2 The Security Perimeter
  5.3 Attack Surface
    5.3.1 Mapping the Attack Surface
    5.3.2 Side Channel Attacks
  5.4 Application Security and Resilience Principles
    5.4.1 Practice 1: Apply Defense in Depth
    5.4.2 Practice 2: Use a Positive Security Model
    5.4.3 Practice 3: Fail Securely
    5.4.4 Practice 4: Run with Least Privilege
    5.4.5 Practice 5: Avoid Security by Obscurity
    5.4.6 Practice 6: Keep Security Simple
    5.4.7 Practice 7: Detect Intrusions
    5.4.8 Practice 8: Don’t Trust Infrastructure
    5.4.9 Practice 9: Don’t Trust Services
    5.4.10 Practice 10: Establish Secure Defaults
  5.5 Mapping Best Practices to Nonfunctional Requirements (NFRs) as Acceptance Criteria
  5.6 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 6: Security in the Design Sprint
  Chapter Overview
  Chapter Takeaways
  6.1 Design Phase Recommendations
  6.2 Modeling Misuse Cases
  6.3 Conduct Security Design and Architecture Reviews in Design Sprint
  6.4 Perform Threat and Application Risk Modeling
    6.4.1 Brainstorming Threats
  6.5 Risk Analysis and Assessment
    6.5.1 Damage Potential
    6.5.2 Reproducibility
    6.5.3 Exploitability
    6.5.4 Affected Users
    6.5.5 Discoverability
  6.6 Don’t Forget These Risks!
  6.7 Rules of Thumb for Defect Removal or Mitigation
  6.8 Further Needs for Information Assurance
  6.9 Countering Threats through Proactive Controls
  6.10 Architecture and Design Review Checklist
  6.11 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 7: Defensive Programming
  Chapter Overview
  Chapter Takeaways
  7.1 The Evolution of Attacks
  7.2 Threat and Vulnerability Taxonomies
    7.2.1 MITRE’s Common Weaknesses Enumeration (CWE)
    7.2.2 OWASP Top 10—2017
  7.3 Failure to Sanitize Inputs Is the Scourge of Software Development
  7.4 Input Validation and Handling
    7.4.1 Client-Side versus Server-Side Validation
    7.4.2 Input Sanitization
    7.4.3 Canonicalization
  7.5 Common Examples of Attacks Due to Improper Input Handling
    7.5.1 Buffer Overflow
    7.5.2 OS Commanding
  7.6 Best Practices in Validating Input Data
    7.6.1 Exact Match Validation
    7.6.2 Exact Match Validation Example
    7.6.3 Known Good Validation
    7.6.4 Known Bad Validation
    7.6.5 Handling Bad Input
  7.7 OWASP’s Secure Coding Practices
  7.8 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 8: Testing Part 1: Static Code Analysis
  Chapter Overview
  Chapter Takeaways
  8.1 Fixing Early versus Fixing Later
  8.2 Testing Phases
    8.2.1 Unit Testing
    8.2.2 Manual Source Code Reviews
    8.2.3 The Code Review Process
  8.3 Static Source Code Analysis
  8.4 Automated Reviews Compared with Manual Reviews
  8.5 Peeking Inside SAST Tools
  8.6 SAST Policies
  8.7 Using SAST in Development Sprints
  8.8 Software Composition Analysis (SCA)
  8.9 SAST is NOT for the Faint of Heart!
  8.10 Commercial and Free SAST Tools
  8.11 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 9: Testing Part 2: Penetration Testing/Dynamic Analysis/IAST/RASP
  Chapter Overview
  Chapter Takeaways
  9.1 Penetration (Pen) Testing
  9.2 Open Source Security Testing Methodology Manual (OSSTMM)
  9.3 OWASP’s ASVS
  9.4 Penetration Testing Tools
  9.5 Automated Pen Testing with Black Box Scanners
  9.6 Deployment Strategies
    9.6.1 Developer Testing
    9.6.2 Centralized Quality Assurance Testing
  9.7 Gray Box Testing
  9.8 Limitations and Constraints of Pen Testing
  9.9 Interactive Application Security Testing (IAST)
  9.10 Runtime Application Self-Protection (RASP)
  9.11 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 10: Securing DevOps
  Chapter Overview
  Chapter Takeaways
  10.1 Shifting Left All Around
    10.1.1 Changing the Business Culture
  10.2 The Three Ways That Make DevOps Work
  10.3 The Three Ways Applied to AppSec
  10.4 OWASP’s DevSecOps Maturity Model
  10.5 OWASP’s DevSecOps Studio
  10.6 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 11: Metrics and Models for AppSec Maturity
  Chapter Overview
  Chapter Takeaways
  11.1 Maturity Models for Security and Resilience
  11.2 Software Assurance Maturity Model—OpenSAMM
    11.2.1 OpenSAMM Business Functions
    11.2.2 Core Practice Areas
  11.3 Levels of Maturity
    11.3.1 Objective
    11.3.2 Activities
    11.3.3 Results
    11.3.4 Success Metrics
    11.3.5 Costs
    11.3.6 Personnel
    11.3.7 Related Levels
    11.3.8 Assurance
  11.4 Using OpenSAMM to Assess Maturity Levels
  11.5 The Building Security In Maturity Model (BSIMM)
  11.6 BSIMM Organization
  11.7 BSIMM Software Security Framework
    11.7.1 Governance
    11.7.2 Intelligence
    11.7.3 SSDL Touchpoints
    11.7.4 Deployment
  11.8 BSIMM’s 12 Practice Areas
  11.9 Measuring Results with BSIMM
  11.10 The BSIMM Community
  11.11 Conducting a BSIMM Assessment
  11.12 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 12: Frontiers for AppSec
  Chapter Overview
  Chapter Takeaways
  12.1 Internet of Things (IoT)
    12.1.1 The Industry Responds
    12.1.2 The Government Responds
  12.2 Blockchain
    12.2.1 Security Risks with Blockchain Implementations
    12.2.2 Securing the Chain
  12.3 Microservices and APIs
  12.4 Containers
    12.4.1 Container Security Issues
    12.4.2 NIST to the Rescue Again!
  12.5 Autonomous Vehicles
  12.6 Web Application Firewalls (WAFs)
  12.7 Machine Learning/Artificial Intelligence
  12.8 Big Data
    12.8.1 Vulnerability to Fake Data Generation
    12.8.2 Potential Presence of Untrusted Mappers
    12.8.3 Lack of Cryptographic Protection
    12.8.4 Possibility of Sensitive Information Mining
    12.8.5 Problems with Granularity of Access Controls
    12.8.6 Data Provenance Difficulties
    12.8.7 High Speed of NoSQL Databases’ Evolution and Lack of Security Focus
    12.8.8 Absent Security Audits
  12.9 Summary
  Chapter Quick Check
  Exercises
  References

Chapter 13: AppSec Is a Marathon—Not a Sprint
  Chapter Overview
  Chapter Takeaways
  13.1 Hit the Road
  13.2 Getting Involved with OWASP
  13.3 Certified Secure Software Lifecycle Professional (CSSLP®)
    13.3.1 Why Obtain the CSSLP?
  13.4 Higher Education
  13.5 Conclusion
  Chapter Quick Check
  Exercises
  References

Appendix A: Security Acceptance Criteria
  Sample Acceptance Criteria for Seven Categories of Application Security Functions or Attributes

Appendix B: Resources for AppSec
  Training
  Cyber Ranges
  Requirements Management Tools
  Threat Modeling
  Static Code Scanners: Open Source
  Static Code Scanners: Commercial
  Dynamic Code Scanners: Open Source
  Dynamic Code Scanners: Commercial
  Maturity Models
  Software Composition Analysis
  IAST Tools
  API Security Testing
  Runtime Application Self-Protection (RASP)
  Web Application Firewalls (WAFs)
  Browser-centric Protection

Appendix C: Answers to Chapter Quick Check Questions
Glossary
Index
Description

This textbook was written from the perspective of someone who began his software security career in 2005, long before the industry began focusing on it. This is an excellent perspective for students who want to learn about securing application development. After having made all the rookie mistakes, the author realized that software security is a human factors issue rather than a technical or process issue alone. Throwing technology into an environment that expects people to deal with it, but failing to prepare them technically and psychologically with the knowledge and skills needed, is a certain recipe for bad results.

Practical Security for Agile and DevOps is a collection of best practices and effective implementation recommendations that are proven to work. The text leaves the boring details of software security theory out of the discussion as much as possible to concentrate on practical applied software security that is useful to professionals. It is as much a book for students’ own benefit as it is for the benefit of their academic careers and organizations. Professionals who are skilled in secure and resilient software development and related tasks are in tremendous demand. This demand will increase exponentially for the foreseeable future. As students integrate the text’s best practices into their daily duties, their value increases to their companies, management, community, and industry.

The textbook was written for the following readers:

- Students in higher education programs in business or engineering disciplines
- AppSec architects and program managers in information security organizations
- Enterprise architecture teams with a focus on application development
- Scrum Teams, including:
  - Scrum Masters
  - Engineers/developers
  - Analysts
  - Architects
  - Testers
- DevOps teams
- Product owners and their management
- Project managers
- Application security auditors
- Agile coaches and trainers
- Instructors and trainers in academia and private organizations