Network Security CISSP-Discussion

[CISSP-D] REVIEW: "Software Security: Building Security In", Gary McGraw

Subject: [CISSP-D] REVIEW: "Software Security: Building Security In", Gary McGraw
Date: Mon, 12 Jun 2006 11:54:22 -0800
BKSWSBSI.RVW   20060518

"Software Security: Building Security In", Gary McGraw, 2006,
0-321-35670-5, U$49.99/C$66.99
%A   Gary McGraw swsec.com www.buildingsecurityin.com gem@cigital.com
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2006
%G   0-321-35670-5
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$66.99 416-447-5101 800-822-6339 bkexpress@aw.com
%O   http://www.amazon.com/exec/obidos/ASIN/0321356705/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0321356705/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321356705/robsladesin03-20
%O   Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   408 p. + CD-ROM
%T   "Software Security: Building Security In"

The preface states that the audience for the book is comprised of
developers (particularly those interested in secure software),
security professionals (in places), managers (in places), and
academics (there are a couple of chapters that indicate where further
research might be useful).  McGraw also introduces the major
components of the book.  His "three pillars" are not the usual
confidentiality, integrity and availability, but risk management,
"touchpoints," and knowledge.  The touchpoints are code analysis, risk
analysis, penetration (vulnerability) testing, security tests, abuse
cases, security requirements, and security operations.

Part one outlines the basics of software security.  Chapter one
informs us that problems exist in software, and notes the differences
between bugs (due to careless implementation) and flaws (due to poor
design).  McGraw also suggests his three pillars as a means of
addressing the difficulty.  Using an example software project, chapter
two takes us through a risk management framework in some detail.

Part two examines the touchpoints.  Chapter three introduces them in a
diagram related to the steps in the software development process (they
are numbered, although in a seemingly random pattern which turns out
to be the suggested order of effectiveness).  (The latter half of the
chapter seems to be more of a sermon on software security.)  Source
code review tools (for finding bugs) are described in chapter four.
Chapter five starts off with traditional risk analysis definitions and
then extends the concept with details of the application of the
process to software design.  (Sidebars on software tools for program
risk analysis, and other related items, are dropped in seemingly at
random.  The information is valuable, but the reading flow is somewhat
disjointed.)  Penetration testing of software sounds like a good idea,
but chapter six doesn't really define what the topic involves.  (The
sidebar on tools is a case in point: the tools are listed and
recommended, but the descriptions don't say what they actually do.)
Risk-based security testing seems, by the end of chapter seven, to be
a special case of spanning tree analysis, but along the way a number
of the other touchpoints seem to overlap with it.  "Abuse cases" is
the application of known common vulnerabilities and attacks
(perpetrated on systems similar to yours), and analysis of means of
protection while still in the design phase.  Chapter eight provides a
handy list of such attacks (if you are building a Web application).
"Security operations," in chapter nine, appears to be a discussion of
how software developers and security professionals should relate to
each other.  (Touchpoint six, "security requirements," is not
covered.)

Part three covers additional topics.  Chapter ten outlines advice for
a software security program in a large company.  "Knowledge for
software security," in chapter eleven, is mostly an overview of
material already covered, but does include some additional tools.
Chapter twelve is a taxonomy of coding errors, which should be
valuable both for those working on analysis of their own program
security, and also researchers in the field.

One fairly consistent weakness is that the book seems to assume that
all software applications are network-based, and that all software
problems result from malicious attacks.  While Web-based applications
are definitely of great importance, and also subject to a larger range
of difficulties, this does limit the application of some of the
material of the text in regard to standalone programs where the major
concern is integrity of data, prevention of errors, and reliability of
operation.

The writing and structure could use some work: in many situations it
is not easy to follow the thread of McGraw's argument.  However, there
is no denying the value of having all these ideas about software
security brought together in one volume.  There is a great deal of
useful and interesting material here, and, with commitment from the
reader, much that will be helpful in building more robust and reliable
software.

copyright Robert M. Slade, 2006   BKSWSBSI.RVW   20060518


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
"Dictionary of Information Security" Syngress (forthcoming) 1597491152
When I consider how my days are spent, squatting like a toad in
this fetid little cell, waiting for that challenging moment every
half hour to say `CBL Toronto,' I'm engulfed in black clouds of
despair.                                              - Allan McFee
http://victoria.tc.ca/techrev/rms.htm

