Solid Application Security Frame ?

16 Jan

The Practical Software Security book will have five main sections *subject to change and a work in progress of course*. To recap the book is being aimed at pure developers (not security people) and aiming to be a single book developers and development teams need for their security knowledge. Those five main sections are:

  • Introduction
  • Security Concepts
  • Tools & Technologies
  • Building a Software Security Program
  • Engineering Scenarios

I want to syncronize the book so that the generic security advice in the security concepts section is then made specific in the tools & technologies section and then further builds with code level samples in the engineering scenarios section. For example in the “Security Concepts” section there is a sub-section on cryptography in which we describe the key concepts and types of cryptography, how those types of cryptography works and when certain types of cryptography can and should be used. In the “Tools & Technologies” and technologies section we will cover a security overview of major development frameworks such as Java, JavaScript and PHP in which I want help the developers know how to implement those cryptographic concepts described earlier in their scoped framework and describe important cryptographic libraries and what they support.

I would love to hear peoples opinions about the “security frame” I plan to use (see below). The frame will be used to tie together the sections of the book. I have been using this (or a variant of it) for many years and it has always worked for me. J.D.Meier used a similar one in Building Secure ASP.NET Applications (I was a reviewer of this back in 2006).

  • Cryptography
  • Authentication
  • User Management
  • Authorization
  • Configuration Management
  • Audit and Logging
  • Data Validation
  • Data Security (in transport & storage)
  • Session Management
  • Error Handling

Does it work for you?

Is it missing any sections?

Would you add any sections?

At the end of the day it is just a taxonomy and over the years doing things like OASIS WAS and similar projects, I have concluded that more important than the taxonomy is using any taxonomy consistently. No taxonomy will ever work for everyone, I just want to make sure this works for the majority. Please throw darts at this. Ask me where I would put x or y or z. If I don’t have a good answer I have a problem!

Cheers!

 

Mark

7 Responses to “Solid Application Security Frame ?”

  1. Andrew Yeomans January 16, 2012 at 11:00 pm #

    Architecture.
    In particular which of the components should be designed as generic services and which should be specific to your project.

    Reply
    • Anonymous January 17, 2012 at 8:20 am #

      Thanks Andrew, trust you are doing fine in London. Architecture is something we are grappling with how to slot in. It either warrants its own section or we need to figure out how to slot it into relevant individual sections. Bubbled higher on my TODO list so thanks!

      Reply
      • Andrew Yeomans January 17, 2012 at 11:07 pm #

        And to add the other bookend – Testing. In particular designing software testing with security in mind, e.g. fuzzing around boundary conditions.

      • Anonymous January 18, 2012 at 12:07 am #

        There will be lots of testing but in a different section of the book. There will be a section in Building A Software Security Program which will be organized by People, Process and Tools. In this well talk about test automation and cover the various tools. 

        ## Process ##
        ### Policies & Guidance (or manifestos) ###
        ### Agile & Friends ###
        ### Certifications for Systems ###
        ### Budgets ###
        ### Cyber-Insurance ###
        ### Security Requirements ###
        ### Design & Architecture ###
        ### DevOps ###
        ### Metrics & Measurement ###
        ### Sustaining Software ###
        ### Test Automation ###

        ### Tracking Vulnerabilities & Security Patches ###

        ## Tools ##
        ### A reference model for end to end tools ###

        ### Planning & Issue Management ###
        ### IDE ###
        ### Unit Testing ###
        ### Manual Code Review ###
        ### Functional Test Tools – Selenium & Friends ###

        ### Behavior Driven Development ###
        ### Static Code Analysis ###
        ### Dynamic Analysis ###
        ### Debuggers ###
        ### Continuous Integration & Deployment ###
        ### Defect Management ###

  2. Alvaro Picapau January 20, 2012 at 2:45 am #

    I miss output encoding here, if its included in Data validation then I suggest changing the name to something like “Input and output handling”

    Reply
  3. Dennis Groves February 28, 2012 at 2:21 pm #

    Key management. Where every you have Cryptography or Data Security – you have a key management problem. People are still hard coding secrets.

    Reply

Leave a comment