The Practical Software Security book will have five main sections *subject to change and a work in progress of course*. To recap the book is being aimed at pure developers (not security people) and aiming to be a single book developers and development teams need for their security knowledge. Those five main sections are:
- Introduction
- Security Concepts
- Tools & Technologies
- Building a Software Security Program
- Engineering Scenarios
I want to syncronize the book so that the generic security advice in the security concepts section is then made specific in the tools & technologies section and then further builds with code level samples in the engineering scenarios section. For example in the “Security Concepts” section there is a sub-section on cryptography in which we describe the key concepts and types of cryptography, how those types of cryptography works and when certain types of cryptography can and should be used. In the “Tools & Technologies” and technologies section we will cover a security overview of major development frameworks such as Java, JavaScript and PHP in which I want help the developers know how to implement those cryptographic concepts described earlier in their scoped framework and describe important cryptographic libraries and what they support.
I would love to hear peoples opinions about the “security frame” I plan to use (see below). The frame will be used to tie together the sections of the book. I have been using this (or a variant of it) for many years and it has always worked for me. J.D.Meier used a similar one in Building Secure ASP.NET Applications (I was a reviewer of this back in 2006).
- Cryptography
- Authentication
- User Management
- Authorization
- Configuration Management
- Audit and Logging
- Data Validation
- Data Security (in transport & storage)
- Session Management
- Error Handling
Does it work for you?
Is it missing any sections?
Would you add any sections?
At the end of the day it is just a taxonomy and over the years doing things like OASIS WAS and similar projects, I have concluded that more important than the taxonomy is using any taxonomy consistently. No taxonomy will ever work for everyone, I just want to make sure this works for the majority. Please throw darts at this. Ask me where I would put x or y or z. If I don’t have a good answer I have a problem!
Cheers!
Mark
Architecture.
In particular which of the components should be designed as generic services and which should be specific to your project.
Thanks Andrew, trust you are doing fine in London. Architecture is something we are grappling with how to slot in. It either warrants its own section or we need to figure out how to slot it into relevant individual sections. Bubbled higher on my TODO list so thanks!
And to add the other bookend – Testing. In particular designing software testing with security in mind, e.g. fuzzing around boundary conditions.
There will be lots of testing but in a different section of the book. There will be a section in Building A Software Security Program which will be organized by People, Process and Tools. In this well talk about test automation and cover the various tools.
## Process ##
### Policies & Guidance (or manifestos) ###
### Agile & Friends ###
### Certifications for Systems ###
### Budgets ###
### Cyber-Insurance ###
### Security Requirements ###
### Design & Architecture ###
### DevOps ###
### Metrics & Measurement ###
### Sustaining Software ###
### Test Automation ###
### Tracking Vulnerabilities & Security Patches ###
## Tools ##
### A reference model for end to end tools ###
### Planning & Issue Management ###
### IDE ###
### Unit Testing ###
### Manual Code Review ###
### Functional Test Tools – Selenium & Friends ###
### Behavior Driven Development ###
### Static Code Analysis ###
### Dynamic Analysis ###
### Debuggers ###
### Continuous Integration & Deployment ###
### Defect Management ###
I miss output encoding here, if its included in Data validation then I suggest changing the name to something like “Input and output handling”
yeah all in data validation.
Key management. Where every you have Cryptography or Data Security – you have a key management problem. People are still hard coding secrets.