
DocScanner Apr 14, 2024 9-35 PM

Faculty of Engineering, OU, BE (CSE)
With effect from Academic Year 2023 - 24

Course Title: Secure Software Engineering
Core / Elective: Elective
(The remaining cells of the course table, including the course code and contact hours per week, are not legible in the scan apart from a final value of 3.)

Course Objectives
> To understand how the security aspects of software development are embedded into the system to be developed.
> Able to learn secure architecture design, secure coding, secure deployment and secure sol…

Course Outcomes
Upon successful completion of this course, the student will be able to:
> Explain why security is a software issue.
> Detail the principles and practices of secure software design.
> Describe the principles and practices of secure software coding and testing.
> Integrate biblical principles within the field of secure software engineering.

UNIT-I
Security a Software Issue: Introduction, The Problem, Software Assurance and Software Security, Threats to software security, Sources of software insecurity, Benefits of detecting software security defects early, Managing secure software development.
What Makes Software Secure: Defining Properties of secure software, Influencing the security properties of software, Asserting and specifying desired security properties.

UNIT-II
Requirements Engineering for Secure Software: Introduction, The SQUARE process, Requirements elicitation and prioritization.

UNIT-III
Secure Software Architecture and Design: Introduction, Software Security Practices for Architecture and Design: Architectural risk analysis, Software Security Knowledge for Architecture and Design: Security Principles, Security Guidelines, and Attack Patterns.
Secure Coding and Testing: Introduction, Code analysis, Coding Practices, Software Security Testing, Security Testing considerations throughout the SDLC.

UNIT-IV
Security and Complexity: System Assembly Challenges: Introduction, Security Failures, Functional and Attacker Perspectives for Security Analysis, System Complexity Drivers and Security, Deep Technical Problem Complexity.

UNIT-V
Governance and Managing for More Secure Software: Governance and security, Adopting an Enterprise Software Security Framework, How much security is enough?, Security and project management, Maturity of Practice.

Suggested Reading:
1. Julia H. Allen, Sean J. Barnum, Robert J. Ellison, Gary McGraw, Nancy R. Mead, "Software Security Engineering: A Guide for Project Managers", Addison-Wesley, 2008.
2. Anderson, "Security Engineering: A Guide to Building Dependable Distributed Systems", 2nd Edition, Wiley, 2008.
3. Howard, M. and LeBlanc, D., "Writing Secure Code", 2nd Edition, Microsoft Press, 2003.
4. Jason Grembi, "Developing Secure Software", First Edition, Cengage Learning, 2008.
5. Gary R. McGraw, "Software Security: Building Security", Addison-Wesley Software Security Edition, 2006.
6. Richard Sinn, "Software Security: Theory, Programming and Practice", First Edition, Cengage Learning, 2009.

Software Security Engineering
A Guide for Project Managers
Julia H. Allen, Sean Barnum, Robert J. Ellison, Gary McGraw, Nancy R. Mead
Addison-Wesley
Upper Saddle River, NJ • Boston • Indianapolis • San Francisco • New York • Toronto • Montreal • London • Munich • Paris • Madrid • Capetown • Sydney • Tokyo • Singapore • Mexico City

Contents

Foreword
Preface
About the Authors

Chapter 1: Why Is Security a Software Issue?
1.1 Introduction
1.2 The Problem
1.2.1 System Complexity: The Context within Which Software Lives
1.3 Software Assurance and Software Security
1.3.1 The Role of Processes and Practices in Software Security
1.4 Threats to Software Security
1.5 Sources of Software Insecurity
1.6 The Benefits of Detecting Software Security Defects Early
1.6.1 Making the Business Case for Software Security: Current State
1.7 Managing Secure Software Development
1.7.1 Which Security Strategy Questions Should I Ask?
1.7.2 A Risk Management Framework for Software Security
1.7.3 Software Security Practices in the Development Life Cycle
1.8 Summary

Chapter 2: What Makes Software Secure?
2.1 Introduction
2.2 Defining Properties of Secure Software
2.2.1 Core Properties of Secure Software
2.2.2 Influential Properties of Secure Software
2.3 How to Influence the Security Properties of Software
2.3.1 The Defensive Perspective
2.3.2 The Attacker's Perspective
2.4 How to Assert and Specify Desired Security Properties
2.4.1 Building a Security Assurance Case
2.4.2 A Security Assurance Case Example
2.4.3 Incorporating Assurance Cases into the SDLC
2.4.4 Related Security Assurance and Compliance
2.4.5 Maintaining and Benefitting from Assurance
2.5 Summary

Chapter 3: Requirements Engineering for Secure Software
3.1 Introduction
3.1.1 The Importance of Requirements Engineering
3.1.2 Quality Requirements
3.1.3 Security Requirements Engineering
3.2 Misuse and Abuse Cases
3.2.1 Security Is Not a Set of Features
3.2.2 Thinking About What You Can't Do
3.2.3 Creating Useful Misuse Cases
3.2.4 An Abuse Case Example
3.3 The SQUARE Process Model
3.3.1 A Brief Description of SQUARE
3.3.2 Tools
3.3.3 Expected Results
3.4 SQUARE Sample Outputs
3.4.1 Output from SQUARE Steps
3.4.2 SQUARE Final Results
3.5 Requirements Elicitation
3.5.1 Overview of Several Eli…
3.5.2 Elicitation Evaluation Criteria
3.6 Requirements Prioritization
3.6.1 Identify Candidate Prioritization Methods
3.6.2 Prioritization Technique Comparison
3.6.3 Recommendations for Requirements Prioritization
3.7 Summary

Chapter 4: Secure Software Architecture and Design
4.1 Introduction
4.1.1 The Critical Role of Architecture and Design
4.1.2 … and Challenges
4.2 Software Security Practices for Architecture and Design: Architectural Risk Analysis
4.2.1 Software Characterization
4.2.2 Threat Analysis
4.2.3 Architectural Vulnerability …
4.2.4 Risk Likelihood Determination
4.2.5 Risk Impact Determination
4.2.6 Risk Mitigation Planning
4.2.7 Recapping Architectural Risk Analysis
4.3 Software Security Knowledge for Architecture and Design: Security Principles, Security Guidelines, and Attack Patterns
4.3.1 Security Principles
4.3.2 Security Guidelines
4.3.3 Attack Patterns
4.4 Summary

Chapter 5: Considerations for Secure Coding and Testing
5.1 Introduction
5.2 Code Analysis
5.2.1 Common Software Code Vulnerabilities
5.2.2 Source Code Review
5.3 Coding Practices
5.3.1 Sources of Additional Information on Secure Coding
5.4 Software Security Testing
5.4.1 Contrasting Software Testing and Software Security Testing
5.4.2 Functional Testing
5.4.3 Risk-Based Testing
5.5 Security Testing Considerations Throughout the SDLC
5.5.1 Unit Testing
5.5.2 Testing Libraries and Executable Files
5.5.3 Integration Testing
5.5.4 System Testing
5.5.5 Sources of Additional Information on Software Security Testing
5.6 Summary

Chapter 6: Security and Complexity: System Assembly Challenges
6.1 Introduction
6.2 Security Failures
6.2.1 Categories of Errors
6.2.2 Attacker Behavior
6.3 Functional and Attacker Perspectives for Security Analysis: Two Examples
6.3.1 Web Services: Functional Perspective
6.3.2 Web Services: Attacker's Perspective
6.3.3 Identity Management: Functional Perspective
6.3.4 Identity Management: Attacker's Perspective
6.3.5 Identity Management and Software Development
6.4 System Complexity Drivers and Security
6.4.1 Wider Spectrum of Failures
6.4.2 Incremental and Evolutionary Development
6.4.3 Conflicting or Changing Goals Complexity
6.5 Deep Technical Problem Complexity
6.6 Summary

Chapter 7: Governance, and Managing for More Secure Software
7.1 Introduction
7.2 Governance and Security
7.2.1 Definitions of Security Governance
7.2.2 Characteristics of Effective Security Governance and Management
7.3 Adopting an Enterprise Software Security Framework
7.3.1 Common Pitfalls
7.3.2 Framing the Solution
7.3.3 Define a Roadmap
7.4 How Much Security Is Enough?
7.4.1 Defining Adequate Security
7.4.2 A Risk Management Framework for Software Security
7.5 Security and Project Management
7.5.1 Project Scope
7.5.2 Project Plan
7.5.3 Resources
7.5.4 Estimating the Nature and Duration of Required Resources
7.5.5 Project and Product Risks
7.5.6 Measuring Software Security
7.6 Maturity of Practice
7.6.1 Protecting Information
7.6.2 Audit's Role
7.6.3 Operational Resilience and Convergence
7.6.4 A Legal View
7.6.5 A Software Engineering View
7.6.6 Exemplars
7.7 Summary

Chapter 8: Getting Started
8.1 Where to Begin
8.2 In Closing

Glossary
References
Build Security In Web Site References
Index
