Testing Code Security, 1st Edition, by Maura A. Van Der Linden

Product details:
ISBN 10: 0849392519
ISBN 13: 9780849392511
Author: Maura A Van Der Linden
Testing Code Security, 1st Edition: Table of Contents
1. Introduction
- Why Is This Book Being Written?
- Why Am I Writing This Book
- Goals of This Book
- Intended Audience
- How This Book Is Organized
2. Security Vocabulary
- Virus or Attack Naming
- Security Terminology
3. Software Testing and Changes in the Security Landscape
- Software Testing as a Discipline
- Security Has Become More of a Priority
- The Number of Computers Has Increased
- The Use of the Internet Has Increased
- More Activities Are Performed Online
- Security Efforts Have Become More Visible
- Introduction of the Trustworthy Computing Security Development Lifecycle
- The Enormous Costs of Security Exploits Recognized
- In-House Software Is No Longer Immune
- Perimeter Security Just Isn’t Enough
- Bibliography
4. All Trust Is Misplaced
5. Security Testing Considerations
- Security Testing Versus Functional Testing
- Change Your Focus
- All Consumers Are Not Customers
- The Intent of Security Testing Versus Functional Testing
- “Positive” Versus “Negative” Testing
- Test Overlap and Streamlining
- Changing Your Prioritizations
- Code Maturity
- Code Complexity
- Code Coverage
- Discovery of Software Vulnerabilities
- Accidental Discovery
- Insider Information
- Deliberate Search Efforts
- Assume Attackers Know Everything You Do
- Source Code Compromise Is Common
- Tools Are Readily Available
- Secrecy Is Not Security
- Vulnerabilities Are Quickly Exploited
- Social Engineering Works All Over
- Know Your Attackers
  - What?
  - Why?
  - Who?
- Create a Matrix
- Exploiting Software Vulnerabilities
  - Trojan
  - Trojan Horse Virus
  - Virus
  - Boot Sector Viruses
  - Master Boot Record (MBR) Viruses
  - File Infector Viruses
  - Macro Viruses
  - Multi-Partite Virus
  - Worm
  - Logic Bomb
- The Role of Social Engineering
- Active Attacks
- Passive Attacks
- Phishing
- Urban Legends
- Nigerian (419) Scams
- Lost in the Cracks
- Common Security Hindering Phrases
- Software Development Life Cycle Versus Security-Testing Life Cycle
- The Generally Accepted Software Development Life Cycle
  - Requirements Phase
  - Design Phase
  - Implementation Phase
  - Verification Phase
  - Release Phase
  - Support Phase
- The Trustworthy Computing Security Development Lifecycle (SDL)
  - Secure by Design
  - Secure by Default
  - Secure in Deployment
  - Communications
  - Requirements Phase
  - Design Phase
  - Implementation Phase
  - Verification Phase
  - Release Phase
  - Support and Servicing
- Extreme Programming and Security Testing
- Black-Box Versus White-Box Security Testing
- Many Attacks Require Little Coding
- Security Testing Is a Part of All Testing Efforts
- The Differences Between Black-Box and White-Box Security Testing
- Guard Your Own Gates
- Reliance Solely on Outside Protection Is False Security
- Your Application Must Defend Itself
- Don’t Let Your Application Be the Achilles’ Heel
- Mitigation of Damages Must Be Considered
- There Is No Perfect Security
- The Role of Security Testing
  - What Developers Want
  - What Program Managers Want
  - What Management Wants
  - What Testers Want
- Effectively Presenting Security Issues
- Carefully Evaluate All Factors
  - Risk
  - Cost to Fix
  - Cost if Exploited
  - Trickle-Down Effect to Dependents
  - Trickle-Up Effect to Dependencies
- Think Outside the Box
- Possible Solutions
- Possible Mitigations
- Pick Your Battles but Continue the War
- Make Bug Reports Accurate
- Include Appropriate Information
- If You Don’t Agree with the Decision
- Don’t Fight Every Decision
- Foster a Security-Conscious Environment
- Be Persistent
- Share Knowledge
- Advertise Success and Failure
- Bibliography
6. Threat Modeling and Risk Assessment Processes
- Threat Modeling Terms
  - Assets
  - Attack Path
  - Condition
  - Entry Points
  - External Dependency
  - Exit Points
  - Risk
  - System
  - Threat
  - Threat Model
  - Threat Profile
  - Trust Levels
  - Use Scenario
  - Vulnerability
- Initial Modeling Of Threats
  - Document Entry and Exit Points
  - Document Assets
  - Document Trust Levels
  - Document Use Cases and Use Scenarios
  - Document External Dependencies
  - Document External Security Notes
  - Document Internal Security Notes
  - Model the Application
  - Create Threat Profile
  - Create Attack Hypotheses
  - Classify Threats
  - Analyze Threats to Determine Vulnerabilities
  - Prioritize Vulnerabilities
  - Mitigate Vulnerabilities
  - Update Threat Model
- Pitfalls of Threat Modeling
- Blindness to Interactions with Downstream Dependents
- Threat Model Tunnel Vision
- Failing to Track Dependency Changes
- All Copies of Data Aren’t Addressed as Assets
- Temporary Files
- Database Backups
- Log Files
- Copies of Production Data Outside Production
- Failover Data
- Who Has Access or Control
- Physical Disks or Devices
- Security Becomes Single Layered — No Defense in Depth
- Vulnerabilities with Lower Priorities Are Ignored
- Modeling Becomes a Time Sink
- Forgetting Physical Access
- Forgetting the Registry
- Threat Trees
  - Attack Path
- DREAD
  - Damage Potential
  - Reproducibility
  - Exploitability
  - Affected Users
  - Discoverability
- STRIDE
  - Spoofing Identity
  - Tampering with Data
  - Repudiation
  - Information Disclosure
  - Denial of Service
  - Elevation of Privilege
- MERIT
  - Insider Threat Study Items of Note
  - Analysis
  - Attacker Behavioral Aspects
  - Access Path Control Aspects
  - Attacker Technical Aspects
  - Defense Aspects
- OCTAVE and OCTAVE-S
  - Phase 1 — Build Asset-Based Threat Profiles
  - Phase 2 — Identify Infrastructure Vulnerabilities
  - Phase 3 — Develop Security Strategy and Plans
- Bibliography
7. Personas and Testing
- Creating Personas
- Using Personas
- Pitfalls of Personas
  - Persona Tunnel Vision
  - Personas Are Customers, Not Consumers or Attackers
  - Persona Flaws
  - Security Personas
- Bibliography
8. Security Test Planning
- Overview of the Process
- Start Drafting Your Test Documents
  - Test Plan
  - Test Case Outline/Test Case Documentation
- Dissect the System
- Separate the System into Security Areas
  - Incoming Information
  - Outgoing Information
  - Dependencies
  - Interactions/Interoperability
- Gather Information
  - Look At Existing Product Bugs and Known Security Issues
  - Your Own System
  - Competitive Systems
  - Systems You Interface or Interact With
  - Review System Specifications
- Begin as Early as Possible
- Always Question Security Concerns
- Review Existing Test Plans and Cases
- Review Existing Test Automation
- Develop Security Cases
  - Known Vulnerabilities
  - Your System
  - Other Known Vulnerabilities
  - Unknown Vulnerabilities
- Prioritize Tests
  - Use Threat Modeling/Risk Assessment Charts
  - Use Personal Experience Data
  - Talk to the Developers for Special Concerns
- Develop a Test Plan of Attack
  - Using “Normal” or “By Design” Test Methods
  - Using Commercial Tools
  - Using Custom Tools
  - Don’t Forget Validation Tools
- Remember the Downsides
- Untestable Code Is Unshippable Code
- Draft a Schedule
- Review the Plan and Test Cases
  - Review with Other Disciplines
  - Review with Other Testers
  - Share the Plan with Others
- Run Test Passes
- Postmortem the Results