Secure Software Design Summary
Chapter 1 – Introduction
Discusses the critical importance of building software security into the development process. Emphasizes that software is foundational to modern infrastructure, and that defects introduced during coding are costly and often unfixable after release. The chapter differentiates between software security (built in during development) and application security (protection applied after release) and questions the conventional assumption that quality and security are the same thing. It sets the stage for the authors' SDL framework, grounded in people-centric best practices and metrics.

Chapter 2 – The Security Development Lifecycle (SDL)
Introduces the authors' tailored SDL, mapping best practices from models such as Microsoft SDL, NIST, ISO, and SAFECode into a cohesive reference framework. It outlines the need for measurable metrics, alignment across SDLC methodologies (waterfall, agile), and embedding least-privilege principles. This chapter presents how organizations can operationalize secure development in ways that scale.

Chapters 3 to 8: SDL Phases A1–A5 and PRSA

Chapter 3 – A1: Security Assessment
Focuses on early-stage assessment, including discovery sessions, risk identification, compliance scoping, and the initiation of threat modeling. Emphasizes setting up project plans, baseline control frameworks, and relevant metrics such as the number of findings and scope coverage. It introduces how to embed preventive and detective controls even before architecture begins.

Chapter 4 – A2: Architecture
Covers high-level architectural design, threat modeling (STRIDE, data flow diagrams), and defining architectural security controls. The chapter walks through threat ranking, selection of preventive and compensating controls, and artifacts such as security-enhanced architecture diagrams and remediation plans. Metrics may include coverage ratios and residual risk estimates.

Chapter 5 – A3: Design & Development
Describes detailed design and coding practices, integrating secure coding standards, least privilege, authentication/authorization controls, and input validation. Establishes security test planning, compliance-driven checklists, and regular review of threat model updates. Success metrics include tests versus design coverage and code complexity.

Chapter 6 – A4: Design & Development Testing
Describes execution of security testing, including static analysis, dynamic testing, fuzzing, manual code reviews, and penetration simulations. Introduces detective and corrective controls such as runtime logging, security issue triage, and defect remediation workflows. Key metrics: number of vulnerabilities found, time to remediation, and test coverage levels.

Chapter 7 – A5: Ship
Focuses on pre-release checkpoints, final vulnerability scans, penetration tests (including code-assisted tools), open source software license reviews, and final security/privacy sign-offs. Deliverables include secure-release documentation, defect closure reports, and gated approvals. Metrics focus on scan coverage, open defect counts, and compliance assurance.

Chapter 8 – PRSA: Post-Release Support
Covers post-deployment security, including PSIRT incident handling, security patches and disclosures, product updates, and third-party audits. Includes ongoing threat assessments, vulnerability disclosures, legacy system reviews, and tracking incident remediation and residual risk over time.

Chapter 9 – Adapting the Reference Framework
Explains how organizations can customize the SDL framework to their context, whether large enterprises or startups. Includes guidance on control set selection, scaling documentation, integrating with existing quality or compliance processes, and adjusting for resource constraints.

Chapter 10 – Pulling It All Together