Computing Reviews
Core software security : security at the source
Ransome J., Misra A., Auerbach Publications, Boston, MA, 2014. 416 pp. Type: Book (978-1-466560-95-6)
Date Reviewed: Jan 28 2015

There are many meanings of the term software security in computing, with each meaning depending on the point of view. Loosely speaking, in the process view of security, there are two essential complementary concepts: organizational security and operational security. In the product view, one can distinguish between security as a state and security as a property. This book looks at software security from the process perspective, emphasizing the life cycle for security, which it calls the security development lifecycle (SDL). It lists two goals for the SDL: reducing the number of vulnerabilities, and reducing the severity of the vulnerabilities that remain unremoved or undetected.

As one might expect, the book advocates “security by design,” and thus discusses security measures applied to the particular phases of the life cycle, roughly following the waterfall model. After a brief introduction and setting the scene in the first two chapters, the authors launch into a journey through five phases of development, addressed in the next five chapters. Phase A1 is named security assessment, which is a little misleading because it sounds like assessment is being done after the fact, while in reality it concerns specifications of security criteria, and is a part of the requirements specification. Phase A2, architecture, corresponds to the design phase, with the most important activity being threat modeling for architecture security analysis. This is the most extensive and probably the most important phase of SDL.

Phases A3 and A4, both named design and development, should probably be combined since the reasons for their separation are not clear. From my perspective, they clearly relate to the implementation phase, with code reviews and analyses. Phase A5, for reasons unclear to me, is called ship, and concerns security testing. It includes aspects such as vulnerability scan, penetration testing, and open-source licensing review.

What follows is a chapter on post-release support and two chapters on applications: one on applying the SDL framework and another on “pulling it all together,” both of which claim that they relate to the real world. These last chapters are definitely much less interesting than the core part of the book. They are full of very general statements, which don’t help much in building security into software. While the processes described by the authors in phases A1 through A5 make a lot of sense, supporting them in practice with specific techniques and tools is needed. The chapters on application fail to convince me that such processes can be effective.

Despite some criticisms, the book is worthwhile reading due to its coherent view of SDL. It may be useful as a guidebook for undergraduate college courses on software security, if supported by the extensive use of tools.


Reviewer:  Janusz Zalewski Review #: CR143122 (1505-0386)
Software Development (K.6.3 ... )
 
 
Security (K.6.m ... )
 
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®