Security

Software security is important, especially in distributed systems, to protect the integrity of the information stored and used by a software system. Questions about security requirements should be asked of the customers during requirements elicitation. The best practice for delivering a secure system to customers is to address security concerns up front and during all phases of development. Adding security features to an application after development of the main functionality is complete is difficult.
Author: Laurie Williams and Sarah Heckman
Maintained By: Sarah Heckman
Last Updated: 2008-08-15
Sub-modules
- Input Validation Vulnerabilities
- Access Control
- Audit/Logging; Repudiation
- Information Leakage
- Database Security
- Encryption
- Denial of Service
- Buffer Overflow
- Security and Usability
- Security Inspections
- Static Analysis for Security
- Architecture and Design Principles
- Security Testing
- Security Metrics
- Threat Modeling
- Security Requirements
- Building Security In Maturity Model (BSIMM)
- Protection Poker
- Obligations in Security Policies
Relevant Links
Westervelt: XSS bugs, information leakage top the list
Lectures
Williams: Introduction to Software Security
Williams: Secure Software Development Lifecycle
Williams: Risk Based Security Testing
Williams: Input Validation XSS
Gegick: Intro to Security Testing
Williams: Security Testing
Williams: Software Security
McGraw: Security Testing podcast
Sherriff, Mark: Database Security
Readings
Williams, Earp, Anton: Security Plan
Howard: SSDL at Microsoft
Sindre and Opdahl: Capturing Security Requirements through Misuse Cases
Thompson: Why Security Testing is Hard
Galvin: Unix Secure Programming FAQ
McGraw and Viega: Make your software behave: Assuring your software is secure
Viega and McGraw: Building secure software: Selecting technologies, Part 2
McGraw and Viega: Make your software behave: Learning the basics of buffer overflows
Viega and McGraw: Building secure software: Selecting technologies, Part 1
McGraw and Viega: Make your software behave: Preventing buffer overflows
McGraw and Viega: Make your software behave: Security by obscurity
Gilliam, Wolfe, Sherif, and Bishop: Software Security Checklist for the Software Life Cycle
McGraw and Viega: Software security principles: Part 5
McGraw and Viega: Software security principles: Part 4
Premkumar T. Devanbu and Stuart Stubblebine: Software Engineering for Security
McGraw and Viega: Making software behave
Sites
SANS: SANS Security
McGraw, Felten: Securing Java
Mitre: Common Weakness Enumeration
Dept. of Homeland Security: Build Security In
Gegick and Isakson: WARD
Tutorials
Meneely and Williams: Using HttpUnit for Security Testing
OWASP: WebScarab Getting Started
Altman: WebScarab Tutorial 1
Altman: WebScarab Tutorial 3 (Fuzzing)
Dawes: WebScarab Video Tutorial
Gegick: WARD