0%

Designing Secure Software consolidates Loren Kohnfelder's more than twenty years of experience into a concise, elegant guide to improving the security of technology products. Written for a wide range of software professionals, it emphasizes building security into software design early and involving the entire team in the process.



The book begins with a discussion of core concepts like trust, threats, mitigation, secure design patterns, and cryptography. The second part, perhaps this book's most unique and important contribution to the field, covers the process of designing and reviewing a software design with security considerations in mind. The final section details the most common coding flaws that create vulnerabilities, making copious use of code snippets written in C and Python to illustrate implementation vulnerabilities.



You'll learn how to:



Identify important assets, the attack surface, and the trust boundaries in a system

Evaluate the effectiveness of various threat mitigation candidates

Work with well-known secure coding patterns and libraries

Understand and prevent vulnerabilities like XSS and CSRF, memory flaws, and more

Use security testing to proactively identify vulnerabilities introduced into code

Review a software design for security flaws effectively and without judgment

Table of Contents

  1. Title Page
  2. Copyright
  3. Dedication
  4. About the Author
  5. Foreword
  6. Preface
  7. Acknowledgments
  8. Introduction
    1. Who Should Read This Book?
    2. What Topics Does the Book Cover?
    3. Part I: Concepts
    4. Part II: Design
    5. Part III: Implementation
    6. Conclusion
    7. Appendices
    8. Good, Safe Fun
  9. Part I: Concepts
    1. Chapter 1: Foundations
    2. Understanding Security
    3. Trust
    4. Feeling Trust
    5. You Cannot See Bits
    6. Competence and Imperfection
    7. Trust Is a Spectrum
    8. Trust Decisions
    9. Implicitly Trusted Components
    10. Being Trustworthy
    11. Classic Principles
    12. Information Security’s C-I-A
    13. The Gold Standard
    14. Privacy
    15. Chapter 2: Threats
    16. The Adversarial Perspective
    17. The Four Questions
    18. Threat Modeling
    19. Work from a Model
    20. Identify Assets
    21. Identify Attack Surfaces
    22. Identify Trust Boundaries
    23. Identify Threats
    24. Mitigate Threats
    25. Privacy Considerations
    26. Threat Modeling Everywhere
    27. Chapter 3: Mitigation
    28. Addressing Threats
    29. Structural Mitigation Strategies
    30. Minimize Attack Surfaces
    31. Narrow Windows of Vulnerability
    32. Minimize Data Exposure
    33. Access Policy and Access Controls
    34. Interfaces
    35. Communication
    36. Storage
    37. Chapter 4: Patterns
    38. Design Attributes
    39. Economy of Design
    40. Transparent Design
    41. Exposure Minimization
    42. Least Privilege
    43. Least Information
    44. Secure by Default
    45. Allowlists over Blocklists
    46. Avoid Predictability
    47. Fail Securely
    48. Strong Enforcement
    49. Complete Mediation
    50. Least Common Mechanism
    51. Redundancy
    52. Defense in Depth
    53. Separation of Privilege
    54. Trust and Responsibility
    55. Reluctance to Trust
    56. Accept Security Responsibility
    57. Anti-Patterns
    58. Confused Deputy
    59. Backflow of Trust
    60. Third-Party Hooks
    61. Unpatchable Components
    62. Chapter 5: Cryptography
    63. Crypto Tools
    64. Random Numbers
    65. Pseudo-Random Numbers
    66. Cryptographically Secure Pseudo-Random Numbers
    67. Message Authentication Codes
    68. Using MACs to Prevent Tampering
    69. Replay Attacks
    70. Secure MAC Communications
    71. Symmetric Encryption
    72. One-Time Pad
    73. Advanced Encryption Standard
    74. Using Symmetric Cryptography
    75. Asymmetric Encryption
    76. The RSA Cryptosystem
    77. Digital Signatures
    78. Digital Certificates
    79. Key Exchange
    80. Using Crypto
  10. Part II: Design
    1. Chapter 6: Secure Design
    2. Integrating Security in Design
    3. Making Design Assumptions Explicit
    4. Defining the Scope
    5. Setting Security Requirements
    6. Threat Modeling
    7. Building in Mitigations
    8. Designing Interfaces
    9. Designing Data Handling
    10. Integrating Privacy into Design
    11. Planning for the Full Software Life Cycle
    12. Making Trade-offs
    13. Design Simplicity
    14. Chapter 7: Security Design Reviews
    15. SDR Logistics
    16. Why Conduct an SDR?
    17. When to Conduct an SDR
    18. Documentation Is Essential
    19. The SDR Process
    20. 1. Study
    21. 2. Inquire
    22. 3. Identify
    23. 4. Collaborate
    24. 5. Write
    25. 6. Follow Up
    26. Assessing Design Security
    27. Using the Four Questions as Guidance
    28. Where to Dig
    29. Privacy Reviews
    30. Reviewing Updates
    31. Managing Disagreement
    32. Communicate Tactfully
    33. Case Study: A Difficult Review
    34. Escalating Disagreements
    35. Practice, Practice, Practice
  11. Part III: Implementation
    1. Chapter 8: Secure Programming
    2. The Challenge
    3. Malicious Influence
    4. Vulnerabilities Are Bugs
    5. Vulnerability Chains
    6. Bugs and Entropy
    7. Vigilance
    8. Case Study: GotoFail
    9. One-Line Vulnerability
    10. Beware of Footguns
    11. Lessons from GotoFail
    12. Coding Vulnerabilities
    13. Atomicity
    14. Timing Attacks
    15. Serialization
    16. The Usual Suspects
    17. Chapter 9: Low-Level Coding Flaws
    18. Arithmetic Vulnerabilities
    19. Fixed-Width Integer Vulnerabilities
    20. Floating-Point Precision Vulnerabilities
    21. Example: Floating-Point Underflow
    22. Example: Integer Overflow
    23. Safe Arithmetic
    24. Memory Access Vulnerabilities
    25. Memory Management
    26. Buffer Overflow
    27. Example: Memory Allocation Vulnerabilities
    28. Case Study: Heartbleed
    29. Chapter 10: Untrusted Input
    30. Input Validation
    31. Determining Validity
    32. Validation Criteria
    33. Rejecting Invalid Input
    34. Correcting Invalid Input
    35. Character String Vulnerabilities
    36. Length Issues
    37. Unicode Issues
    38. Injection Vulnerabilities
    39. SQL Injection
    40. Path Traversal
    41. Regular Expressions
    42. Dangers of XML
    43. Mitigating Injection Attacks
    44. Chapter 11: Web Security
    45. Build on a Framework
    46. The Web Security Model
    47. The HTTP Protocol
    48. Digital Certificates and HTTPS
    49. The Same Origin Policy
    50. Web Cookies
    51. Common Web Vulnerabilities
    52. Cross-Site Scripting
    53. Cross-Site Request Forgery
    54. More Vulnerabilities and Mitigations
    55. Chapter 12: Security Testing
    56. What Is Security Testing?
    57. Security Testing the GotoFail Vulnerability
    58. Functional Testing
    59. Functional Testing with the Vulnerability
    60. Security Test Cases
    61. The Limits of Security Tests
    62. Writing Security Test Cases
    63. Testing Input Validation
    64. Testing for XSS Vulnerabilities
    65. Fuzz Testing
    66. Security Regression Tests
    67. Availability Testing
    68. Resource Consumption
    69. Threshold Testing
    70. Distributed Denial-of-Service Attacks
    71. Best Practices for Security Testing
    72. Test-Driven Development
    73. Leveraging Integration Testing
    74. Security Testing Catch-Up
    75. Chapter 13: Secure Development Best Practices
    76. Code Quality
    77. Code Hygiene
    78. Exception and Error Handling
    79. Documenting Security
    80. Security Code Reviews
    81. Dependencies
    82. Choosing Secure Components
    83. Securing Interfaces
    84. Don’t Reinvent Security Wheels
    85. Contending with Legacy Security
    86. Vulnerability Triage
    87. DREAD Assessments
    88. Crafting Working Exploits
    89. Making Triage Decisions
    90. Maintaining a Secure Development Environment
    91. Separating Development from Production
    92. Securing Development Tools
    93. Releasing the Product
  12. Afterword
    1. Call to Action
    2. Security Is Everyone’s Job
    3. Baking in Security
    4. Future Security
    5. Improving Software Quality
    6. Managing Complexity
    7. From Minimizing to Maximizing Transparency
    8. Improving Software Authenticity, Trust, and Responsibility
    9. Delivering the Last Mile
    10. Conclusion
  13. Appendix A: Sample Design Document
    1. Title – Private Data Logging Component Design Document
    2. Section 1 – Product Description
    3. Section 2 – Overview
    4. 2.1 Purpose
    5. 2.2 Scope
    6. 2.3 Concepts
    7. 2.4 Requirements
    8. 2.5 Non-Goals
    9. 2.6 Outstanding Issues
    10. 2.7 Alternative Designs
    11. Section 3 – Use Cases
    12. Section 4 – System Architecture
    13. Section 5 – Data Design
    14. Section 6 – API
    15. 6.1 Hello Request
    16. 6.2 Schema Definition Request
    17. 6.3 Event Log Request
    18. 6.4 Goodbye Request
    19. Section 7 – User Interface Design
    20. Section 8 – Technical Design
    21. Section 9 – Configuration
    22. Section 10 – References
  14. Appendix B: Glossary
  15. Appendix C: Exercises
  16. Appendix D: Cheat Sheets
  17. Index
18.209.230.60