Copyright

The SEI Series in Software Engineering

The Addison-Wesley Software Security Series

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

CMM, CMMI, Capability Maturity Model, Capability Maturity Modeling, Carnegie Mellon, CERT, and CERT Coordination Center are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

ATAM; Architecture Tradeoff Analysis Method; CMM Integration; COTS Usage-Risk Evaluation; CURE; EPIC; Evolutionary Process for Integrating COTS Based Systems; Framework for Software Product Line Practice; IDEAL; Interim Profile; OAR; OCTAVE; Operationally Critical Threat, Asset, and Vulnerability Evaluation; Options Analysis for Reengineering; Personal Software Process; PLTP; Product Line Technical Probe; PSP; SCAMPI; SCAMPI Lead Appraiser; SCAMPI Lead Assessor; SCE; SEI; SEPG; Team Software Process; and TSP are service marks of Carnegie Mellon University.

Special permission to reproduce portions of Build Security In, © 2005–2007 by Carnegie Mellon University, in this book is granted by the Software Engineering Institute.

Special permission to reproduce portions of Build Security In, © 2005–2007 by Cigital, Inc., in this book is granted by Cigital, Inc.

Special permission to reprint excerpts from the article “Software Quality at Top Speed,” © 1996 Steve McConnell, in this book is granted by Steve McConnell.

The authors and publisher have taken care in the preparation of this book, but make no express or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales, (800) 382-3419.

For sales outside the United States, please contact: International Sales.

Visit us on the Web: informit.com/aw

Library of Congress Cataloging-in-Publication Data

Software security engineering : a guide for project managers / Julia H. Allen ... [et al.].

p. cm.

Includes bibliographical references and index.

ISBN 978-0-321-50917-8 (pbk. : alk. paper)

1. Computer security. 2. Software engineering. 3. Computer networks—Security measures. I. Allen, Julia H.

QA76.9.A25S654 2008

005.8—dc22

2008007000

Copyright © 2008 Pearson Education, Inc.

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to: Pearson Education, Inc., Rights and Contracts Department, 501 Boylston Street, Suite 900, Boston, MA 02116, Fax: (617) 671-3447.

ISBN-13: 978-0-321-50917-8

Text printed in the United States on recycled paper at Courier in Stoughton, Massachusetts.

First printing, April 2008
