April 13, 2006

Book Review: Software Security - Building Security In

I'm jealous. No seriously. If Cigital is actually run as depicted in the book Software Security - Building Security In, I have to give kudos to Gary and the gang for making an impressive environment for software security.

I'm a fan of Gary's writing. If you are a regular reader, you know I loved both his books on Building Secure Software and Exploiting Software. This latest book is, in my mind at least, a balancing act between the two previous books on the topic. Gary calls it the "Yin and Yang", which makes total sense, since the book cover is of exactly that: a white hat and a black hat (taken from the other two books), positioned in the Chinese yin/yang symbol.

I always thought that my favorite book on software security would be "Writing Secure Code" by Michael Howard. I really liked how it was presented, and it offered security software engineering best practices that I felt could be passed on to others on teams that I worked with. But now, Gary has given me a new book to put in my arsenal of knowledge. Not a practical coding book on the topic like I felt I got from Michael's writing, but a book that I feel managers of that process can use to build better software security processes and systems in a team.

The book touches on a number of critical components for software security:

  • Risk management frameworks and processes
  • Code review using static analysis tools
  • Architectural risk analysis
  • Penetration testing
  • Security testing
  • Abuse case development

I have to admit, it was somewhat of a battle in the first section of the book, as it was rather dry. The content itself was good and required information to round out this book, but just how do you jazz up discussing risk management frameworks? When Gary sent me the book he followed up with an email warning me about that... but by that time I had already trudged through it. The good news is, it's a small pain... as the content gets more exciting as you progress. And to be fair, anyone who is going to manage the software security process in an organization will find they learn something in that section. So nothing is really lost there.

By the time you get into part two of the book focused on what Gary calls "The 7 Touchpoints of Software Security", you know why he is well respected in our field. He knows what he is talking about. The 7 touchpoints?

  1. Code review
  2. Architectural risk analysis
  3. Penetration testing
  4. Risk-based security tests
  5. Abuse cases
  6. Security requirements
  7. Security operations

You know... all the exciting stuff!! By the time you get through the 7 touchpoints, if you don't "get it" by then, there is little hope for you. The interesting point here is that each touchpoint is really in a lifecycle, VERY similar to the security development lifecycle Michael has been presenting on behalf of Microsoft for the last few years. I think they both have it figured out, but tainted towards their own company's objectives.

My thoughts on the book? A lot of content in this book isn't for the regular coding geek that needs to learn about software security. Get Gary's other books for that. But if you are the project manager of the team that the aforementioned geek works on, or are responsible for software security in your organization, get this book. If you have the responsibility and authority to set the direction and process in your environment, you will find this book useful. Near the front of the book there is a section in which reviewers comment on their thoughts about the book. I think Bruce Schneier said it best:

When it comes to software security, the devil is in the details. This book tackled the details.

I couldn't have said it better myself. Actually, I won't even try.

Great book. Worth recommending to anyone in the software security field. 4 out of 5 stars.

Posted by SilverStr at April 13, 2006 08:53 AM

I got a two chapter teaser copy at RSA 2006 and finally got around to reading it. The book is now on order and I'm looking forward to reading the rest of it.

Posted by: Rick Davenport at April 13, 2006 11:02 AM