We discuss Gary McGraw's excellent book on the philosophy of software security and how it is present in all stages of the software development lifecycle. A must-read for software managers.
The most important thing is to find out what is the most important thing.
This quote, from the first line of the first chapter, captures the very essence of Gary McGraw's book "Software Security: Building Security In".
So, what is the most important thing for a software project manager? Is it to check and fix security when an application is ready to roll out? Or is it important to build security from the very first sketches of the application? The book answers these questions and explains in detail where to consider security in the whole software development lifecycle.
Whether the reader is a security professional or a software development manager, McGraw provides a powerful toolset for comprehensive coverage of security checks. These checks are not limited to penetration testing; they cover touchpoints such as requirements, architecture and code much earlier in the lifecycle. McGraw lucidly explains these checks without tying them to any specific technology or platform. His clarity of thinking and his easy language show the years of experience behind this book.
The book covers the following 'touchpoints' in the development cycle:
- Risk management frameworks and processes
- Code review using static analysis tools
- Architectural Risk Analysis
- Software Penetration Testing
- Risk-based Security Testing
- Abuse cases
Each section explains the methodology using detailed steps, simple process diagrams and lucid explanations. One important philosophy that McGraw covers is the marriage of software security and security operations. Traditionally, software development has been disjointed from information security management, and this needs to change. A case in point is use case development: McGraw recommends having security professionals and developers sit together in a room and brainstorm on how an attacker could penetrate an application, then create test cases to cover these attacks.
This book is rich in quality and content. The only disadvantage one could think of is that the reader needs some understanding of the software development process, and some experience, to start with. That background makes it easier to fit the knowledge imparted by the book into each stage of the development process, which an experienced manager should be able to do efficiently. On a scale of ten, we would give this book eight out of ten. Happy reading!