Security in Development: The IBM Secure Engineering Framework
Security in Development: The IBM Secure Engineering Framework

Author: Warren Grunbok

Publisher: IBM Redbooks

Published: 2018-12-17

Total Pages: 32

ISBN-13: 0738457175

DOWNLOAD EBOOK

IBM® has long been recognized as a leading provider of hardware, software, and services that are of the highest quality, reliability, function, and integrity. IBM products and services are used around the world by people and organizations with mission-critical demands for high performance, high stress tolerance, high availability, and high security. As a testament to this long-standing attention at IBM, demonstration of this attention to security can be traced back to the Integrity Statement for IBM mainframe software, which was originally published in 1973: IBM's long-term commitment to System Integrity is unique in the industry, and forms the basis of MVS (now IBM z/OS) industry leadership in system security. IBM MVS (now IBM z/OS) is designed to help you protect your system, data, transactions, and applications from accidental or malicious modification. This is one of the many reasons IBM 360 (now IBM Z) remains the industry's premier data server for mission-critical workloads. This commitment continues to apply to IBM's mainframe systems and is reiterated at the Server RACF General User's Guide web page. The IT market transformed in 40-plus years, and so have product development and information security practices. The IBM commitment to continuously improving product security remains a constant differentiator for the company. In this IBM RedguideTM publication, we describe secure engineering practices for software products. We offer a description of an end-to-end approach to product development and delivery, with security considered. IBM is producing this IBM Redguide publication in the hope that interested parties (clients, other IT companies, academics, and others) can find these practices to be a useful example of the type of security practices that are increasingly a must-have for developing products and applications that run in the world's digital infrastructure. We also hope this publication can enrich our continued collaboration with others in the industry, standards bodies, government, and elsewhere, as we seek to learn and continuously refine our approach.

Security in Development
Security in Development

Author: Warren Grunbok

Publisher:

Published: 2018

Total Pages: 26

ISBN-13:

DOWNLOAD EBOOK

IBM® has long been recognized as a leading provider of hardware, software, and services that are of the highest quality, reliability, function, and integrity. IBM products and services are used around the world by people and organizations with mission-critical demands for high performance, high stress tolerance, high availability, and high security. As a testament to this long-standing attention at IBM, demonstration of this attention to security can be traced back to the Integrity Statement for IBM mainframe software, which was originally published in 1973: IBM's long-term commitment to System Integrity is unique in the industry, and forms the basis of MVS (now IBM z/OS) industry leadership in system security. IBM MVS (now IBM z/OS) is designed to help you protect your system, data, transactions, and applications from accidental or malicious modification. This is one of the many reasons IBM 360 (now IBM Z) remains the industry's premier data server for mission-critical workloads. This commitment continues to apply to IBM's mainframe systems and is reiterated at the Server RACF General User's Guide web page. The IT market transformed in 40-plus years, and so have product development and information security practices. The IBM commitment to continuously improving product security remains a constant differentiator for the company. In this IBM RedguideTM publication, we describe secure engineering practices for software products. We offer a description of an end-to-end approach to product development and delivery, with security considered. IBM is producing this IBM Redguide publication in the hope that interested parties (clients, other IT companies, academics, and others) can find these practices to be a useful example of the type of security practices that are increasingly a must-have for developing products and applications that run in the world's digital infrastructure. We also hope this publication can enrich our continued collaboration with others in the industry, standards bodies, government, and elsewhere, as we seek to learn and continuously refine our approach.

Software Security Engineering
Software Security Engineering

Author: Nancy R. Mead

Publisher: Addison-Wesley Professional

Published: 2004-04-21

Total Pages: 368

ISBN-13: 0132702452

DOWNLOAD EBOOK

Software Security Engineering draws extensively on the systematic approach developed for the Build Security In (BSI) Web site. Sponsored by the Department of Homeland Security Software Assurance Program, the BSI site offers a host of tools, guidelines, rules, principles, and other resources to help project managers address security issues in every phase of the software development life cycle (SDLC). The book’s expert authors, themselves frequent contributors to the BSI site, represent two well-known resources in the security world: the CERT Program at the Software Engineering Institute (SEI) and Cigital, Inc., a consulting firm specializing in software security. This book will help you understand why Software security is about more than just eliminating vulnerabilities and conducting penetration tests Network security mechanisms and IT infrastructure security services do not sufficiently protect application software from security risks Software security initiatives should follow a risk-management approach to identify priorities and to define what is “good enough”–understanding that software security risks will change throughout the SDLC Project managers and software engineers need to learn to think like an attacker in order to address the range of functions that software should not do, and how software can better resist, tolerate, and recover when under attack

Using the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security
Using the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security

Author: Axel Buecker

Publisher: IBM Redbooks

Published: 2014-02-06

Total Pages: 240

ISBN-13: 0738437891

DOWNLOAD EBOOK

Security is a major consideration in the way that business and information technology systems are designed, built, operated, and managed. The need to be able to integrate security into those systems and the discussions with business functions and operations exists more than ever. This IBM® Redbooks® publication explores concerns that characterize security requirements of, and threats to, business and information technology (IT) systems. This book identifies many business drivers that illustrate these concerns, including managing risk and cost, and compliance to business policies and external regulations. This book shows how these drivers can be translated into capabilities and security needs that can be represented in frameworks, such as the IBM Security Blueprint, to better enable enterprise security. To help organizations with their security challenges, IBM created a bridge to address the communication gap between the business and technical perspectives of security to enable simplification of thought and process. The IBM Security Framework can help you translate the business view, and the IBM Security Blueprint describes the technology landscape view. Together, they can help bring together the experiences that we gained from working with many clients to build a comprehensive view of security capabilities and needs. This book is intended to be a valuable resource for business leaders, security officers, and consultants who want to understand and implement enterprise security by considering a set of core security capabilities and services.

Cyber Security Engineering
Cyber Security Engineering

Author: Nancy R. Mead

Publisher: Addison-Wesley Professional

Published: 2016-11-07

Total Pages: 561

ISBN-13: 0134189876

DOWNLOAD EBOOK

Cyber Security Engineering is the definitive modern reference and tutorial on the full range of capabilities associated with modern cyber security engineering. Pioneering software assurance experts Dr. Nancy R. Mead and Dr. Carol C. Woody bring together comprehensive best practices for building software systems that exhibit superior operational security, and for considering security throughout your full system development and acquisition lifecycles. Drawing on their pioneering work at the Software Engineering Institute (SEI) and Carnegie Mellon University, Mead and Woody introduce seven core principles of software assurance, and show how to apply them coherently and systematically. Using these principles, they help you prioritize the wide range of possible security actions available to you, and justify the required investments. Cyber Security Engineering guides you through risk analysis, planning to manage secure software development, building organizational models, identifying required and missing competencies, and defining and structuring metrics. Mead and Woody address important topics, including the use of standards, engineering security requirements for acquiring COTS software, applying DevOps, analyzing malware to anticipate future vulnerabilities, and planning ongoing improvements. This book will be valuable to wide audiences of practitioners and managers with responsibility for systems, software, or quality engineering, reliability, security, acquisition, or operations. Whatever your role, it can help you reduce operational problems, eliminate excessive patching, and deliver software that is more resilient and secure.

Practical Core Software Security
Practical Core Software Security

Author: James F. Ransome

Publisher: CRC Press

Published: 2022-08-02

Total Pages: 309

ISBN-13: 1000725812

DOWNLOAD EBOOK

As long as humans write software, the key to successful software security is making the software development program process more efficient and effective. Although the approach of this textbook includes people, process, and technology approaches to software security, Practical Core Software Security: A Reference Framework stresses the people element of software security, which is still the most important part to manage as software is developed, controlled, and exploited by humans. The text outlines a step-by-step process for software security that is relevant to today’s technical, operational, business, and development environments. It focuses on what humans can do to control and manage a secure software development process using best practices and metrics. Although security issues will always exist, students learn how to maximize an organization’s ability to minimize vulnerabilities in software products before they are released or deployed by building security into the development process. The authors have worked with Fortune 500 companies and have often seen examples of the breakdown of security development lifecycle (SDL) practices. The text takes an experience-based approach to apply components of the best available SDL models in dealing with the problems described above. Software security best practices, an SDL model, and framework are presented in this book. Starting with an overview of the SDL, the text outlines a model for mapping SDL best practices to the software development life cycle (SDLC). It explains how to use this model to build and manage a mature SDL program. Exercises and an in-depth case study aid students in mastering the SDL model. Professionals skilled in secure software development and related tasks are in tremendous demand today. The industry continues to experience exponential demand that should continue to grow for the foreseeable future. This book can benefit professionals as much as students. As they integrate the book’s ideas into their software security practices, their value increases to their organizations, management teams, community, and industry.

Secure and Resilient Software Development
Secure and Resilient Software Development

Author: Mark S. Merkow

Publisher: CRC Press

Published: 2010-06-16

Total Pages: 295

ISBN-13: 1498759610

DOWNLOAD EBOOK

Although many software books highlight open problems in secure software development, few provide easily actionable, ground-level solutions. Breaking the mold, Secure and Resilient Software Development teaches you how to apply best practices and standards for consistent and secure software development. It details specific quality software developmen

Introduction to the New Mainframe: Security
Introduction to the New Mainframe: Security

Author: Rica Weller

Publisher: IBM Redbooks

Published: 2007-04-26

Total Pages: 550

ISBN-13: 0738489646

DOWNLOAD EBOOK

This book provides students of information systems with the background knowledge and skills necessary to begin using the basic security facilities of IBM System z. It enables a broad understanding of both the security principles and the hardware and software components needed to insure that the mainframe resources and environment are secure. It also explains how System z components interface with some non-System z components. A multi-user, multi-application, multi-task environment such as System z requires a different level of security than that typically encountered on a single-user platform. In addition, when a mainframe is connected in a network to other processors, a multi-layered approach to security is recommended. Students are assumed to have successfully completed introductory courses in computer system concepts. Although this course looks into all the operating systems on System z, the main focus is on IBM z/OS. Thus, it is strongly recommended that students have also completed an introductory course on z/OS. Others who will benefit from this course include experienced data processing professionals who have worked with non-mainframe-based platforms, as well as those who are familiar with some aspects of the mainframe environment or applications but want to learn more about the security and integrity facilities and advantages offered by the mainframe environment.

The Journey Continues: From Data Lake to Data-Driven Organization
The Journey Continues: From Data Lake to Data-Driven Organization

Author: Mandy Chessell

Publisher: IBM Redbooks

Published: 2018-02-19

Total Pages: 30

ISBN-13: 0738456667

DOWNLOAD EBOOK

This IBM RedguideTM publication looks back on the key decisions that made the data lake successful and looks forward to the future. It proposes that the metadata management and governance approaches developed for the data lake can be adopted more broadly to increase the value that an organization gets from its data. Delivering this broader vision, however, requires a new generation of data catalogs and governance tools built on open standards that are adopted by a multi-vendor ecosystem of data platforms and tools. Work is already underway to define and deliver this capability, and there are multiple ways to engage. This guide covers the reasons why this new capability is critical for modern businesses and how you can get value from it.

Designing Secure Software
Designing Secure Software

Author: Loren Kohnfelder

Publisher: No Starch Press

Published: 2021-12-21

Total Pages: 330

ISBN-13: 1718501935

DOWNLOAD EBOOK

What every software professional should know about security. Designing Secure Software consolidates Loren Kohnfelder’s more than twenty years of experience into a concise, elegant guide to improving the security of technology products. Written for a wide range of software professionals, it emphasizes building security into software design early and involving the entire team in the process. The book begins with a discussion of core concepts like trust, threats, mitigation, secure design patterns, and cryptography. The second part, perhaps this book’s most unique and important contribution to the field, covers the process of designing and reviewing a software design with security considerations in mind. The final section details the most common coding flaws that create vulnerabilities, making copious use of code snippets written in C and Python to illustrate implementation vulnerabilities. You’ll learn how to: • Identify important assets, the attack surface, and the trust boundaries in a system • Evaluate the effectiveness of various threat mitigation candidates • Work with well-known secure coding patterns and libraries • Understand and prevent vulnerabilities like XSS and CSRF, memory flaws, and more • Use security testing to proactively identify vulnerabilities introduced into code • Review a software design for security flaws effectively and without judgment Kohnfelder’s career, spanning decades at Microsoft and Google, introduced numerous software security initiatives, including the co-creation of the STRIDE threat modeling framework used widely today. This book is a modern, pragmatic consolidation of his best practices, insights, and ideas about the future of software.