Home > Store

Enterprise Software Security: A Confluence of Disciplines

Register your product to gain access to bonus material or receive a coupon.

Enterprise Software Security: A Confluence of Disciplines


  • Sorry, this book is no longer in print.
Not for Sale

eBook (Watermarked)

  • Your Price: $28.79
  • List Price: $35.99
  • Includes EPUB, MOBI, and PDF
  • About eBook Formats
  • This eBook includes the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    MOBI MOBI The eBook format compatible with the Amazon Kindle and Amazon Kindle applications.

    Adobe Reader PDF The popular standard, used most often with the free Adobe® Reader® software.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.



  • Written by high-profile authors in the software security space
  • Offers a brand-new take on software security
  • It’s about two disciplines working together to develop secure code and security applications


  • Copyright 2015
  • Dimensions: 7" x 9-1/8"
  • Edition: 1st
  • Book
  • ISBN-10: 0-321-60411-3
  • ISBN-13: 978-0-321-60411-8


Traditional approaches to securing software are inadequate. The solution: Bring software engineering and network security teams together in a new, holistic approach to protecting the entire enterprise. Now, four highly respected security experts explain why this “confluence” is so crucial, and show how to implement it in your organization.

Writing for all software and security practitioners and leaders, they show how software can play a vital, active role in protecting your organization. You’ll learn how to construct software that actively safeguards sensitive data and business processes and contributes to intrusion detection/response in sophisticated new ways. The authors cover the entire development lifecycle, including project inception, design, implementation, testing, deployment, operation, and maintenance. They also provide a full chapter of advice specifically for Chief Information Security Officers and other enterprise security executives.

Whatever your software security responsibilities, Enterprise Software Security delivers indispensable big-picture guidance–and specific, high-value recommendations you can apply right now.


• Overcoming common obstacles to collaboration between developers and IT security professionals
• Helping programmers design, write, deploy, and operate more secure software
• Helping network security engineers use application output more effectively
• Organizing a software security team before you’ve even created requirements
• Avoiding the unmanageable complexity and inherent flaws of layered security
• Implementing positive software design practices and identifying security defects in existing designs
• Teaming to improve code reviews, clarify attack scenarios associated with vulnerable code, and validate positive compliance
• Moving beyond pentesting toward more comprehensive security testing
• Integrating your new application with your existing security infrastructure
• “Ruggedizing” DevOps by adding infosec to the relationship between development and operations
• Protecting application security during maintenance

Sample Content

Online Sample Chapter

Enterprise Software Security: Design Activities

Sample Pages

Download the sample pages (includes Chapter 3 and Index)

Table of Contents

Preface     xiii

1 Introduction to the Problem    1

Our Shared Predicament Today    2
Why Are We in This Security Mess?     5
Ancient History     7
All Together Now     11
The Status Quo: A Great Divide     15
What’s Wrong with This Picture?     20
Wait, It Gets Worse     25
Stressing the Positive     27
Summing Up     30
Endnotes     31

2 Project Inception     33

Without a Formal Software Security Process–The Norm Today    34
The Case for a Project Security Team     42
Tasks for the Project Security Team     43
Putting Together the Project Security Team     50
Roles to Cover on the Security Team     51
Some Final Practical Considerations about Project Security Teams     64
Summing Up     67
Endnotes     68

3 Design Activities    71

Security Tiers     72
On Confluence     76
Requirements     78
Specifications     98
Design and Architecture    100
It’s Already Designed     112
Deployment and Operations Planning     115
Summing Up     121
Endnotes     121

4 Implementation Activities    123

Confluence     123
Stress the Positive and Strike the Balance    124
Security Mechanisms and Controls     126
Code Reuse     146
Coding Resources     148
Implementing Security Tiers    152
Code Reviews     154
A Day in the Life of a Servlet    157
Summing Up     167
Endnotes     167

5 Testing Activities    169

A Few Questions about Security Testing    170
Tools of the Trade     180
Security Bug Life Cycle     185
Summing Up     191
Endnotes     192

6 Deployment and Integration    193

How Does Deployment Relate to Confluence?     194
A Road Map     194
Advanced Topics in Deployment    198
Integrating with the Security Operations Infrastructure    200
Third-Generation Log Analysis Tools     213
Retrofitting Legacy and Third-Party Components     216
Notes for Small Shops or Individuals     217
Summing Up     219
Endnotes     220

7 Operating Software Securely     221

Adjusting Security Thresholds     222
Dealing with IDS in Operations     230
Identifying Critical Applications     236
CSIRT Utilization     237
Notes for Small Shops or Individuals    238
Summing Up     240

8 Maintaining Software Securely    241

Common Pitfalls     243
How Does Maintaining Software Securely Relate to Confluence?     248
Learning from History     249
Evolving Threats     251
The Security Patch     254
Special Cases     256
How Does Maintaining Software Securely Fit into Security SDLCs?     259
Summing Up     261
Endnotes     262

9 The View from the Center    263

Ideas for Encouraging Confluent Application Development    265
Toward a Confluent Network     269
Security Awareness and Training     273
Policies, Standards, and Guidelines     274
The Role of Other Departments and Corporate Entities    275
Resource Budgeting and Strategic Planning for Confluence     277
Assessment Tools and Techniques     279
Mobile Plans–Postmortem Interviews     289
Notes for Small Shops or Individuals     292
Summing Up     292
Endnotes     293

Index    295


Submit Errata

More Information

Unlimited one-month access with your purchase
Free Safari Membership