Designing Secure Software: A Guide for Developers (Paperback)

Kohnfelder, Loren

Product description

What every software professional should know about security.

Designing Secure Software consolidates Loren Kohnfelder's more than twenty years of experience into a concise, elegant guide to improving the security of technology products. Written for a wide range of software professionals, it emphasizes building security into software design early and involving the entire team in the process.

The book begins with a discussion of core concepts like trust, threats, mitigation, secure design patterns, and cryptography. The second part, perhaps this book's most unique and important contribution to the field, covers the process of designing and reviewing a software design with security considerations in mind. The final section details the most common coding flaws that create vulnerabilities, making copious use of code snippets written in C and Python to illustrate implementation vulnerabilities.

You'll learn how to:

- Identify important assets, the attack surface, and the trust boundaries in a system
- Evaluate the effectiveness of various threat mitigation candidates
- Work with well-known secure coding patterns and libraries
- Understand and prevent vulnerabilities like XSS and CSRF, memory flaws, and more
- Use security testing to proactively identify vulnerabilities introduced into code
- Review a software design for security flaws effectively and without judgment

Kohnfelder's career, spanning decades at Microsoft and Google, introduced numerous software security initiatives, including the co-creation of the STRIDE threat modeling framework used widely today. This book is a modern, pragmatic consolidation of his best practices, insights, and ideas about the future of software.

About the author

Loren Kohnfelder has over 20 years of experience working in the security industry for companies like Microsoft and Google. At Microsoft, he was a key contributor to the industry's first formalized proactive security process methodology, and program-managed the .NET platform security effort. He was also a key contributor to the first organized approach to security by any major software platform company. At Google he worked as a software engineer on the Security team and as a founding member of the Privacy team, performing numerous security design reviews of large-scale complex real-world commercial platforms and systems, while working on various projects as a developer. Now retired, Kohnfelder shares his unique experience in industry through this book.
