Practical Core Software Security: A Reference Framework

As long as humans write software, the key to successful software security is making the software development program process more efficient and effective. Although the approach of this textbook includes people, process, and technology approaches to software security, Practical Core Software Security: A Reference Framework stresses the people element of software security, which is still the most important part to manage as software is developed, controlled, and exploited by humans.

The text outlines a step-by-step process for software security that is relevant to today's technical, operational, business, and development environments. It focuses on what humans can do to control and manage a secure software development process using best practices and metrics. Although security issues will always exist, students learn how to maximize an organization's ability to minimize vulnerabilities in software products before they are released or deployed by building security into the development process.

The authors have worked with Fortune 500 companies and have often seen examples of the breakdown of security development lifecycle (SDL) practices. The text takes an experience-based approach to apply components of the best available SDL models in dealing with the problems described above. Software security best practices, an SDL model, and framework are presented in this book. Starting with an overview of the SDL, the text outlines a model for mapping SDL best practices to the software development life cycle (SDLC). It explains how to use this model to build and manage a mature SDL program. Exercises and an in-depth case study aid students in mastering the SDL model.

Professionals skilled in secure software development and related tasks are in tremendous demand today. The industry continues to experience exponential demand that should continue to grow for the foreseeable future. This book can benefit professionals as much as students. As they integrate the book's ideas into their software security practices, their value increases to their organizations, management teams, community, and industry.

只要人類編寫軟體，成功的軟體安全的關鍵在於使軟體開發過程更加高效和有效。雖然這本教科書的方法包括人、流程和技術等軟體安全的方法，但《實用核心軟體安全：參考框架》強調軟體安全的人的要素，這仍然是在軟體開發、控制和利用過程中最重要的部分。

本書概述了一個適用於當今技術、運營、商業和開發環境的軟體安全逐步過程。它專注於人類可以做些什麼來控制和管理安全的軟體開發過程，使用最佳實踐和指標。儘管安全問題將始終存在，學生們學習如何通過將安全性融入開發過程，最大限度地減少軟體產品在發布或部署之前的漏洞。

作者與財富500強公司合作過，並經常見到安全開發生命週期（SDL）實踐的破壞案例。本書採用基於經驗的方法，應用最佳可用SDL模型的組件來處理上述問題。本書介紹了軟體安全最佳實踐、SDL模型和框架。從SDL的概述開始，本書概述了將SDL最佳實踐映射到軟體開發生命週期（SDLC）的模型。它解釋了如何使用這個模型來建立和管理成熟的SDL計劃。練習和深入案例研究幫助學生掌握SDL模型。

今天，擁有安全軟體開發和相關任務技能的專業人士需求非常大。這個行業的需求持續呈指數級增長，並且在可預見的未來應該會繼續增長。這本書對專業人士和學生都有益處。當他們將書中的思想融入到他們的軟體安全實踐中時，他們的價值將提高到他們的組織、管理團隊、社區和行業。

James Ransome, PhD, CISSP, CISM is the Chief Scientist for CYBERPHOS, an early-stage cybersecurity startup. He is also a member of the board of directors for the Bay Area Chief Security Officer Council. Most recently, James was the Senior Director of Security Development Lifecycle Engineering for Intel's Product Assurance and Security (IPAS). In that capacity, he led a team of SDL engineers, architects, and product security experts to drive and implement security practices across the company. Prior to that, James was the Senior Director of Product Security and PSIRT at Intel Security (formerly McAfee).

Anmol Misra is an accomplished leader, researcher, author, and security expert, with over 16 years of experience in technology and cybersecurity. His engineering, security, and consulting background makes him uniquely suited to drive the adoption of disruptive technologies. He is a team builder focused on mentoring and nurturing high-potential leaders, fostering excellence, and building industry partnerships. He is known for his pragmatic approach to security.

Mark S. Merkow, CISSP, CISM, CSSLP has over 25 years of experience in corporate information security and 17 years in the AppSec space helping to establish and lead application security initiatives to success and sustainment. Mark is a faculty member at the University of Denver, where he works developing and instructing online courses in topics across the Information Security spectrum, with a focus on secure software development. He also works as an advisor to the University of Denver's Information and Computing Technology Curriculum Team for new course development and changes to the curriculum and for Strayer University as an advisor to the undergraduate and graduate programs in information security.

James Ransome, PhD, CISSP, CISM 是 CYBERPHOS 的首席科學家，該公司是一家早期的網絡安全初創企業。他還是灣區首席安全官委員會的董事會成員。最近，James 擔任英特爾產品保證和安全（IPAS）的安全開發生命周期工程高級總監。在這個職位上，他帶領一個 SDL 工程師、架構師和產品安全專家團隊，推動和實施公司的安全實踐。在此之前，James 曾擔任英特爾安全（前身為 McAfee）的產品安全和 PSIRT 高級總監。

Anmol Misra 是一位傑出的領導者、研究員、作家和安全專家，擁有超過 16 年的技術和網絡安全經驗。他的工程、安全和咨詢背景使他獨特地適合推動創新技術的應用。他是一位團隊建設者，致力於指導和培養高潛力的領導者，促進卓越，建立行業合作夥伴關係。他以務實的安全方法而聞名。

Mark S. Merkow, CISSP, CISM, CSSLP 在企業信息安全領域擁有超過 25 年的經驗，並在應用安全領域擔任了 17 年，幫助建立和領導應用安全項目的成功和持續發展。Mark 是丹佛大學的教職成員，他在該校開發和教授涵蓋信息安全領域各個主題的在線課程，專注於安全軟件開發。他還擔任丹佛大學信息和計算技術課程團隊的顧問，負責新課程開發和課程內容的變更，並擔任 Strayer 大學的顧問，協助該校的信息安全本科和研究生項目。