In the past five years or so, a growing number of books on secure software development, application security, and related topics have been published. Many of these recent books are not comprehensive, descriptive textbooks, but rather pragmatic, prescriptive professional books targeting practitioners. A number of them focus on a specific technology, a specific activity (particularly coding), or a specific operational context.
Used selectively, the newer works, when augmented with papers, presentations, and articles produced for conferences, workshops, technical journals, and even with recent graduate theses, will bring up to date many of the technological concepts and examples in the older references. However, while the processing models and technologies of software have changed significantly since [Gasser 1988] was published, many of the basic concepts and principles of secure software engineering have not. For this reason, this guide also references several works that might appear, on the surface, to be “old” or “obsolete”, but which in fact remain critical to rounding out a good academic reading list on secure software engineering.
Finally, because many of the practices established in the discipline of software safety are being adapted or extended and applied to achieve software security objectives, several software safety references are also included in this guide.
Several “common references” have been identified for use across all sections of this guide. These are listed in the subsection immediately below. Where one exists, a uniform resource identifier (URI) is listed with each reference. These common references are augmented, in each section of the guide, with references specific to the subject matter presented in that section.
Common References Spanning All Sections
[SWEBOK] Abran, Alain, James W. Moore (Executive editors); Pierre Bourque, Robert Dupuis, Leonard Tripp (Editors). Guide to the Software Engineering Body of Knowledge. 2004 Edition. Los Alamitos, California: IEEE Computer Society, Feb. 16, 2004. Available at http://www.swebok.org.
[Avizienis 2004] Avizienis, Algirdas, Jean-Claude Laprie, Brian Randell, and Carl Landwehr, “Basic Concepts and Taxonomy of Dependable and Secure Computing,” IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 1, pp. 11-33, Jan.-Mar. 2004. Available at http://csdl.computer.org/dl/trans/tq/2004/01/q0011.pdf.
[Berg 2005] Berg, Clifford J. High-Assurance Design: Architecting Secure and Reliable Enterprise Applications, Addison Wesley, 2005.
[Bishop 2003] Bishop, Matt. Computer Security: Art and Science. Addison-Wesley, 2003.
[Gasser 1988] Gasser, M. Building a Secure Computer System. Van Nostrand Reinhold, 1988. Available at http://nucia.ist.unomaha.edu/library/gasser.php.
[Ibrahim et al, 2004] Ibrahim, Linda, et al, Safety and Security Extensions for Integrated Capability Maturity Models. Washington D.C.: United States Federal Aviation Administration, Sept. 2004. Available at http://www.faa.gov/ipg/pif/evol/index.cfm.
[McGraw 2006] McGraw, Gary. Software Security: Building Security In. Addison Wesley, 2006.
[Meier 2003] Meier, J.D., Alex Mackman, Srinath Vasireddy, Michael Dunner, Ray Escamilla, and Anandha Murukan. Improving Web Application Security: Threats and Countermeasures. Microsoft, 2003. Available at http://download.microsoft.com/download/d/8/c/d8c02f31-64af-438c-a9f4-e31acb8e3333/Threats_Countermeasures.pdf.
[Redwine 2004] Redwine, Samuel T., Jr., and Noopur Davis (Editors). Processes for Producing Secure Software: Towards Secure Software. vols. I and II. Washington, D.C.: National Cyber Security Partnership, 2004. Available at http://www.cigital.com/papers/download/secure_software_process.pdf.
[Viega 2005] Viega, J., The CLASP Application Security Process, Secure Software, 2005. Available at http://www.securesoftware.com.
[Whittaker and Thompson 2004] Whittaker, J. A. and H. H. Thompson. How to Break Software Security: Effective Techniques for Security Testing. Pearson Education, 2004.
Relevant Standards and Guidelines
[CNSSI 4009] Committee on National Security Systems (CNSS) Instruction 4009: National Information Assurance (IA) Glossary. Revised May 2003. Available at http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf.
[NIST FIPS 200] NIST: Federal Information Processing Standards Publication (FIPS PUB) 200: Minimum Security Requirements for Federal Information and Information Systems. March 2006. Available at http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf.
[NIST SP 800-27] NIST Special Publication 800-27: Engineering Principles for Information Technology Security (A Baseline for Achieving Security). Revision A, June 2004. Available at http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf.
[ISO/IEC 12207] International Organization for Standardization/International Electrotechnical Commission Standard 12207:1995, Software Life Cycle Processes, plus Amendment 1:2002 and Amendment 2:2004. Available at http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=21208
[ISO/IEC 15288] ISO/IEC Standard 15288:2002, Systems Engineering - System Life Cycle Processes. Available at http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=27166
[ISO/IEC 15026] ISO/IEC Standard 15026:1998, System and Software Integrity Levels. Available at http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=26236
[Anderson 2001] Anderson, Ross J., Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley and Sons, 2001.
[Goertzel 2006] Goertzel, Karen Mercedes, et al: Security in the Software Lifecycle: Making Application Development Processes—and Software Produced by Them—More Secure, Version 1.0 DRAFT. Washington, DC: Department of Homeland Security, 2006. Available at https://buildsecurityin.us-cert.gov/daisy/bsi/89.html.