OSS SSD Guide
1.0

The OSS SSD Guide

Version 1.0 by Tim Hemel.

Table of Contents

  • Introduction
    • The need for secure software
    • Structure of this guide
    • About this guide
  • Defining security
    • What is security?
    • Taking risks
    • Finding threats
    • Determining threat impact
    • Summary
  • Security in the SDLC
    • The Software Development Lifecycle (SDLC)
    • Security problems and remedies in the SDLC
    • Summary
  • Threats in the requirements phase
    • STRIDE
    • Finding business level security requirements
    • Finding user interaction level security requirements
    • Finding system level security requirements
    • Security assumptions
    • Summary
  • Threats in the architecture phase
    • Architectural description
    • Analyzing the architecture
    • Other approaches
    • Summary
  • Third party software components
    • Checking for known vulnerabilities
    • Tools for vulnerability checking
    • Summary
  • Threats in the coding phase
    • Secure coding standard
    • Code security review
    • Tools
    • Summary
  • Verification methods
    • Functional tests
    • Formal methods
    • Code review
    • Pentest
    • Vulnerability scan
    • Fuzzing
    • Summary
  • Integrating the practices
    • Making security visible
    • Security assumptions
    • When to do what
    • Discussions about security
    • Dealing with security findings
    • Finding people
    • Getting started with security practices
    • Growing the security practices
    • Summary
  • Topics left undiscussed
    • Users
    • Malicious developers
    • Secure workflow
    • Secure deployment
    • Secure release and distribution
    • Security software
    • Privacy
  • References
© Copyright 2019, Tim Hemel