There are two very exciting side-projects that I have started brewing.
The first is that I have agreed to write a book with my friend Bill Hau called “Practical Software Security”. We have signed a contract for the book to be published by O’Reilly in late Summer 2012.
The second is that we have agreed with O’Reilly that we will release the book online for free from day one under a Creative Commons license as the seed for a new security community that we are going to launch. We expect that community to be called “Seconauts”; if Astronauts explore space then Seconauts explore security!
The Book – For a long time I have wanted to write a book on software security that was targeted firmly and squarely at software developers and software development teams. Security books are generally written by security people and, I think, for security people. When a software development team decides to include security in their development process they need to understand a wide array of topics, including code-level security, infrastructure security (which these days often means cloud security), security concepts like identity and cryptography and, of course, security management issues like the Payment Card Industry standards. They need to determine how best to apply security practices, security technologies and security tools within their (typically) established development process, conscious that doing so should not make them less effective or less efficient at their primary goal of building great features and shipping those features to users as fast and as often as they can.
Today I believe that software security guidance is largely offered by people that have limited real-world experience or working knowledge of how software development teams actually work (especially modern agile teams). They operate with a lens strongly focused towards the viewpoints of a security-centric brain. Put another way, they live and breathe security and have an interest in software development, as opposed to living and breathing software development and having a healthy interest in security. To make it worse, security culture is still deeply rooted in “hacking”, something clearly evident if you attend a security conference and observe the “handles” and “street” language used to describe issues. This cultural mismatch often results in developers dismissing the security industry, and the messages coming from it, as ‘sabre-rattling’.
The book we are writing is intended to be the only security book a development team would need to buy to implement an end-to-end security program as part of their development process and to solve the common security-related scenarios they will face. That is certainly not to say it will cover all the security information they will need to know, but it will hopefully provide all of the core knowledge they need and empower them to find and digest anything else they need to understand.
We have literally just started the writing process, but the current table of contents looks like this:
- Foreword
- Introduction
- Security Concepts
- Tools and Technologies
- Building a Software Security Program
- Securing Common Scenarios Across Mobile, Web and the Cloud
Foreword
The foreword will be written by a very well known software development person (not a security person). Enough said!
Introduction
The introduction will set up the business case for security, including a set of case studies, a discussion of security as a software quality attribute and security as a business enabler. The section will likely conclude with two subsections, “know your enemy” and “know the attack vectors”, in which the reader would learn about the types of attackers and the types of attacks they use.
Security Concepts
This section will provide a ‘200 level’ education on the important security concepts that members of a development team should understand in order to make informed decisions. Starting with an overview of cryptography covering symmetric and asymmetric algorithms, the section would then describe how cryptography can be used to solve real-world problems such as protecting data in transport and storage and digitally signing messages, and would cover important cryptographic systems such as SSL and code signing. It would discuss identity in the context of authentication and authorization, covering types of authentication with a special emphasis on federated models. It would cover models for authorization, describing the pros and cons to consider with each approach. It will cover auditing and logging and security monitoring, and close with a solid discussion on data validation. These sections will all tie back to the common attacks described in the previous main section.
Tools and Technologies
This section would provide a jump-start into understanding the security features that can be used in web, mobile and cloud technology stacks, along with any useful security extensions or related technologies.
- Fundamentals: HTTP, mobile device carrier networks and infrastructure security like web servers and firewalls.
- Web: Java, PHP, Ruby on Rails, .NET, JavaScript, Node.js etc.
- Mobile: the major mobile operating systems of Android and iOS.
- Cloud: platform as a service using Amazon Web Services, Heroku and Google App Engine as examples.
Building A Software Security Program
This section will provide project leaders and development managers with a blueprint to build and manage their own software security program. Starting with requirements, design & planning and a description of how to implement security in application architecture, we will then cover secure coding, testing and QA, ‘DevOps’, security standards and regulations, education and awareness, dealing with 3rd parties like vendors, partners and auditors, and finally outsourcing. The section will also discuss tools for security, including the obvious security code analysis type tools but also specifically focusing on adapting common development tools like Behavior Driven Development tools towards security tasks. The section will end with a detailed description of how security fits into modern agile and test driven development practices and how security metrics (like “Coder Metrics”) can be used to drive continuous improvement.
Securing Common Scenarios Across Mobile, Web and the Cloud
The final section is expected to be the largest in the book and will describe recommended solutions to common scenarios that most development teams encounter. We think it would be prudent to ‘ask the crowd’ to help us define a prioritized set of scenarios, but we would expect them to include things like the 10 examples below.
1. Storing personal data
2. Managing credit cards
3. User Registration
4. Password Reset Systems
5. Security of REST APIs
6. Exposing web services end-points across the Internet
7. Preventing bots and making sure users are humans
8. Signing mobile code
9. Setting up a cloud deployment environment
10. Consuming upstream data from an untrusted 3rd party
I will be inviting a number of people I respect and consider subject matter experts to contribute to the book in various ways.
As I mentioned, the book will be released for free online (we of course want you to buy the Kindle and paperback versions) as the seed material for a new security community we are going to start. That community will be called Seconauts and will be very different from current communities. We don’t have all of the community model worked out, but it is fair to say it will draw heavily from observing OWASP. I want to stress that it will be very different from OWASP in many ways. For a start it will focus on a small number of high quality projects that support a clear project roadmap. The development of projects and some discussion forums will follow an “invite only” model and we will be working on a system of community recognition. We certainly don’t have all the details worked out yet, but there will be a community points system that will not only allow people to earn points for activity (so we recognize the actual people doing the work), but will also allow peers to rank contributions and tie all contributions to the social graph of how that person became part of the community. That’s a long-winded way of saying the community recognition system will encourage A players to invite A players, penalize B players that invite C players and ensure that those that actively participate and whose work is highly regarded get the recognition they deserve. Designing that is going to be fun!
We have partnered with Mike DeLibero (awesome developer) to build out the first part of our community site, which will be a discussion system using Ruby on Rails to support a limited set of people we will be inviting to provide ongoing feedback on the book manuscript. We have the early part of that system running now (it’s based on an existing open source project) and expect to have a working beta in March. This will allow us to have online forums and an integrated mailing list, and will take the manuscript (being written in markdown) and process it regularly into html, pdf and .epub formats for review by those initial community members. I doubt we’ll have the community points system in place for the initial book review, but it’s definitely our intention that these reviewers will earn points for their review activity and then seed the community by inviting others to join when the time is right. I definitely want to find a way to continue to develop a patterns repository, expanding the scenarios both in terms of the types of scenarios and specialized versions of them (e.g. how to sign mobile code on X technology and Y technology). I hope we will eventually host a weekly video show, a rolling news blog, a conference and a series of workshops, but one step at a time. You can follow @seconauts now, although it won’t be active until the new year.
I am passionate about the book and passionate about creating a different type of security community, so it’s a fun and exciting time.
Cheers!
Mark