A central and critical intellectual acknowledgment belongs to my friends and colleagues at IEEE Security & Privacy magazine. Many of the ideas in this book first saw the light of day as a collection of articles published over the course of almost two years in my "Building Security In" (BSI) department. A complete list of the BSI articles can be found in Table 0-1.
The now-infamous touchpoints picture, which you might think of as providing the skeleton of this book, originated at a National Science Foundation meeting convened by Carl Landwehr and run by Fred Schneider. Matt Bishop and I built the original picture instead of paying attention during the meeting. A copy of the resulting touchpoints for software security can be found on the inside front cover. The seed idea for this sort of lifecycle-based picture comes from the work of Mike Howard at Microsoft. I adapted the idea to be process-agnostic and based on software artifacts.
I owe a great deal of gratitude to the coauthors who helped me develop the IEEE BSI series, putting some flesh on the touchpoint bones. Each of them helped me to create, evolve, and expand the ideas at the very core of this book. I am also extremely thankful for the support of the IEEE Security & Privacy editorial board, Dick Price, and Jenny Ferrero. IEEE Security & Privacy lead editor Kathy Clark-Fisher went above and beyond the call of duty to help me.
I am grateful for the help of my original BSI coauthors: Annie Anton, Brad Arkin, Sean Barnum, Brian Chess, Paco Hope, Nancy Mead, Bruce Potter, Scott Stender, Dan Taylor, Katrina Tsipenyuk, Ken van Wyk, and Denis Verdon. Some of the chapters in Software Security evolved directly out of the IEEE BSI articles. Whenever this is the case, the chapter starts with an acknowledgment of the article and names its coauthors.
Table 0-1 List of Articles from the "Building Security In" department of IEEE Security & Privacy magazine
|Title||Author||IEEE Security & Privacy Citation|
|Software Security||Gary McGraw||2(2):80-83|
|Misuse and Abuse Cases: Getting Past the Positive||Paco Hope, Gary McGraw, and Annie Anton||2(3):32-34|
|Risk Analysis in Software Design||Denis Verdon and Gary McGraw||2(4):79-84|
|Software Security Testing||Bruce Potter and Gary McGraw||2(5):81-85|
|Static Analysis for Security||Brian Chess and Gary McGraw||2(6):76-79|
|Software Penetration Testing||Brad Arkin, Scott Stender, and Gary McGraw||3(1):84-87|
|Knowledge for Software Security||Sean Barnum and Gary McGraw||3(2):74-78|
|Adopting a Software Security Improvement Program||Dan Taylor and Gary McGraw||3(3):88-91|
|A Portal for Software Security||Nancy R. Mead and Gary McGraw||3(4):75-79|
|Bridging the Gap between Software Development and Information Security||Kenneth R. van Wyk and Gary McGraw||3(5);75-79|
I encourage all of my readers to subscribe to IEEE Security & Privacy magazine. (Full disclosure: I am an unpaid volunteer on the magazine's editorial board.) For more information, see http://computer.org/security. Likewise deserving a tip of the hat and a friendly nod are my IT Architect magazine editors Drew Murray and Nancy Hung, who help me deal with the relentless monthly deadline associated with my column "[In]security." Some of the ideas in this book were first explored there. Also thanks to Alexa Weber-Morales and Nicole Garbolino for helping spread the software security gospel at SD East, SD West, and in Software Development magazine.
Even after taking into account the help of my IEEE BSI coauthors, there are many researchers and practitioners whose involvement was instrumental to this work. I'll take the blame for any errors and omissions, of course. Brian Chess and Ken van Wyk were particularly helpful in making this book come to life. They both suffered through multiple drafts and always came up with excellent suggestions for improvement. The following people also provided helpful reviews of early drafts: Ivan Arce, Fabio Arciniegas, Richard Bejtlich, Matt Bishop, Kathy Clark-Fisher, Dan Geer, Michael Gegick, Erik Hatcher, Paco Hope, Brad Johnson, Rick Kingsland, Scott Matsumoto, Jim Muller, Gunnar Peterson, Greg Rose, Adam Shostack, Brian Sletten, Roger Thornton, Win Treese, and Stan Wisseman. Ellen Weiner helped me with the process models found in some of the touchpoints chapters. Michal Propieszalski developed the exercise in Appendix C. Brian Chess, Yekaterina Tsipenyuk, and Jacob West (all of Fortify) worked hard on the taxonomy of Chapter 12. Sean Barnum provided an interesting point of view on static analysis rules.
Finally, John Steven has been my right-hand idea person at Cigital for many years. A number of the concepts in this book sprang whole from his mind, and his suggestions for improvement were outstanding. In particular, John's approach to architectural risk analysis and his enterprise information architecture have both been incorporated into the book.
Addison-Wesley continues to be an excellent and necessary partner in the creation of my books (and the complete Addison-Wesley Software Security Series). Special thanks to my editor, Karen Gettman, whose support over the years has never wavered. Also thanks to her assistants, Elizabeth Zdunich and Ebony Haight, and to Chrysta Meadowbrooke, whose persistent copy editing banished many a hobgoblin.
Like my other books before it, Software Security has Cigital written all over it. Cigital continues to be an exciting and vibrant place to work, where the never-ending effort of making software behave continues to be great fun. Hats off to the management team for putting up with my perpetual travel and writing: Jeff Payne, John Wyatt, Dede Haskins, and John Steven. Cigital's world-class Software Security Group (SSG), founded in 1999, continues to cut new ice in the software security field while helping customers identify and manage millions of dollars' worth of security risk. Paco Hope has been particularly outstanding during the last year. Ryan MacMichael builds and manages all of the Web sites for my books.
Like all of my books, this book is a collaborative effort of many. My friends in the security community who helped form my thinking in one way or another include Ross Anderson, Annie Anton, Steve Bellovin, Matt Bishop, Brian Chess, Bill Cheswick, Crispin Cowan, Drew Dean, Jeremy Epstein, Dave Evans, Ed Felten, Dan Geer, Virgil Gligor, Li Gong, Greg Hoglund, Peter Honeyman, Mike Howard, Steve Kent, Paul Kocher, Carl Landwehr, Patrick McDaniel, Greg Morrisett, Peter Neumann, Jon Pincus, Marcus Ranum, Greg Rose, Avi Rubin, Fred Schneider, Bruce Schneier, Gene Spafford, Kevin Sullivan, Roger Thornton, Phil Venables, and Dan Wallach.
Thanks to DARPA, the National Science Foundation, and the Advanced Technology Program for supporting my research work over the years. Cigital customers I interact with on a weekly basis and who have influenced my view of security in the real world include Greg Rose, Ricardo Lopez, and Franklin Antonio (Qualcomm), Lance Johnson (Visa), Phil Venables (Goldman Sachs), and Mike Ackerman.
Most important of all, I thank my family. Love to Amy Barley, Jack and Eli, beach moe, Uncle Chris, Walt, Nora and baby Simone, and grandma (who at 96 provides an excellent example for all of us). Shouts to the ever-expanding menagerie: the dog pack (walnut, ike, jocko [back to NH for him!], skillet, and honorary dog Eli), the cat herd (soupy, craig, soupy junes, winston J, struggle, and ghosty), sage and guthrie the sure-footed big guys, moustache the bunny, lewy and lucy the goats, and "the girls" who keep us in more eggs than we know what to do with. Also thanks to my dear friends Rhine, April, Cyn, Ant, Gina, and Aubrey (wherever he is).
Copyright © 2006, Gary McGraw