Thursday, November 15, 2007

ISACA Winnipeg's bestseller list: Build Security In

Network World's Security Strategies Newsletter, 11/15/07

By M. E. Kabay

My friend and colleague Dan Swanson, CIA, runs a valuable information assurance (IA) news and discussion service and has compiled a list of useful IA resources for us.

I'm impressed by the quality of the references, including some I haven’t seen before. Readers will want to keep this list for extended browsing.

Today I’ll start reviewing some of the most interesting sites and documents he and his colleagues have listed in the five-page “Leading Resources to support your Information Security improvement efforts” which is available as a PDF download from the home page of the ISACA Winnipeg Chapter’s “Security Management Conference.”

“Build Security In” (BSI) from the U.S. Department of Homeland Security has some excellent white papers. The home page describes it as follows:

“Build Security In (BSI) contains and links to best practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into software in every phase of its development. BSI content is based on the principle that software security is fundamentally a software engineering problem and must be addressed in a systematic way throughout the software development life cycle.”

Here are three particularly interesting titles in the list of new BSI resources:

* Software Assurance (SwA) in Acquisition: Mitigating Risks to the Enterprise by Mary Linda Polydys and Stan Wisseman. This 112-page draft version in Word format is available for comments (deadline is Nov. 20). The Executive Summary (p. ES-2) describes the report as follows:

“This guide provides information on incorporating SwA throughout the acquisition process from the acquisition planning phase to contracting, implementation and acceptance, and follow-on phases. For each phase, the guide covers SwA concepts, recommended strategies, and acquisition management tips. The guide also includes recommended Request for Proposals (RFP) and/or contract language and due diligence questionnaires that may be tailored by acquisition officials to facilitate the contract evaluation process.”

* Software Project Management for Software Assurance is an 86-page document by Elaine Fedchak, Thomas McGibbon and Robert Vienneau. The main sections are as follows:

1 Introduction
2 Definitions and Rationale
3 Planning
4 Tracking
5 Management in the Development life cycle
6 Standards for Secure Software Engineering
7 Resources
8 Terminology
9 References
A Appendix: Work Breakdown Structure for Software Assurance

* State-of-the-Art Report on Software Security Assurance is a collaborative report based on discussions in software assurance groups. The publication from the Information Assurance Technology Analysis Center (IATAC) is available as a PDF file with 396 pages and a tooth-jarringly garish cover. It’s also stored with a two-page-per-screen layout that you may want to change unless you use a wide screen.

However, quibbles aside, this is an astonishing work that most readers are going to want to download and read. It can be used as a resource in undergraduate and graduate courses (I’m going to scuttle away and see where to fit it into the MSIA program). Here’s an outline of just the section headings (the detailed Table of Contents is seven pages long) of this impressive achievement:

Section 1: Introduction
Section 2: Definitions
Section 3: Why is Software at Risk?
Section 4: Secure Systems Engineering
Section 5: SDLC Processes and Methods and the Security of Software
Section 6: Software Assurance Initiatives, Activities, and Organizations
Section 7: Resources
Section 8: Observations
Appendix A: Acronyms
Appendix B: Definitions
Appendix C: Types of Software Under Threat
Appendix D: DoD/FAA Proposed Safety and Security Extensions to ICMM and CMMI
Appendix E: Security Functionality
Appendix F: Agile Methods: Issues for Secure Software Development
Appendix G: Comparison of Security Enhanced SDLC Methodologies
Appendix H: Software Security Research in Academia

Although I am already beyond my word-count limit, I can’t resist adding the topics in Section 8 to whet your appetite:

8.1 What “Secure Software” Means
8.2 Outsourcing and Offshore Development Risks
8.3 Malicious Code in the SDLC
8.4 Vulnerability Reporting
8.5 Developer Liability for Vulnerable Software
8.6 Attack Patterns
8.7 Secure Software Life Cycle Processes
8.8 Using Formal Methods for Secure Software Development
8.9 Requirements Engineering for Secure Software
8.10 Security Design Patterns
8.11 Security of Component-Based Software
8.12 Secure Coding
8.13 Development and Testing Tools for Secure Software
8.14 Software Security Testing
8.15 Security Assurance Cases
8.16 Software Security Metrics
8.17 Secure Software Distribution
8.18 Software Assurance Initiatives
8.19 Resources on Software Security
8.20 Knowledge for Secure Software Engineering
8.21 Software Security Education and Training
8.22 Software Security Research Trends

Yum!

Editor's note: Starting Tuesday, Nov. 20, this newsletter will be renamed "Security Strategies Alert." Subscribers to the HTML version of this newsletter will notice some enhancements that will provide access to more resources relevant to IT security. You will still receive M. E. Kabay's analysis of this topic, which you will be able to read in its entirety online at NetworkWorld.com, along with links to relevant news headlines of the day. We hope you enjoy the enhancements and we thank you for reading Network World newsletters.


Contact the author:

M. E. Kabay, PhD, CISSP-ISSMP is Program Director of the Master of Science in Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.

Copyright Network World, Inc., 2007