Publications Read

1. Beck, K. (2000). Extreme Programming Explained. Boston, Addison-Wesley.

Abstract: This book outlines the fundamental principles behind Extreme Programming (XP). XP was conceived and developed to address the specific needs of software development conducted by small teams in the face of vague and changing requirements. This new lightweight methodology challenges many conventional tenets, including the long-held assumption that the cost of changing a piece of software necessarily rises dramatically over the course of time.

Notes:
The lack of an overarching design might present a problem in the incorporation of security into the XP methodology.

2. Ghosh, A. K. (2001). Security & Privacy for E-Business. New York, Wiley Computer Publishing.


Abstract: This book addresses the problem of security and privacy for the e-commerce environment. Rather than focusing on firewalls and encryption tools, it presents a proactive engineering approach that attempts to correct the problem through consideration in the software development process. It provides guidance on how to build secure systems from the ground up and teaches how to balance technical and business requirements while providing security for customers.

Notes:
1. When users have access to data which is widely distributed, this can actually be viewed as a benefit for security because the entire system will be so compartmentalized that a breach in one segment will not ensure access to all information.
2. Software risk management has to do with prioritizing the potential threats, vulnerabilities, and consequences, and then determining what behavior is unacceptable and must be addressed versus what can be ignored.
3. Users could potentially modify forms on web pages and send invalid information.
4. Hidden fields are not really hidden. Users could still potentially modify these fields.
5. Wireless devices are especially vulnerable to attacks and should be carefully considered when involved in e-commerce.
6. As always, security is only as strong as the weakest point, so the focus should be on identifying these points and strengthening them rather than being lulled into a false sense of security by the strongest point of your system (i.e. encryption).

3. Peltier, T. R. (2002). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Boca Raton, Auerbach Publications.

Abstract: This book provides guidance to individuals attempting to create Information Security Policies without conflicting with current company practices. It outlines the necessary steps involved in writing effective policies, procedures, and standards.

Notes:
1. A security policy contains general statements about the particular company's stance on related issues.
2. A security standard is a more specific and detailed extension of the company's security policy, most likely dealing with the implementation of the solution to the problem.

4. Thielen, D. (1992). No Bugs! Delivering Error-Free Code in C and C++. Reading, MA, Addison-Wesley.

Abstract: This book provides helpful hints for writing code which is less error-prone. It focuses on exploring testing strategies which prevent releasing bug-ridden programs.

Notes:
1. Reminders to check that you aren't referencing memory that has been deallocated (mostly a problem for C).
2. Contains suggestions for treatment of file I/O; reminders to verify that file reads/writes are possible.

5. Viega, J. and G. McGraw (2002). Building Secure Software: How to Avoid Security Problems the Right Way. Boston, Addison-Wesley.

Abstract: This book covers the need for integrating security into every step of the software development process. It discusses how common security errors are made, how these errors are exploited, and how to avoid these errors. It provides perspectives and techniques to help ensure the security of essential software by assuming that considering threats and vulnerabilities early in the development cycle can help build security into a system. It allows the developers to determine an acceptable level of risk, develop security tests, and plug security holes before software is even shipped.

Notes:
Too numerous to mention.