Enterprise Software Security: A Confluence of Disciplines
S**E
Very good text for a graduate course in Secure Software Development
I use this book as the basis for a graduate course I developed in cybersecurity, titled Secure Software Development. Prior to selecting this as my course text I reviewed 4 other books used in similar courses at other universities.
B**E
Provides a different approach on ensuring software security
To date, most software security books have focused solely on writing secure code and educating developers on how to do that. In Enterprise Software Security: A Confluence of Disciplines, authors Kenneth van Wyk, Mark Graff, Dan Peters and Diana Burley take a different, and ultimately necessary, approach. Their position is that treating software security as an autonomous discipline doesn’t work. What is needed is, as the title notes, a confluence, a process of merging two autonomous groups. In this case, those groups are software development security and network security. By having enterprise security interact with their software engineers and developers (which is, in truth, not such a radical idea), the ability to fully protect software can be actualized. The authors note that it is imperative for these two groups to collaborate to ensure effective enterprise security. Obviously, just placing these two groups in a conference room and telling them to work security out is a method that is bound to fail. Hence, the book provides a holistic approach and method by which they can work together. The book shows how this confluence will work throughout the entire software development lifecycle: from inception, design, implementation, testing, deployment and operation to software maintenance and more. As noted, this is not a secure coding guide, such as Robert Seacord’s superb CERT C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems or Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs. Readers looking for detailed coding guidelines or ways to write secure code against the OWASP Top 10 won’t find them in this title. What the book does offer is a method to enhance software security by ensuring that those who are expected to create and maintain it, and support the platforms it runs on, play nicely. The act of having software development and enterprise security play nicely in the corporate IT world is not a trivial endeavor.
With that, Enterprise Software Security: A Confluence of Disciplines details a timely approach on how to take this confluence, and make it work in an enterprise IT environment.
G**W
I recommend it highly for serious practitioners who have to move ...
This book is part of the AWL software security series which I edit. I recommend it highly for serious practitioners who have to move entire armies (and not just individual developers).
S**P
Finally!!
This is a groundbreaking view of software security, which is made all the more important by the fact that we have known, and ignored, the wisdom expressed here far too long. It makes eminent good sense to view software security development systematically and comprehensively rather than as a pure technical challenge. That is because there are a lot of things that can go wrong and they all have to be addressed if you want to create a truly trustworthy product. I believe it was Einstein who said that the definition of insanity is doing the same thing over and over and expecting different results, which describes the current industry approach to a “T”. This book changes the paradigm and as a result perhaps we are finally on the way to better and more secure code.