To date, most software security books have focused solely on writing secure code and educating developers on how to do that.
In Enterprise Software Security: A Confluence of Disciplines, authors Kenneth van Wyk, Mark Graff, Dan Peters and Diana Burley take a different, and ultimately necessary approach. Their tactic is that treating software security as an autonomous discipline doesn’t work. With is needed is, as the titles notes, a confluence, a process of merging two autonomous groups. In this case, those groups are software development security and network security.
By having enterprise security interact with their software engineers and developers (which is in truth, not such a radical idea), the ability to fully protect software can be actualized.
The authors note that it is an imperative for these two groups to collaborate to ensure effective enterprise security. Obviously, just placing these two groups in a conference room and telling them to work security out is a method that is bound to fail. Hence, the book provides a holistic approach and method in which they can work together.
The book shows how this confluence will work throughout the entire software development lifecycle; from inception, design, implementation, testing, deployment, operation, to software maintenance and more.
As noted, this is not secure software guide, such as Robert Seacord’s superb CERT C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems or Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs. Readers looking for detailed coding guidelines or ways to write secure code against the OWASP Top 10 won’t find it in this title.
What the book does offer is a method to enhance software security by ensuring those who are expected to create and maintain it, and support the platforms it runs on, play nicely. That act of having software development and enterprise security place nicely in the corporate IT word is not a trivial endeavor. With that, Enterprise Software Security: A Confluence of Disciplines details a timely approach on how to take this confluence, and make it work in an enterprise IT environment.