PPT slides for 《软件安全技术》 (Software Security Technology)
This resource is the PPT slide deck for the book 《软件安全技术》, 14 chapters in total
China Machine Press (机械工业出版社), published August 2018
Chapter 1 Overview of Software Security
1.1 The importance of software security
[Case 1] Zero-day attacks, cyber warfare and software security
[Case 1: discussion and analysis]
1.2 Security threats facing software
1.2.1 Software vulnerabilities
1.2.2 Malicious code
1.2.3 Software infringement
1.3 The concept of software security
1.3.1 Some definitions of software security
1.3.2 Understanding software security through the basic attributes of information security
1.3.3 Distinguishing related software security concepts
1.4 Research areas of software security
1.4.1 Software security as an essential part of information security assurance
1.4.2 Main methods and techniques of software security
1.5 Thinking and practice
1.6 Learning objectives check
Chapter 2 Overview of Software Vulnerabilities
2.1 The concept of software vulnerabilities
2.1.1 Information security vulnerabilities
2.1.2 Software vulnerabilities
2.1.3 Analysis of the causes of software vulnerabilities
2.2 Standardized management of software vulnerabilities
2.2.1 Classification of software vulnerabilities
2.2.2 Severity rating of software vulnerabilities
2.2.3 International standards for software vulnerability management
2.2.4 Chinese national standards for software vulnerability management
2.3 Reflections on vulnerability control
[Case 2-1] The crimes and punishments of white-hat hackers
[Case 2-2] The Alibaba "mooncake gate" incident
[Cases 2-1 and 2-2: discussion and analysis]
2.4 Thinking and practice
2.5 Learning objectives check
Chapter 3 Analysis of Typical Windows Vulnerabilities
3.1 Memory vulnerabilities
3.1.1 Memory layout and buffer overflows
3.1.2 Stack overflow vulnerabilities and exploitation analysis
3.1.3 Heap overflow vulnerabilities and exploitation analysis
3.1.4 Format string vulnerabilities and exploitation analysis
3.2 Analysis of Windows vulnerability protection mechanisms
3.2.1 The /GS stack overflow detection option
3.2.2 Data Execution Prevention (DEP)
3.2.3 Address Space Layout Randomization (ASLR)
3.2.4 Safe Structured Exception Handling (SafeSEH)
3.2.5 Enhanced Mitigation Experience Toolkit (EMET)
[Case 3] Applying Windows vulnerability protection techniques
[Case 3: discussion and analysis]
3.3 Thinking and practice
3.4 Learning objectives check
Chapter 4 Web Vulnerability Analysis
4.1 Web fundamentals
4.1.1 Basic Web architecture
4.1.2 Analysis of a single Web request
4.2 Overview of Web vulnerabilities
4.3 SQL injection vulnerabilities
4.3.1 Vulnerability principles and exploitation
4.3.2 Basic protective measures
[Case 4-1] Source-level analysis of a SQL injection vulnerability
[Case 4-1: discussion and analysis]
4.4 XSS (cross-site scripting) vulnerabilities
……
Chapter 5 Software Security Development Models
Chapter 6 Software Security Requirements Analysis
Chapter 7 Secure Software Design
Chapter 8 Secure Coding
Chapter 9 Software Security Testing
Chapter 10 Secure Software Deployment
Chapter 11 Fundamentals of Malicious Code Analysis
Chapter 12 Malicious Code Prevention and Control
Chapter 13 Open Source Software and Its Security
Chapter 14 Software Intellectual Property Protection
References
C Coding Standard (2016 Edition)
CERT C coding standard: rules for developing safe and reliable systems;
PDF format; English; published by CERT in 2016
Latest PPT slides for 《信息安全案例教程》 (Information Security Case Tutorial), updated August 2016
Latest PPT slides for 《信息安全案例教程:技术与应用》 (Information Security Case Tutorial: Technology and Applications), updated August 2016
The book was published by China Machine Press (机械工业出版社) in 2015
Core Software Security: Security at the Source
PDF e-book
Publisher: Auerbach Publications (December 9, 2013)
Language: English
ISBN: 1466560959
Table of contents
Introduction
The Importance and Relevance of Software Security
Software Security and the Software Development Lifecycle
Quality Versus Secure Code
The Three Most Important SDL Security Goals
Threat Modeling and Attack Surface Validation
Chapter Summary: What to Expect from This Book
References
The Secure Development Lifecycle
Overcoming Challenges in Making Software Secure
Software Security Maturity Models
ISO/IEC 27034 - Information Technology - Security Techniques - Application Security
Other Resources for SDL Best Practices
SAFECode
U.S. Department of Homeland Security
Software Assurance Program
National Institute of Standards and Technology
MITRE Corporation Common Computer Vulnerabilities and Exposures
SANS Institute Top Cyber Security Risks
U.S. Department of Defense Cyber Security and Information Systems Information Analysis Center (CSIAC)
CERT, Bugtraq, and SecurityFocus
Critical Tools and Talent
The Tools
The Talent
Principles of Least Privilege
Privacy
The Importance of Metrics
Mapping the Security Development Lifecycle to the Software Development Lifecycle
Software Development Methodologies
Waterfall Development
Agile Development
Chapter Summary
References
Security Assessment (A1): SDL Activities and Best Practices
Software Security Team Is Looped in Early
Software Security Hosts a Discovery Meeting
Software Security Team Creates an SDL Project Plan
Privacy Impact Assessment (PIA) Plan Initiated
Security Assessment (A1) Key Success Factors and Metrics
Key Success Factors
Deliverables
Metrics
Chapter Summary
References
Architecture (A2): SDL Activities and Best Practices
A2 Policy Compliance Analysis
SDL Policy Assessment and Scoping
Threat Modeling/Architecture Security Analysis
Threat Modeling
Data Flow Diagrams
Architectural Threat Analysis and Ranking of Threats
Risk Mitigation
Open-Source Selection
Privacy Information Gathering and Analysis
Key Success Factors and Metrics
Key Success Factors
Deliverables
Metrics
Chapter Summary
References
Design and Development (A3): SDL Activities and Best Practices
A3 Policy Compliance Analysis
Security Test Plan Composition
Threat Model Updating
Design Security Analysis and Review
Privacy Implementation Assessment
Key Success Factors and Metrics
Key Success Factors
Deliverables
Metrics
Chapter Summary
References
Design and Development (A4): SDL Activities and Best Practices
A4 Policy Compliance Analysis
Security Test Case Execution
Code Review in the SDLC/SDL Process
Security Analysis Tools
Static Analysis
Dynamic Analysis
Fuzz Testing
Manual Code Review
Key Success Factors
Deliverables
Metrics
Chapter Summary
References
Ship (A5): SDL Activities and Best Practices
A5 Policy Compliance Analysis
Vulnerability Scan
Penetration Testing
Open-Source Licensing Review
Final Security Review
Final Privacy Review
Key Success Factors
Deliverables
Metrics
Chapter Summary
References
Post-Release Support (PRSA1–5)
Right-Sizing Your Software Security Group
The Right Organizational Location
The Right People
The Right Process
PRSA1: External Vulnerability Disclosure Response
Post-Release PSIRT Response
Post-Release Privacy Response
Optimizing Post-Release Third-Party Response
PRSA2: Third-Party Reviews
PRSA3: Post-Release Certifications
PRSA4: Internal Review for New Product Combinations or Cloud Deployments
PRSA5: Security Architectural Reviews and Tool-Based Assessments of Current, Legacy, and M&A Products and Solutions
Legacy Code
Mergers and Acquisitions (M&As)
Key Success Factors
Deliverables
Metrics
Chapter Summary
References
Applying the SDL Framework to the Real World
Introduction
Build Software Securely
Produce Secure Code
Manual Code Review
Static Analysis
Determining the Right Activities for Each Project
The Seven Determining Questions
Architecture and Design
Testing
Functional Testing
Dynamic Testing
Attack and Penetration Testing
Independent Testing
Agile: Sprints
Key Success Factors and Metrics
Secure Coding Training Program
Secure Coding Frameworks (APIs)
Manual Code Review
Independent Code Review and Testing (by Experts or Third Parties)
Static Analysis
Risk Assessment Methodology
Integration of SDL with SDLC
Development of Architecture Talent
Metrics
Chapter Summary
References
Pulling It All Together: Using the SDL to Prevent Real-World Threats
Strategic, Tactical, and User-Specific Software Attacks
Strategic Attacks
Tactical Attacks
User-Specific Attacks
Overcoming Organizational and Business Challenges with a Properly Designed, Managed, and Focused SDL
Software Security Organizational Realities and Leverage
Overcoming SDL Audit and Regulatory Challenges with Proper Governance Management
Future Predictions for Software Security
The Bad News
The Good News
Conclusion
References
Appendix
Index
PPT slides for 《信息安全案例教程》 (Information Security Case Tutorial)
Slide deck for the book 《信息安全案例教程》
China Machine Press (机械工业出版社), published April 2015
Managing an Information Security and Privacy Awareness and Training Program
Managing an Information Security and Privacy Awareness and Training Program, 2nd edition, English e-book
PDF format
544 pages
Media reviews
The first edition was outstanding. The new second edition is even better - an excellent textbook packed with sound advice and loads of tips to make your security awareness program pull its weight... engaging and stimulating, easy to read yet at the same time thought-provoking. ... chock-full of good ideas, not just theoretical concepts but solid practical advice that can be put to use immediately. A side effect is that there are lots of lists, tables and bullet points but they are well structured and succinctly summarize the key points. ...an excellent reference text. Extensive appendices (130 pages) include sample awareness materials and plans, a security glossary, various checklist/questionnaires and references. This is the definitive and indispensable guide for information security and privacy awareness and training professionals, worth every cent. As with the first edition, we recommend it unreservedly. -NoticeBored.com
This book is remarkable because it covers in detail all the facets of providing effective security awareness training...I can, without reservation, recommend use of this book to any organization faced with the need to develop a successful training and awareness program. It surely provides everything you need to know to create a real winner. -Hal Tipton, from the Foreword
Rebecca Herold has the answers in her definitive book on everything everybody needs to know about how to impart security awareness, training, and motivation. Motivation had been missing from the information security lexicon until Herold put it there in most thorough and effective ways ... She demonstrates that security must become a part of job performance rather than being in conflict with job performance... The power of this book also lies in applying real education theory, methods, and practice to teaching security awareness and training ... After reading this book, there is no question about the necessary and important roles of security awareness, training, and motivation. -Donn B. Parker, CISSP, from the Preface
Rebecca Herold, an independent computer security advisor, knows privacy. Not all security consultants do. In her latest book, Managing an Information Security and Privacy Awareness and Training Program, Herold has collected her best advice. -Privacy Journal
... perfect for lay and professional audiences, this is a guide not for implementing technical necessities but for getting everybody in an organization on board. -Journal of Productive Innovation
About the author
Rebecca Herold, LLC, Van Meter, Iowa, USA
Network Forensics: Tracking Hackers through Cyberspace
This resource is Network Forensics: Tracking Hackers through Cyberspace
English e-book, PDF format, 576 pages
Publisher: Prentice Hall; 1 edition (June 23, 2012)
Language: English
The Chinese translation 《黑客大追踪:网络取证核心原理与实践》 was published by Publishing House of Electronics Industry (电子工业出版社) in December 2014
Software Similarity and Classification
PDF document, 96 pages
Published by Springer, 2012
Web Application Defender's Cookbook: Battling Hackers and Protecting Users
Format: English PDF
Pages: 554
Author: Ryan Barnett (US)
Chinese translation: 《网站安全攻防秘笈:防御黑客和保护用户的100条超级策略》
The Chinese translation was published in September 2014
Translator: 许鑫城
Publisher: China Machine Press (机械工业出版社)
ISBN: 9787111478034
Listed: 2014-9-26
Chinese table of contents and other details: http://product.china-pub.com/3804118
CYBERDETERRENCE AND CYBERWAR
Title: CYBERDETERRENCE AND CYBERWAR
Author: MARTIN C. LIBICKI
Chinese translation: 兰德报告-美国如何打赢网络战争 (RAND report: how the United States can win a cyberwar)
The Chinese translation was published by 东方出版社 (Oriental Publishing House) in August 2013
This resource is the English PDF, 240 pages
Preface
Summary
List of abbreviations
Chapter 1 Introduction
Purpose
Basic concepts and organization
Chapter 2 A Conceptual Framework
The mechanisms of cyberspace
External threats
Internal threats
Defining cyberattack
Defining cyberdeterrence
Chapter 3 Why Cyberdeterrence Is Different
Do we know who the attacker is?
Can we hold their assets at risk?
Can we strike an adversary repeatedly?
If retaliation does not deter, can it at least disarm?
Will third parties join the fight?
Does retaliation send the right message to our own side?
Do we have a threshold for response?
Can we avoid escalation?
What if the attacker has little worth hitting?
Yet the will to retaliate is more credible in cyberspace
Good defenses add further credibility to deterrence
Chapter 4 Why the Purpose of the Original Cyberattack Matters
Error
Coercion
Force
Other
Implications
Chapter 5 A Strategy of Response
Should the target reveal the cyberattack?
When should attribution be announced?
Should cyber retaliation be obvious?
Is retaliation "better late than never"?
Retaliating against freelance hackers tolerated by other governments
What about retaliating against CNE (computer network exploitation)?
Can deterrence policy be extended to allies?
Should a cyberdeterrence policy be explicit?
Can a policy of indifference defeat the attacker's strategy?
Responses other than retaliation
The attacker's perspective
Signaling a ceasefire
Chapter 6 Strategic Cyberwar
The purpose of cyberwar
The plausibility of cyberwar
The limits of cyberwar
The conduct of cyberwar
Cyberwar as a deterrent to cyberwar
Preserving a second-strike capability
Covert cyberwar?
The government's role in defending against cyberwar
Managing the effects of cyberwar
Terminating cyberwar
Conclusions
Chapter 7 Tactical Cyberwar
Cyberwar as a bolt from the blue
Dampening enthusiasm for network-centric warfare
Attacks on civilian targets
Organizing cyberwar within a war
Conclusions
Chapter 8 Cyberdefense
The goal of cyberdefense
Architecture
Policy
Strategy
Operations
Summary
Chapter 9 Tricky Terrain
Appendix A What constitutes an act of war in cyberspace?
Appendix B The calculus of explicit versus implicit deterrence
Appendix C The dim prospects for cyber arms control
Acknowledgments
Machine Learning in Cyber Trust: Security, Privacy, and Reliability
E-book, PDF format
Many networked computer systems are far too vulnerable to cyber attacks that can inhibit their functioning, corrupt important data, or expose private information. Not surprisingly, the field of cyber-based systems is a fertile ground where many tasks can be formulated as learning problems and approached in terms of machine learning algorithms. This book contains original materials by leading researchers in the area and covers applications of different machine learning methods in the reliability, security, performance, and privacy issues of cyber space. It enables readers to discover what types of learning methods are at their disposal, summarizing the state-of-the-practice in this significant area, and giving a classification of existing work. Those working in the field of cyber-based systems, including industrial managers, researchers, engineers, and graduate and senior undergraduate students will find this an indispensable guide in creating systems resistant to and tolerant of cyber attacks.
Windows Internals, 6th Edition, Part 2
English PDF, 645 pages, 22 MB
Chinese title: 深入解析Windows操作系统 (6th edition, Part 2)
Original title: Windows Internals: Covering Windows Server 2008 R2 and Windows 7, 6th Edition
Authors: Mark E. Russinovich, David A. Solomon, Alex Ionescu
Category: Software
Format: PDF
iOS Forensic Analysis: for iPhone, iPad and iPod Touch
This resource is an English PDF, 372 pages
Publisher: Apress; 1 edition (December 27, 2010)
The Chinese translation 《iOS取证分析》 was published by Publishing House of Electronics Industry (电子工业出版社) in August 2012
Main contents:
How to respond to security incidents involving iOS devices
How to acquire and analyze data on iOS devices such as iPhone and iPad
How to analyze media exploitation on iOS devices
Windows Internals, 6th Edition, Part 1 (深入解析Windows操作系统 第6版 第1部)
English PDF, 730 pages, 25 MB
Windows Internals: Covering Windows Server 2008 R2 and Windows 7, Part 1, 6th Edition
Chinese title: 深入解析Windows操作系统 (6th edition, Part 1)
The 6th edition was published in two volumes; Volume 1 came out in March 2012
Authors: Mark E. Russinovich, David A. Solomon, Alex Ionescu
Volume 1 contents:
CHAPTER 1 Concepts and Tools
CHAPTER 2 System Architecture
CHAPTER 3 System Mechanisms
CHAPTER 4 Management Mechanisms
CHAPTER 5 Processes, Threads, and Jobs
CHAPTER 6 Security
CHAPTER 7 Networking
A Guide to Computer Network Security
Chinese translation: 《计算机网络安全概论》
Author: Joseph Migga Kizza (US)
Translators: 陈向阳, 胡征兵, 王海晖
Publication date: 2012-6-1
Publisher: Publishing House of Electronics Industry (电子工业出版社); ISBN: 9787121152207
Price: ¥45.00
Hacking and Securing iOS Applications
By Jonathan Zdziarski
Hacking and Securing iOS Applications, e-book
Professional iPhone and iPad Application Development
This resource is the English PDF of Professional iPhone and iPad Application Development
Published by Wrox, 2011
The Chinese translation 《iPhone & iPad高级编程》 was published in January 2012
Translators: 岳红, 凌冲
Publisher: Tsinghua University Press (清华大学出版社)
ISBN: 9787302274452
Security Engineering: A Guide to Building Dependable Distributed Systems (2nd edition)
Security Engineering: A Guide to Building Dependable Distributed Systems, Second Edition
Publisher: Wiley
Total pages: 1082
Author: Ross Anderson (UK)
Chinese translation published by Tsinghua University Press (清华大学出版社) in January 2012; translators: 齐宁, 韩智文, 刘国萍
Sample download of the first three chapters: http://product.china-pub.com/194722#xgzy
CISSP Certification Exam Guide (4th edition), Chinese version
CISSP Certification Exam Guide (4th edition), Chinese e-book
Science Press (科学出版社), published 2009
Lucene原理与代码分析 (Lucene: Principles and Code Analysis), complete edition
Thanks to 觉先; everyone should visit his blog regularly: http://www.cnblogs.com/forfuture1978/archive/2010/06/13/1757479.html
精通正则表达式 (Mastering Regular Expressions), 3rd edition, Chinese PDF, by Jeffrey E. F. Friedl (US), part 3
精通正则表达式 (Mastering Regular Expressions), 3rd edition, Chinese PDF, by Jeffrey E. F. Friedl (US), part 2
精通正则表达式 (Mastering Regular Expressions), 3rd edition, Chinese PDF, by Jeffrey E. F. Friedl (US), part 1
Slides for 《计算机系统安全原理与技术(第2版)》 (Principles and Technologies of Computer System Security, 2nd edition)
《计算机系统安全原理与技术(第2版)》
China Machine Press (机械工业出版社), published 2009