Software Security: Theory and Practice (软件安全理论与实践)
This book follows the software life cycle as its organizing thread. Guided by software security risk assessment, risk control techniques, software security assessment metrics, and software security capability maturity metrics, it integrates security concepts, security models, and security methods with common software process models, and systematically introduces the principles and methods for assuring software security at every stage of development, including the workflows and common methods of security requirements analysis, secure design, secure coding, security testing, and secure configuration and software hardening during deployment and operations. It is intended as comprehensive guidance for secure software development and as a means of building security awareness among developers, with the aim of reducing or eliminating software security problems, improving the attack resistance and trustworthiness of software, and supporting the adoption of software across domains and industries. The book is suitable for undergraduates in computer science and technology, software engineering, cyberspace security, and information security, as well as other students and practitioners involved in software development.
Zhang Renbin (张仁斌) is an associate professor in the School of Computer Science and Information Engineering at Hefei University of Technology. In 2004 he took part in building the university's newly established Information Security program and taught the course Computer Viruses and Anti-Virus; he has since lectured or supervised practical work in Computer Network Systems Practice, Network Engineer Comprehensive Training, Software Security, Introduction to Information Security, System and Software Security Comprehensive Design, and other courses. He is chief editor of one national "Eleventh Five-Year Plan" textbook (Computer Viruses and Anti-Virus Technology, first editor) and one Anhui provincial "Eleventh Five-Year Plan" textbook (Practical Course Series on Network and Information Security, second editor), and has contributed to two further textbooks. He has led the Anhui Provincial Department of Education teaching research project "Teaching Research and Practice in Computer Viruses and Network Attack and Defense" and the virtual simulation experimental teaching project "Virtual Simulation Experimental Teaching of Industrial Control Network Attack and Defense"; he has led 8 Anhui provincial annual key projects, taken part in 13 provincial and municipal science and technology research projects and 863 Program projects, and published more than 20 academic papers.
Contents (page numbers refer to the printed book)

Chapter 1 Software and Software Security ...... 1
  1.1 Scope of software security ...... 1
    1.1.1 Definitions of software and software security ...... 1
    1.1.2 Software defects and vulnerabilities ...... 3
    1.1.3 Classification of software vulnerabilities ...... 6
    1.1.4 Relationship between software security and other kinds of security ...... 12
  1.2 Current state of software security ...... 15
    1.2.1 Overall situation of software security ...... 15
    1.2.2 Security status of system software ...... 17
    1.2.3 Security status of application software ...... 18
    1.2.4 Security status of open-source software ...... 19
  1.3 Root causes of security incidents ...... 21
    1.3.1 Software vulnerabilities as the focus of security problems ...... 21
    1.3.2 Causes of software vulnerabilities ...... 24
  1.4 Approaches and methods for mitigating software security problems ...... 27
    1.4.1 Basic strategies for mitigating software security problems ...... 27
    1.4.2 Engineering methods for mitigating software security problems ...... 28
    1.4.3 Standardization and normalization as the way to solve software security problems ...... 29
    1.4.4 Technical explorations and initiatives for mitigating software security problems ...... 31
  Practical tasks ...... 34
    Task 1: Relative path attack ...... 34
    Task 2: SQL injection attack ...... 35
  Review questions ...... 35

Chapter 2 Engineering Approaches to Software Security ...... 36
  2.1 Overview of software engineering ...... 36
    2.1.1 Evolution of software ...... 36
    2.1.2 The software crisis ...... 37
    2.1.3 Software engineering ...... 38
    2.1.4 Software life cycle ...... 40
  2.2 Software process models ...... 43
    2.2.1 Waterfall model ...... 44
    2.2.2 Rapid prototyping model ...... 45
    2.2.3 Incremental model ...... 46
    2.2.4 Spiral model ...... 47
    2.2.5 Microsoft MSF process model ...... 48
  2.3 Software quality and the security attributes of software ...... 49
    2.3.1 Software quality ...... 50
    2.3.2 Security attributes of software ...... 52
    2.3.3 Relationship between software security attributes and software quality ...... 53
    2.3.4 Determining the required security attributes ...... 54
    2.3.5 Improving the security attributes of software ...... 55
    2.3.6 Functional safety, security functions, and software security ...... 59
  2.4 Software security process models ...... 59
    2.4.1 Microsoft SDL model ...... 60
    2.4.2 Security touchpoints process model ...... 64
    2.4.3 Recommendations for implementing a software security process ...... 68
  2.5 A first experience of secure software development ...... 72
    2.5.1 Account security ...... 72
    2.5.2 Simple password verification and an example of cracking it ...... 74
    2.5.3 Arbitrariness of user operations ...... 77
  Practical tasks ...... 80
    Task 1: Network sniffing and HTTPS configuration ...... 80
    Task 2: MD5 with dynamic salt for tamper-proofing ...... 80
    Task 3: Brute-forcing login passwords ...... 81
  Review questions ...... 82

Chapter 3 Software Security Risk Management ...... 82
  3.1 Basic risk management process and methods ...... 82
    3.1.1 Definition of risk management ...... 82
    3.1.2 Basic elements of software security risk assessment and their relationships ...... 83
    3.1.3 Basic workflow of software security risk assessment ...... 85
    3.1.4 Manual assessment and tool-assisted assessment ...... 89
    3.1.5 Risk control ...... 90
  3.2 Software security risk assessment ...... 90
    3.2.1 Assessment preparation ...... 91
    3.2.2 Software security risk identification ...... 93
    3.2.3 Software security risk analysis ...... 95
    3.2.4 Threat rating based on the DREAD model ...... 97
    3.2.5 Standards-based vulnerability severity rating ...... 99
    3.2.6 Software security risk assessment based on formal methods ...... 103
  3.3 Software security risk control ...... 108
    3.3.1 Security risk control based on a risk management framework ...... 108
    3.3.2 Security risk control based on software project risk management ...... 111
    3.3.3 Software supply chain security risk control ...... 111
  3.4 Software security capability maturity models ...... 112
    3.4.1 Security capability maturity model ...... 113
    3.4.2 Software Assurance Maturity Model ...... 117
    3.4.3 Building Security In Maturity Model ...... 125
    3.4.4 Systems Security Engineering Capability Maturity Model ...... 129
  Practical tasks ...... 137
    Task 1: Survey of the web security landscape and analysis of Web Application Firewall (WAF) principles ...... 137
    Task 2: Study of the CWE "Software Development View" (CWE-699) ...... 138
  Review questions ...... 138

Chapter 4 Software Requirements and Security Requirements ...... 139
  4.1 Software requirements and requirements engineering ...... 139
    4.1.1 Definition and classification of software requirements ...... 139
    4.1.2 Overview of requirements engineering ...... 143
    4.1.3 Security requirements engineering ...... 144
  4.2 Requirements elicitation ...... 145
    4.2.1 Requirements elicitation process ...... 145
    4.2.2 Sources for eliciting security requirements ...... 147
    4.2.3 Basic methods for extracting security requirements ...... 150
  4.3 Requirements analysis and modeling ...... 150
    4.3.1 Tasks of analysis modeling ...... 150
    4.3.2 Basic methods of requirements analysis ...... 151
    4.3.3 Strategies and methods for security requirements analysis ...... 157
    4.3.4 Security requirements analysis based on misuse cases and abuse cases ...... 169
  4.4 Requirements definition and requirements validation ...... 173
    4.4.1 Requirements definition ...... 173
    4.4.2 Requirements validation ...... 176
  4.5 Introduction to security quality requirements engineering ...... 178
  4.6 Requirements change and its risk control ...... 180
    4.6.1 Requirements change ...... 180
    4.6.2 Negative impacts of requirements change ...... 181
    4.6.3 Risk control for requirements change ...... 182
  Practical tasks ...... 182
    Task 1: Structured requirements analysis ...... 182
    Task 2: Security requirements analysis based on misuse cases ...... 183
  Review questions ...... 183

Chapter 5 Secure Design ...... 184
  5.1 Overview of software design ...... 184
    5.1.1 Basic concepts of software design ...... 184
    5.1.2 Software preliminary design ...... 184
    5.1.3 Software detailed design ...... 191
  5.2 Secure design and its principles ...... 191
    5.2.1 Goals and content of secure design ...... 191
    5.2.2 Secure design principles ...... 192
    5.2.3 Drawing up a security plan ...... 196
  5.3 Security policies and security models ...... 197
    5.3.1 Multilevel security policies ...... 197
    5.3.2 Commercial security policies ...... 198
    5.3.3 Security models ...... 199
    5.3.4 Access control for cloud computing ...... 201
  5.4 Threat modeling ...... 201
    5.4.1 Role of threat modeling ...... 201
    5.4.2 Threat modeling methods ...... 202
    5.4.3 Threat modeling process ...... 207
    5.4.4 Threat modeling example ...... 210
  5.5 Reuse-based software security design ...... 216
    5.5.1 Reuse of attack trees and their mitigations ...... 216
    5.5.2 Software design based on security patterns ...... 216
    5.5.3 Design of common security functions ...... 217
  5.6 Functional safety design based on fault-tolerance techniques ...... 223
    5.6.1 Software fault tolerance ...... 223
    5.6.2 Fault-tolerance-based anti-attack measures ...... 225
  5.7 Software architecture and secure design analysis ...... 226
    5.7.1 Software architecture ...... 226
    5.7.2 Software architecture reuse ...... 230
    5.7.3 Security architecture ...... 234
    5.7.4 Architecture analysis and secure design analysis ...... 238
    5.7.5 Common secure design problems ...... 240
  Practical tasks ...... 240
    Task 1: Structured design and threat modeling ...... 240
    Task 2: Security architecture design ...... 241
    Task 3: Access control design ...... 241
  Review questions ...... 242

Chapter 6 Secure Coding and Code Review ...... 243
  6.1 Overview of software coding ...... 243
    6.1.1 Software coding ...... 243
    6.1.2 Coding standards ...... 244
    6.1.3 Code inspection ...... 246
  6.2 Secure coding standards ...... 247
    6.2.1 Secure coding recommendations ...... 247
    6.2.2 National standard for secure programming of application software ...... 250
    6.2.3 SEI CERT secure coding standards ...... 257
    6.2.4 ISO/IEC C secure coding rules ...... 269
    6.2.5 Secure coding rules for specific industry domains ...... 270
  6.3 Secure coding process management and code security review ...... 273
    6.3.1 Secure coding process management ...... 273
    6.3.2 Static security analysis of source code ...... 274
    6.3.3 Code security review ...... 278
  Practical tasks ...... 281
    Task 1: Implementing a secure login module ...... 281
    Task 2: Code security analysis ...... 282
    Task 3: ASLR, DEP, and stack protection ...... 282
  Review questions ...... 283

Chapter 7 Software Testing and Security Analysis ...... 284
  7.1 Software testing ...... 284
    7.1.1 Software testing and its objectives ...... 284
    7.1.2 Basic principles of software testing ...... 285
    7.1.3 Classification of software testing ...... 286
    7.1.4 Software testing process ...... 289
    7.1.5 Software testing process models ...... 291
  7.2 Software security testing ...... 293
    7.2.1 Security testing and how it differs from traditional testing ...... 294
    7.2.2 Classification of software security testing ...... 295
    7.2.3 Basic workflow of software security testing ...... 300
  7.3 Binary program security analysis ...... 303
    7.3.1 Syntax, semantics, and binary program analysis ...... 304
    7.3.2 Common techniques for binary code analysis ...... 307
    7.3.3 Binary code similarity analysis ...... 309
  7.4 Typical software security testing techniques ...... 312
    7.4.1 Overview of typical security testing techniques ...... 312
    7.4.2 Fuzz testing ...... 313
    7.4.3 Penetration testing ...... 319
  7.5 Software security compliance auditing ...... 321
  Practical tasks ...... 321
    Task 1: Web vulnerability scanning with AWVS ...... 321
    Task 2: Fuzz testing with AFL ...... 322
  Review questions ...... 323

Chapter 8 Software Deployment, Operations, and Software Protection ...... 324
  8.1 Software deployment and secure configuration ...... 324
    8.1.1 Software deployment ...... 324
    8.1.2 Secure configuration ...... 325
    8.1.3 Containerized deployment of applications ...... 326
  8.2 System operations and incident response ...... 327
    8.2.1 System operations ...... 327
    8.2.2 Incident response ...... 328
  8.3 Software protection and software hardening ...... 330
    8.3.1 Software anti-reverse-engineering ...... 330
    8.3.2 Software tamper-proofing ...... 333
    8.3.3 Software copyright protection ...... 335
    8.3.4 Software hardening ...... 336
  Practical tasks ...... 338
    Task 1: Secure release of JavaScript code for web applications ...... 338
    Task 2: Apache HTTP Server secure configuration ...... 338
  Review questions ...... 339

References ...... 340