BKISESWE.RVW   20080209

"Integrating Security and Software Engineering", Haralambos Mouratidis/Paolo Giorgini, 2007, 1-59904-147-2, U$94.95
%E   Haralambos Mouratidis
%E   Paolo Giorgini
%C   Suite 200 701 E. Chocolate Ave., Hershey, PA   17033-1117
%D   2007
%G   1-59904-147-2
%I   IRM Press/Idea Group/IGI Global
%O   U$94.95 800-345-432 717-533-8845 cust@idea-group.com
%O   http://www.amazon.com/exec/obidos/ASIN/1599041472/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1599041472/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1599041472/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   288 p.
%T   "Integrating Security and Software Engineering"

In the preface, the editors state that, with this collection of papers, they are attempting to provide a work that will narrow the gap between software developers, who do not know or care much about security, and security experts, who only deal in theoretical matters. I'm sure a number of security experts would be surprised to hear that last point.

Chapter one is a review of a few papers on secure software engineering.

Section one deals with security engineering requirements. Chapter two suggests defining and checking security through formal and abstract (and therefore theoretical) methods. A standard breakdown of the process of determining requirements is called a "method" in chapter three. A system for graphically representing social relationships is used, in chapter four, to diagram a potential security problem.

Section two considers the use of software pattern models for secure development. Chapter five presents a generic view of the first few phases of a standard system development cycle. More graphical representation is given in chapter six, but the explanation is even more limited than in the previous paper, and the relation to security engineering even more tenuous.

Section three moves on to modelling languages and methodologies for secure software development.
Chapter seven discusses the extension of security controls to agile development methods, but seems to recommend limiting security considerations to a subset of development, which is almost a blueprint for ensuring that security vulnerabilities will be created in the resulting applications. The graphical representation scheme described in chapter eight is based on (and, in fact, explains more effectively) the system from chapter four, but seems to be limited to access control issues in complex database environments. A structure for documenting security issues that have been separately identified is outlined in chapter nine. (The method may have some uses in quantitative risk analysis.) A method for chronicling access control in object-oriented systems is given in chapter ten. In the paper that makes up chapter eleven, the authors properly point out that new approaches are needed for the extreme complexities of the modern computing environment (including emergent properties of interacting systems, which they refer to as "ambient intelligence"), but they are only proposing that a new mechanism be created, rather than proposing any solution. (The text is also ragged and difficult to read in places, from both problems in grammar and missing words.)

Chapter twelve is a terse and generic review of a few issues in security.

The papers do present some interesting points for consideration, but in very limited topics and areas. The security of software engineering is not addressed comprehensively. The two groups of software developers and security professionals will find little in this book to assist them in their separate endeavors, let alone bringing them closer together.

copyright Robert M. Slade, 2008