Product Description
This essential book for all software developers, regardless of platform, language, or type of application, outlines the “19 deadly sins” of software security and shows how to fix each one. Best-selling authors Michael Howard and David LeBlanc, who teach Microsoft employees how to secure code, have partnered with John Viega, the man who uncovered the 19 deadly programming sins, to write this much-needed book. Coverage includes:
- Windows, UNIX, Linux, and Mac OS X
- C, C++, C#, Java, PHP, Perl, and Visual Basic
- Web, small client, and smart-client applications
#1 by M. J. Hubbell on January 23, 2010 - 9:03 am
Too often, software security is overlooked in the info security infrastructure of most organizations as we focus on network, computer, data, and physical security. That is a luxury organizations can no longer afford. The book gives a great overview of software security issues yet at the same time provides granular examples and solutions that can be readily implemented. Would serve as a great source for training of programmers in code security.
Rating: 5 / 5
#2 by John Matlock on January 23, 2010 - 9:39 am
As anyone who has been around the web for any time at all knows, the web is not exactly a friendly place. The very openness of the web on a worldwide basis makes it very difficult to find the bad guys. This is especially true when countries like China, Nigeria and numerous ’stans from the old Soviet Union don’t seem to care.
The result is that it is left up to the individual to build his own fences, hire his own guards. And use software that is written without the holes that allow the bad guys to come in.
This book started with the Department of Homeland Security’s Cyber Security Division. The director asked John Viega to define the most common well-understood programming mistakes that lead to break ins. The result is this book. The authors say that the rules they followed in writing this book were quite simple:
- Keep it simple — no war stories, no funny anecdotes, just the facts.
- Keep it short — the facts and nothing else.
- Cross platform — because the Internet runs on everything.
- Cross language — because many languages on many platforms are used on the web.
This book is aimed at software developers and outlines the most common and destructive coding sins and how to eradicate them from code before customers use the software.
Rating: 5 / 5
#3 by Danilo Castro Dy on January 23, 2010 - 10:40 am
Software is vitally important to computers as none of these machines will function without the programming that gives them life. It is high time for software developers and application support to understand the importance of software security.
Software security should start at the early stage of its development. But it should NOT stop there, it should be a continual security enhancement.
Though the book covers a lot of areas in software development and provides useful tips, I give it 4 stars as I feel that it lacks advice about the importance of software security during its deployment and testing in the production environment, and about NOT giving up network security over application connectivity/availability, as both can be achieved together if application support and software developers also understand the importance of network security to augment their software security; then both can build a secure production environment.
I highly recommend this book to software developers and application support.
Rating: 4 / 5
#4 by W Boudville on January 23, 2010 - 11:19 am
The authors take an even-handed look across several major languages and point out pitfalls in each. Probably, as a programmer, you have met many of these ideas before, but maybe only in the context of a given language. This book lets you take a metalanguage view.
Consider integer overflows. C# and Visual Basic guard against these. But not Java, C or C++. There are also commonsense recommendations like using unsigned integers when describing things that are intrinsically non-negative, like memory addresses or sizes of memory allocations. Alas, Java does not support unsigned integers.
Cross-site scripting gets a chapter of its own. It is a dangerous phenomenon of the web, where a web page gets user input from the user’s browser, the application does not check this input for malicious content, and it proceeds to send it to a web page. The text might have scripting commands which are then run by the user’s browser. These might mess up the browser or even the user’s computer. Worth checking out.
Rating: 4 / 5
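The cross-site scripting flaw the review above describes, unchecked user input concatenated into a page, shown as an added example in JavaScript beside its fixed form. This is illustration code written for this page, not code from the book or from any of the reviewers; the function names (`renderGreetingUnsafe`, `renderGreetingSafe`, `escapeHtml`, `containsRawTag`) and the sample input are assumptions constructed for it.

```javascript
// Added example (not from the reviewed book or this page): the XSS pattern the
// review describes, shown as a vulnerable renderer beside its fixed form.
// All names here (renderGreetingUnsafe, renderGreetingSafe, escapeHtml,
// containsRawTag, the sample input) are assumptions constructed for this
// illustration.

// Encode the five characters that let text change its meaning inside HTML.
// '&' must be replaced first so already-encoded entities are not double-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: user input is concatenated straight into the page, so any
// markup in the input becomes part of the document and is parsed as HTML.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Fixed: the same template, but the input is HTML-escaped first so the browser
// shows the characters as text instead of parsing them as tags.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Crude detection check used below: does the rendered page still contain a
// raw tag that did not come from the template itself?
function containsRawTag(html) {
  // strip the one element the template emits, then look for any remaining tag
  const body = html.replace(/^<p>/, "").replace(/<\/p>$/, "");
  return /<[a-zA-Z/]/.test(body);
}

// Constructed sample input of the kind the review describes.
const hostileName = 'Bob<script>alert("xss")</script>';

const unsafeHtml = renderGreetingUnsafe(hostileName);
const safeHtml = renderGreetingSafe(hostileName);

console.log("unsafe:", unsafeHtml);
console.log("safe:  ", safeHtml);
console.log("raw tag in unsafe output:", containsRawTag(unsafeHtml)); // true
console.log("raw tag in safe output:  ", containsRawTag(safeHtml));   // false
```

The escaping shown is correct for the HTML text and quoted-attribute context only; input placed into a script block, a URL, or a CSS value needs the encoder for that context, which is why template engines with automatic context-aware escaping are the usual fix rather than hand-written `replace` chains.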
#5 by Jayesh Naithani on January 23, 2010 - 11:49 am
I read the book as part of my Advanced Security course reading at the University of Saint Thomas. It is a short read, with chapters no longer than 10 to 15 pages, application security focused with code examples illustrating some of the issues, and recommendations (with references) for how to address each of the problems.
Overall, a good introduction to information about common security flaws and problems. Recommended for any software developer.
Rating: 4 / 5