Features
- Cover Type: Paperback with 798 pages
- Published by: Microsoft Press; 2 Sub edition January 4, 2003
- Written in: English
- ISBN 10 Number: 0735617228
- ISBN 13 Number: 978-0735617223
-
Book Dimensions:
8.7 x 7.4 x 2 inches
- Weighs: 3 pounds
Product Description
Keep black-hat hackers at bay with the tips and techniques in this entertaining, eye-opening book! Developers will learn how to padlock their applications throughout the entire development process—from designing secure applications to writing robust code that can withstand repeated attacks to testing applications for security flaws. Easily digested chapters reveal proven principles, strategies, and coding techniques. The authors—two battle-scarred veterans who have solved some of the industry’s toughest security problems—provide sample code in several languages. This edition includes updated information about threat modeling, designing a security process, international issues, file-system issues, adding privacy to applications, and performing security code reviews. It also includes enhanced coverage of buffer overruns,
Microsoft® .NET security, and
Microsoft ActiveX® development, plus practical checklists for developers, testers, and program managers.
Publisher Description
No more malicious attacks! Learn the best practices for writing secure code, with samples in
Microsoft Visual Basic®.NET, Visual C++®, Perl, and Visual C#®.
--This text refers to the
Paperback
edition.
Reader ReviewsThe title of the book is misleading to begin with. The book is not about writing secure code. It's about (1) not writing non-secure code and (2) using Windows specific security APIs. (1) Not writing non-secure code. Covers several issues, some more obvious, like buffer overruns and validating user input, some more complex, like escaping URLs and socket security. I thought the book would teach me best practices about organizing code, as in "do like I do". Instead it goes like "don't do like I'm telling you". (2) Using Windows security APIs. This is THE BEST part of the book. Gives you a very good overview about several different APIs, including ACLs, protecting sensitive data, securing DCOM and .NET code, excellent tips on installing programs etc. etc. Keep in mind that this book is said to be used internally within Microsoft with "security pushes", with the audience of 8000 people, including not only developers of all levels, but managers as well, therefore the book is by definition a high level overview. Sometimes the book feels like MS educational course. Ex. (tip on p.77) "I created the ... diagrams ... using ... Microsoft Visio Professional 2002". That's cool, but what does it have to do with security ? Some topics should never be there. How about 3 pages of tips for a kernel driver writer ? It's a huge topic in itself and how many readers outside MS do this anyway ? Privacy issues are covered idealistically. Yeah, sure, if you put a specially crafted XML to the special place on your site, the users magically start trusting you... I'd better read about real situation with privacy, not how the government rules it to be. Oh, and how about forty pages about cryptography ? Please... The book tries to show you the security process with development and testing. I can easily see they use this process in Microsoft, with 8000 people. For a small team it's completely useless. How about using 4 (!) people for a code review ? Sure, upon reading this book you will know that security code review is a must (if you have enough resources). Didn't you know that before ? The code samples are ugly. How about this: "... X is cool ... several pages of Perl (!) ... see what I mean ?". Ok, one of the authors admits to be a Perl fan, but how am I supposed to read through all this gibberish ? C(++) samples are not much better. May be they are fully functional and compilable and all, but please, they are huge and inconsistent in themselves. All in all, 5 stars for Microsoft, 3 stars for the rest of the world.
Search for books at
