19 Deadly Sins of Software Security (Security One-off)

by Michael Howard, David LeBlanc, and John Viega
Sales Rank: 121590
4.5 out of 5 stars
$27.71
At Amazon
on 9-27-2008.
Features
  • Cover Type: Paperback with 304 pages
  • Published by: McGraw-Hill Osborne Media
  • Edition: 1st Edition July 26, 2005
  • Written in: English
  • ISBN 10 Number: 0072260858
  • ISBN 13 Number: 978-0072260854
  • Book Dimensions: 9.1 x 7.3 x 0.8 inches
  • Weighs: 1.1 pounds

Product Description


This essential book for all software developers--regardless of platform, language, or type of application--outlines the “19 deadly sins” of software security and shows how to fix each one. Best-selling authors Michael Howard and David LeBlanc, who teach Microsoft employees how to secure code, have partnered with John Viega, the man who uncovered the 19 deadly programming sins, to write this much-needed book. Coverage includes:
  • Windows, UNIX, Linux, and Mac OS X
  • C, C++, C#, Java, PHP, Perl, and Visual Basic
  • Web, small client, and smart-client applications


Back Cover Copy


“Ninety-five percent of software bugs are caused by the same 19 programming flaws.” —Amit Yoran, Former Director of The Department of Homeland Security’s National Cyber Security Division

Secure your software by eliminating code vulnerabilities from the start. This essential book for all software developers--regardless of platform, language, and type of application--outlines the 19 sins of software security and shows how to fix each one. Best-selling authors Michael Howard and David LeBlanc, who teach Microsoft employees how to write secure code, have partnered with John Viega, the man who uncovered the 19 deadly programming sins, to write this hands-on guide. Detailed code examples throughout show the code defects as well as the fixes and defenses. If you write code, you need this book. Eliminate these security flaws from your code:
  • Buffer overruns
  • Format string problems
  • Integer overflows
  • SQL injection
  • Command injection
  • Failure to handle errors
  • Cross-site scripting
  • Failure to protect network traffic
  • Use of magic URLs and hidden forms
  • Improper use of SSL
  • Use of weak password-based systems
  • Failure to store and protect data securely
  • Information leakage
  • Trusting network address resolution
  • Improper file access
  • Race conditions
  • Unauthenticated key exchange
  • Failure to use cryptographically strong random numbers
  • Poor usability


Michael Howard, CISSP, is an architect of the security process changes at Microsoft and a co-author of Processes to Produce Secure Software, published by the Department of Homeland Security’s National Cyber Security Division. He is a Senior Security Program Manager in the Security Engineering Group at Microsoft Corporation and co-author of Writing Secure Code (Microsoft Press). David LeBlanc, Ph.D., is Chief Software Architect for Webroot Software, and was formerly Security Architect in the Office group at Microsoft. He is co-author of Writing Secure Code. John Viega is the CTO of Secure Software. He first defined the 19 deadly sins of software security for the Department of Homeland Security. He is co-author of many security books including Building Secure Software (Addison-Wesley).

Reader Reviews
I read six books on software security recently, namely "Writing Secure Code, 2nd Ed" by Michael Howard and David LeBlanc; "19 Deadly Sins of Software Security" by Michael Howard, David LeBlanc, and John Viega; "Software Security" by Gary McGraw; "The Security Development Lifecycle" by Michael Howard and Steve Lipner; "High-Assurance Design" by Cliff Berg; and "Security Patterns" by Markus Schumacher, et al. Each book takes a different approach to the software security problem, although the first two focus on coding bugs and flaws; the second two examine development processes; and the last two discuss practices or patterns for improved design and implementation. My favorite of the six is Gary McGraw's, thanks to his clear thinking and logical analysis. The other five are still noteworthy books. All six will contribute to the production of more security software.

The main reason to read 19DS is to quickly become acquainted with various security problems facing software developers. At less than 300 pages, it's not a thick tome like WSC2E. 19DS also is not afraid to mix bugs (coding errors, like buffer overflow conditions) with flaws (design problems, like "failing to protect network traffic.") This sort of lax categorization bothers me (and Gary McGraw, as noted in his book "Software Security"), but it shouldn't interfere with the quality content of 19DS.

Probably the most interesting aspect (to me) of 19DS was sin 10, which discussed problems with Secure Sockets Layer (SSL). The chapter didn't describe algorithmic or protocol problems. Instead, it explained how programmers make poor assumptions about the features provided by their language of choice with respect to SSL. For example, many SSL libraries do not properly validate certificates. Without this functionality, the authors argue that SSL is almost worthless. While I don't necessarily agree with this statement, I really like reading this sort of criticism. I'd like to note that p 134 berates Python's ssl() but ignores pyOpenSSL, which probably provides the features the authors would want.

Other "sins" take slightly different looks at security issues. Sin 17, for example, explains the importance of key exchange AND authentication. These are the sorts of problems I imagine are only discovered by examining multiple real-world implementations, and I value the authors sharing their experiences.

I subtracted one star because the quality of the "sins" isn't even. Some don't adequately explain the problem at hand (e.g., integer overflows). If the authors assume the reader knows the problem well enough to not introduce it properly, then why discuss it at all?

Overall, however, 19DS is a great book to get to your developers. It's short enough that they might actually read it, and the content is presented in a convincing enough manner to perhaps influence their coding choices.


19 Deadly Sins of Software Security (Security One-off)
List Price: $41.99
Available from Amazon
Price: $27.71
Updated on 9-27-2008.
Copyright © 2008, dvddispatcher.com
