Book Review - 19 Deadly Sins Of Software Security
Category Book Reviews
With the continual alerts and patches for software vulnerabilities, it may appear that there is no way to write secure software. While I agree there are no "absolutes" when it comes to secure software, there are ways to greatly reduce your potential of writing software that can be exploited. 19 Deadly Sins Of Software Security - Programming Flaws and How To Fix Them by Michael Howard, David LeBlanc, and John Viega does an excellent job in helping you focus in on this subject...
Content: Buffer Overruns; Format String Problems; Integer Overflows; SQL Injection; Command Injection; Failing To Handle Errors; Cross-Site Scripting; Failing To Protect Network Traffic; Use Of Magic URLs And Hidden Form Fields; Improper Use Of SSL And TLS; Use Of Weak Password-Based Systems; Failing To Store And Protect Data Security; Information Leakage; Improper File Access; Trusting Network Name Resolution; Race Conditions; Unauthenticated Key Exchange; Cryptographically Strong Random Numbers; Poor Usability; Mapping The 19 Deadly Sins To The OWASP "Top Ten"; Summary Of Do's And Don'ts; Index
This book came out of a list developed by Homeland Security that declared that 95% of security issues in software came from 19 programming mistakes. What you read in these pages go into more detail about each of those issues, but in a very concise, practical, no-nonsense fashion. This is the type of information you'll need as a professional who needs to get a job done without wasting time on fluff and verbose writing. Each chapter covers one of the sins, and follows a standard format for the information. The subsections in each chapter are: Overview of the Sin; Affected Languages; The Sin Explained; Related Sins; Spotting the Sin Pattern; Spotting the Sin During Code Review; Testing Techniques to Find the Sin; Example Sins; Redemption Steps; Extra Defensive Measures; Other Resources; Summary. Since each chapter stands on its own, you can use this as a reference tool if you're having a particular issue to resolve, or you can read it cover to cover to get a good understanding of the security concerns you need to face when programming.
Just about every significant programming platform and language is covered somewhere in here (Windows, Unix, Linux, C, C++, C#, Java, PHP, Perl, etc.), so there's no real reason why nearly every developer won't take *something* away from their reading. And if you're writing software that will be exposed to usage outside your company, there is *no* reason to not have this book on your shelf. You'll get the core of what you should do very quickly, and you'll end up writing more secure software up front instead of issuing patch after patch after patch...
With the continual alerts and patches for software vulnerabilities, it may appear that there is no way to write secure software. While I agree there are no "absolutes" when it comes to secure software, there are ways to greatly reduce your potential of writing software that can be exploited. 19 Deadly Sins Of Software Security - Programming Flaws and How To Fix Them by Michael Howard, David LeBlanc, and John Viega does an excellent job in helping you focus in on this subject...
Content: Buffer Overruns; Format String Problems; Integer Overflows; SQL Injection; Command Injection; Failing To Handle Errors; Cross-Site Scripting; Failing To Protect Network Traffic; Use Of Magic URLs And Hidden Form Fields; Improper Use Of SSL And TLS; Use Of Weak Password-Based Systems; Failing To Store And Protect Data Security; Information Leakage; Improper File Access; Trusting Network Name Resolution; Race Conditions; Unauthenticated Key Exchange; Cryptographically Strong Random Numbers; Poor Usability; Mapping The 19 Deadly Sins To The OWASP "Top Ten"; Summary Of Do's And Don'ts; Index
This book came out of a list developed by Homeland Security that declared that 95% of security issues in software came from 19 programming mistakes. What you read in these pages go into more detail about each of those issues, but in a very concise, practical, no-nonsense fashion. This is the type of information you'll need as a professional who needs to get a job done without wasting time on fluff and verbose writing. Each chapter covers one of the sins, and follows a standard format for the information. The subsections in each chapter are: Overview of the Sin; Affected Languages; The Sin Explained; Related Sins; Spotting the Sin Pattern; Spotting the Sin During Code Review; Testing Techniques to Find the Sin; Example Sins; Redemption Steps; Extra Defensive Measures; Other Resources; Summary. Since each chapter stands on its own, you can use this as a reference tool if you're having a particular issue to resolve, or you can read it cover to cover to get a good understanding of the security concerns you need to face when programming.
Just about every significant programming platform and language is covered somewhere in here (Windows, Unix, Linux, C, C++, C#, Java, PHP, Perl, etc.), so there's no real reason why nearly every developer won't take *something* away from their reading. And if you're writing software that will be exposed to usage outside your company, there is *no* reason to not have this book on your shelf. You'll get the core of what you should do very quickly, and you'll end up writing more secure software up front instead of issuing patch after patch after patch...
| Permalink |
