About Duffbert...

Duffbert's Random Musings is a blog where I talk about whatever happens to be running through my head at any given moment... I'm Thomas Duff, and you can find out more about me here...


Book Review - 19 Deadly Sins Of Software Security

Category Book Reviews

With the continual alerts and patches for software vulnerabilities, it may appear that there is no way to write secure software. While I agree there are no "absolutes" when it comes to secure software, there are ways to greatly reduce the likelihood of writing software that can be exploited. 19 Deadly Sins Of Software Security - Programming Flaws and How To Fix Them by Michael Howard, David LeBlanc, and John Viega does an excellent job of helping you focus on this subject...

Content: Buffer Overruns; Format String Problems; Integer Overflows; SQL Injection; Command Injection; Failing To Handle Errors; Cross-Site Scripting; Failing To Protect Network Traffic; Use Of Magic URLs And Hidden Form Fields; Improper Use Of SSL And TLS; Use Of Weak Password-Based Systems; Failing To Store And Protect Data Securely; Information Leakage; Improper File Access; Trusting Network Name Resolution; Race Conditions; Unauthenticated Key Exchange; Cryptographically Strong Random Numbers; Poor Usability; Mapping The 19 Deadly Sins To The OWASP "Top Ten"; Summary Of Do's And Don'ts; Index

This book came out of a list developed by Homeland Security that declared that 95% of security issues in software came from 19 programming mistakes. What you read in these pages goes into more detail about each of those issues, but in a very concise, practical, no-nonsense fashion. This is the type of information you'll need as a professional who has to get a job done without wasting time on fluff and verbose writing. Each chapter covers one of the sins and follows a standard format. The subsections in each chapter are: Overview of the Sin; Affected Languages; The Sin Explained; Related Sins; Spotting the Sin Pattern; Spotting the Sin During Code Review; Testing Techniques to Find the Sin; Example Sins; Redemption Steps; Extra Defensive Measures; Other Resources; Summary. Since each chapter stands on its own, you can use this as a reference tool when you have a particular issue to resolve, or you can read it cover to cover to get a good understanding of the security concerns you need to face when programming.

Just about every significant programming platform and language is covered somewhere in here (Windows, Unix, Linux, C, C++, C#, Java, PHP, Perl, etc.), so nearly every developer will take *something* away from reading it. And if you're writing software that will be exposed to usage outside your company, there is *no* reason not to have this book on your shelf. You'll get the core of what you should do very quickly, and you'll end up writing more secure software up front instead of issuing patch after patch after patch...

Thomas "Duffbert" Duff
