Book details of 'Building Secure Software: How to Avoid Security Problems the Right Way'

Title	Building Secure Software: How to Avoid Security Problems the Right Way
Author(s)	John Viega, Gary McGraw
ISBN	020172152X
Language	English
Published	September 2001
Publisher	Addison Wesley Professional

---

Back to shelf Computer security
Amazon.com info for Building Secure Software: How to Avoid Security Problems the Right Way

Score:

Vote for this book

The Virtual Bookcase Reviews of 'Building Secure Software: How to Avoid Security Problems the Right Way':

Reviewer Rob Slade wrote:
The "right way" of the subtitle is, of course, designing and building a product correctly the first time. The preface states that the book is concerned with broad principles of systems development, and so does not cover specialized topics such as code authentication and sandboxing. It also points out that software vendors are effectively exempt from liability, and so have no reason to produce secure or reliable software. Chapter one is an introduction to software security, with an overview of related topics and considerations. Managing software security risks, in chapter two, looks at good practices in the system development life cycle, the position of the security engineer in development, and standards. The authors point out problems in common security "solutions," mostly dealing with authentication, in chapter three. The common myths about the security of open and closed source systems are examined in chapter four. Instead of a checklist of thousands of security items (that likely won't be of much use anyway), chapter five presents ten guiding principles which will probably catch most problems. The list is not a panacea: the first principle is to secure the weakest link, and it takes lots of forethought to design this for type of factor in advance. Auditing software, in chapter six, is more about security assessments being conducted at various stages in the process, for example, using attack trees at the design stage. The preface states that the book is divided into two parts, conceptual and implementation, and, although there is no formal division, this is probably the beginning of part two. Chapter seven looks at buffers overflows, always and still the most common software security problem. This book, it must be assumed, is written primarily for a programming audience, and yet the first part has presented concepts very clearly without necessarily getting into code examples. At this point, however, the material is definitely written for advanced C (and specifically UNIX) programmers, and the basic concepts are sometimes hidden in the details. Access control, primarily in UNIX systems, although with some mention of special capabilities in Windows NT, is the topic of chapter eight. Chapter nine deals with race conditions, including the familiar "time of check versus time of use" problem, although most of the material is limited to file access concerns. There is an excellent and thorough discussion of pseudo random number generation in chapter ten. Applying cryptography, in chapter eleven, stresses the fact that you shouldn't "roll your own," helps out by reviewing publicly available cryptographic code libraries, and even examines the drawbacks of one-time pads. Managing trust and input validation, in chapter twelve, emphasizes input concerns to the point that an important element is possibly buried: in the modern environment, you not only have to trust the goodwill of an entity, but also its ability to defend itself, so as not to become part of an attack against you. Password authentication, in chapter thirteen, promotes randomly chosen passwords. Given a work directed at programming I suppose this is understandable, but recent research has shown that "well chosen" passwords are as easy to remember as naive, and as secure as random. Chapter fourteen is an overview of the basic aspects of database security, although it only touches on the more advanced topics of this specialized field. Client-side security concentrates on copy protection and other anti-piracy measures in chapter fifteen. Some means of establishing a connection through a firewall are examined in chapter sixteen. While I can understand and sympathize with the desire to give examples of specific code in dealing with implementation details, there are a number of major concepts covered in the latter part of the book which would have been more accessible to non-programmers had they been dealt with as tutorially as in the first part. Still, the book has a great deal to teach programmers about security and reliability, and security professionals about the requirements of the development process. copyright Robert M. Slade, 2002
Add my review for Building Secure Software: How to Avoid Security Problems the Right Way

Book description:

"This book is useful, practical, understandable, and comprehensive. The fact that you have this book in your hands is a step in the right direction. Read it, learn from it. And then put its lessons into practice." --From the Foreword by Bruce Schneier, CTO, Counterpane, and author of Secrets and Lies "A must-read for anyone writing software for the Internet." --Jeremy Epstein, Director, Product Security and Performance, webMethods "This book tackles complex application security problems like buffer overflows, race conditions, and applied cryptography in a manner that is straightforward and easy to understand. This is a must for any application developer or security professional." --Paul Raines, Global Head of Information Risk Management, Barclays Capital Most organizations have a firewall, antivirus software, and intrusion detection systems, all of which are intended to keep attackers out. So why is computer security a bigger problem today than ever before? The answer is simple--bad software lies at the heart of all computer security problems. Traditional solutions simply treat the symptoms, not the problem, and usually do so in a reactive way. This book teaches you how to take a proactive approach to computer security. Building Secure Software cuts to the heart of computer security to help you get security right the first time. If you are serious about computer security, you need to read this book, which includes essential lessons for both security professionals who have come to realize that software is the problem, and software developers who intend to make their code behave. Written for anyone involved in software development and use--from managers to coders--this book is your first step toward building more secure software. Building Secure Software provides expert perspectives and techniques to help you ensure the security of essential software. If you consider threats and vulnerabilities early in the devel-opment cycle you can build security into your system. With this book you will learn how to determine an acceptable level of risk, develop security tests, and plug security holes before software is even shipped. Inside you'll find the ten guiding principles for software security, as well as detailed coverage of: * Software risk management for security * Selecting technologies to make your code more secure * Security implications of open source and proprietary software * How to audit software * The dreaded buffer overflow * Access control and password authentication * Random number generation * Applying cryptography * Trust management and input * Client-side security * Dealing with firewalls Only by building secure software can you defend yourself against security breaches and gain the confidence that comes with knowing you won't have to play the "penetrate and patch" game anymore. Get it right the first time. Let these expert authors show you how to properly design your system; save time, money, and credibility; and preserve your customers' trust.