The Virtual Bookcase for browsing and sharing reviews of books. New to this site? Read the welcome page first.

The Virtual Bookcase Home
Recent reviews
Collected book news
Welcome to this site

Book details of 'Software Security : Building Security In'

Cover of Software Security : Building Security In
TitleSoftware Security : Building Security In
Author(s)Gary McGraw
PublishedJanuary 2006
PublisherAddison-Wesley Professional
Web links for this book
Search at
Wikipedia booksources
Shop for this book
As an Amazon Associate I earn from qualifying purchases

Back to shelf Computer programming
Back to shelf Computer security


Vote for this book

The Virtual Bookcase Reviews of 'Software Security : Building Security In':

Reviewer Rob Slade wrote:
The preface states that the audience for the book is comprised of developers (particularly those interested in secure software), security professionals (in places), managers (in places), and academics (there are a couple of chapters that indicate where further research might be useful). McGraw also introduces the major components of the book. His "thee pillars" are not the usual confidentiality, integrity and availability, but risk management, "touchpoints," and knowledge. The touchpoints are code analysis, risk analysis, penetration (vulnerability) testing, security tests, abuse cases, security requirements, and security operations. Part one outlines the basics of software security. Chapter one informs us that problems exist in software, and notes the differences betweens bugs (due to careless implementation) and flaws (due to poor design). McGraw also suggests his three pillars as a means of addressing the difficulty. Using an example software project, chapter two takes us through a risk management framework in some detail. Part two examines the touchpoints. Chapter three introduces them in a diagram related to the steps in the software development process (they are numbered, although in a seemingly random pattern which turns out to be the suggested order of effectiveness). (The latter half of the chapter seems to be more of a sermon on software security.) Source code review tools (for finding bugs) are described in chapter four. Chapter five starts off with traditional risk analysis definitions and then extends the concept with details of the application of the process to software design. (Sidebars on software tools for program risk analysis, and other related items, are dropped in seemingly at random. The information is valuable, but the reading flow is somewhat disjointed.) Penetration testing of software sounds like a good idea, but chapter six doesn't really define what the topic involves. (The sidebar on tools is a case in point: the tools are listed and recommended, but the descriptions don't say what they actually do.) Risk-based security testing seems, by the end of chapter seven, to be a special case of spanning tree analysis, but along the way a number of the other touchpoints seem to overlap with it. "Abuse cases" is the application of known common vulnerabilities and attacks (perpetrated on systems similar to yours), and analysis of means of protection while still in the design phase. Chapter eight provides a handy list of such attacks (if you are building a Web application). "Security operations," in chapter nine, appears to be a discussion of how software developers and security professionals should relate to each other. (Touchpoint six, "security requirements," is not covered.) Part three covers additional topics. Chapter ten outlines advice for a software security program in a large company. "Knowledge for software security," in chapter eleven, is mostly an overview of material already covered, but does include some additional tools. Chapter twelve is a taxonomy of coding errors, which should be valuable both for those working on analysis of their own program security, and also researchers in the field. One fairly consistent weakness is that the book seems to assume that all software applications are network-based, and that all software problems result from malicious attacks. While Web-based applications are definitely of great importance, and also subject to a larger range of difficulties, this does limit the application of some of the material of the text in regard to standalone programs where the major concern is integrity of data, prevention of errors, and reliability of operation. The writing and structure could use some work: in many situations it is not easy to follow the thread of McGraw's argument. However, there is no denying the value of having all these ideas about software security brought together in one volume. There is a great deal of useful and interesting material here, and, with commitment from the reader, much that will be helpful in building more robust and reliable software. copyright Robert M. Slade, 2006

Add my review for Software Security : Building Security In
Search The Virtual Bookcase

Enter a title word, author name or ISBN.

The shelves in The Virtual Bookcase

Arts and architecture (25)
Biography (24)
Business and Management (120)
Cars and driving (53)
Cartoons (45)
Children's books (180)
Computer (475)
Computer history/fun (113)
Computer networks (382)
Computer programming (215)
Computer security (272)
Cook books (89)
Fantasy (154)
Fiction (446)
Health and body (71)
History (138)
Hobby (37)
Horror (65)
Humorous books (52)
Literature (57)
Operating systems (94)
Outdoor camping (162)
Outdoors (236)
Politics (85)
Privacy (61)
Psychology (55)
Religion (17)
Science (113)
Science Fiction (156)
Self-help books (56)
Technology (14)
Travel guides (308)
War and weapons (29)
World Wide Web (213)
Zen (5)
Other books (89)

The Virtual Bookcase is created and maintained by Koos van den Hout. Contact e-mail
Site credits
Copyright © 2000-2020 Koos van den Hout / The Virtual Bookcase Copyright and privacy statement