19 Deadly Sins of Software Security (Security One-off)
Authors: Michael Howard, David Leblanc, John Viega
Publisher: McGraw-Hill Osborne Media
Category: Book

List Price: $41.99
Buy New: $8.38
You Save: $33.61 (80%)
Buy New/Used from $7.00

Avg. Customer Rating: 4.5 out of 5 stars(8 reviews)
Sales Rank: 129811

Languages: English (Original Language), English (Unknown), English (Published)
Media: Paperback
Edition: 1
Number Of Items: 1
Pages: 304
Shipping Weight (lbs): 1.1
Dimensions (in): 9.1 x 7.3 x 0.8

ISBN: 0072260858
Dewey Decimal Number: 005.8
EAN: 9780072260854
ASIN: 0072260858

Publication Date: July 26, 2005
Availability: Usually ships in 1-2 business days

Similar Items:

  • Software Security: Building Security In (Addison-Wesley Software Security Series)
  • Writing Secure Code, Second Edition
  • The Security Development Lifecycle
  • Secure Coding: Principles and Practices
  • The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities

Editorial Reviews:

Product Description

This essential book for all software developers--regardless of platform, language, or type of application--outlines the "19 deadly sins" of software security and shows how to fix each one. Best-selling authors Michael Howard and David LeBlanc, who teach Microsoft employees how to secure code, have partnered with John Viega, the man who uncovered the 19 deadly programming sins, to write this much-needed book. Coverage includes:

  • Windows, UNIX, Linux, and Mac OS X
  • C, C++, C#, Java, PHP, Perl, and Visual Basic
  • Web, small client, and smart-client applications



Customer Reviews:

4 out of 5 stars A fast read that addresses serious problems in a decent manner   November 2, 2006
  11 out of 11 found this review helpful

I read six books on software security recently, namely "Writing Secure Code, 2nd Ed" by Michael Howard and David LeBlanc; "19 Deadly Sins of Software Security" by Michael Howard, David LeBlanc, and John Viega; "Software Security" by Gary McGraw; "The Security Development Lifecycle" by Michael Howard and Steve Lipner; "High-Assurance Design" by Cliff Berg; and "Security Patterns" by Markus Schumacher, et al. Each book takes a different approach to the software security problem, although the first two focus on coding bugs and flaws; the second two examine development processes; and the last two discuss practices or patterns for improved design and implementation. My favorite of the six is Gary McGraw's, thanks to his clear thinking and logical analysis. The other five are still noteworthy books. All six will contribute to the production of more security software.

The main reason to read 19DS is to quickly become acquainted with various security problems facing software developers. At less than 300 pages, it's not a thick tome like WSC2E. 19DS also is not afraid to mix bugs (coding errors, like buffer overflow conditions) with flaws (design problems, like "failing to protect network traffic.") This sort of lax categorization bothers me (and Gary McGraw, as noted in his book "Software Security"), but it shouldn't interfere with the quality content of 19DS.

Probably the most interesting aspect (to me) of 19DS was sin 10, which discussed problems with Secure Sockets Layer (SSL). The chapter didn't describe algorithmic or protocol problems. Instead, it explained how programmers make poor assumptions about the features provided by their language of choice with respect to SSL. For example, many SSL libraries do not properly validate certificates. Without this functionality, the authors argue that SSL is almost worthless. While I don't necessarily agree with this statement, I really like reading this sort of criticism. I'd like to note that p. 134 berates Python's ssl() but ignores pyOpenSSL, which probably provides the features the authors would want.

Other "sins" take slightly different looks at security issues. Sin 17, for example, explains the importance of key exchange AND authentication. These are the sorts of problems I imagine are only discovered by examining multiple real-world implementations, and I value the authors sharing their experiences.

I subtracted one star because the quality of the "sins" isn't even. Some don't adequately explain the problem at hand (e.g., integer overflows). If the authors assume the reader knows the problem well enough to not introduce it properly, then why discuss it at all?

Overall, however, 19DS is a great book to get to your developers. It's short enough that they might actually read it, and the content is presented in a convincing enough manner to perhaps influence their coding choices.



5 out of 5 stars The bug parade   March 3, 2006
  5 out of 7 found this review helpful

If you are serious about eradicating software security bugs, you should buy this book. Keeping an eagle eye on the bug parade is a critical activity in software security. (Just don't forget about design flaws while you're at it.)

Mike Howard, David LeBlanc, and John Viega are all top-notch software security experts. Listen carefully. Be the bug.

The software security touchpoints help address problems like these every day.



5 out of 5 stars Required reading for software developers   February 1, 2006
  18 out of 18 found this review helpful

If George Santayana were to recommend a security book, it would certainly be 19 Deadly Sins of Software Security. Santayana is the poet-philosopher widely known for saying, "Those who cannot remember the past are condemned to repeat it." For far too long, software developers have been making the same mistakes in programming as if they were incapable of remembering their past errors.

Poorly written software lies behind nearly every computer security vulnerability. Amit Yoran, former director of the National Cyber Security Division of the U.S. Department of Homeland Security, is quoted as saying that "95 percent of software bugs are caused by the same 19 programming flaws." These flaws are the so-called "deadly sins" of the title.

The book covers these 19 programming flaws, which include the most devastating types of coding and architectural errors, such as buffer overflows, format string problems, cross-site scripting, and insufficient encryption. Each flaw gets its own chapter, which features a brief introduction to the problem, sample code depicting each "sin," ways to detect the problem during code review, a description of tools and techniques to test for the defect, and defensive measures that make it more difficult for someone to exploit the weakness.

None of the text is extraneous, as it economically addresses a wealth of the most popular platforms and languages. These include Windows, Linux, UNIX, C/C++, C#, Java, Perl, and more.

Software applications developers, irrespective of which platform or language they use to write code, should consider this book required reading. Were he a techie, Santayana might have said that those who have written insecure code in the past are condemned to continue to write insecure code in the future. Programmers need only read this book to help put an end to that vicious cycle.




5 out of 5 stars A Must Have in your Info Security Library   October 15, 2005
  5 out of 11 found this review helpful

Too often, software security is overlooked in the info security infrastructure of most organizations as we focus on network, computer, data, and physical security. That is a luxury organizations can no longer afford. The book gives a great overview of software security issues yet at the same time provides granular examples and solutions that can be readily implemented. Would serve as a great source for training of programmers in code security.


4 out of 5 stars a meta-language view of common problems   September 13, 2005
  3 out of 5 found this review helpful

The authors take an even-handed look across several major languages and point out pitfalls in each. Probably, for you as a programmer, you have met many of these ideas before, but maybe in the context of a given language. This book lets you take a metalanguage view.

Consider integer overflows. C# and Visual Basic guard against these. But not Java, C or C++. There are also commonsense recommendations like using unsigned integers when describing things that are intrinsically non-negative, like memory addresses or sizes of memory allocations. Alas, Java does not support unsigned integers.

Cross-site scripting gets a chapter of its own. A dangerous phenomenon of the web, where a web page gets user input from the user's browser. The application does not check this input for malicious content, and it proceeds to send it to a web page. The text might have scripting commands which are then run by the user's browser. These might mess up the browser or even the user's computer. Worth checking out.


Powered by: Dknc, inc. and Amazon.com


For your safety and security, orders are processed through amazon.com