Software Security: Building Security In (Addison-Wesley Software Security Series)
Author: Gary McGraw. Publisher: Addison-Wesley Professional. Category: Book.
Avg. Customer Rating: (19 reviews)
Language: English. Media: Paperback. Pages: 448. Dimensions (in): 9 x 6.9 x 1.4.
ISBN: 0321356705. EAN: 9780321356703. Dewey Decimal Number: 005.8.
Publication Date: February 2, 2006.
Customer Reviews:
  Critical reading if you're just getting started May 26, 2006 10 out of 11 found this review helpful
When my company began to investigate software security, we all mistakenly assumed it would be possible to just train the developers what mistakes not to make and all would be well with the world. This book was the first step toward fixing that misunderstanding. Dr. McGraw does an excellent job of describing the environment and the practices that are required when implementing secure coding in the lifecycle. But he's also managed to prioritize the "touchpoints" so that each can be added in turn to a new development effort rather than requiring any single massive change. Overall an excellent read and a good set of guidelines for implementation.
  you need to fix both bugs and flaws April 11, 2006 6 out of 8 found this review helpful
McGraw offers many spot-on tips for programmers and software architects to embed security into your products. Perhaps the most cogent is to recognise the difference between bugs and flaws. Bugs are coding errors: not just the syntactic ones caught by the compiler or interpreter, but also those that compile fine. Flaws, on the other hand, arise from the overall design of the product. In his experience, each represents around 50% of the defects. Hence just trying to debug the bugs will not suffice.
Finding flaws is a subtler, harder task, one better suited to the experienced programmer or architect. This also tells you that if you are a programmer and you want to burnish your skills, then moving to finding and fixing flaws is a value-added move.
Also, the very definition of a flaw implies that you have a design, doesn't it? Well, if you or your team has bought into the Extreme Programming mindset, then the code is the design. McGraw strongly dumps on the entire XP approach as being bad for reducing defects.
Amongst the many other interesting issues he raises is one of "ambiguity analysis", in which a group of experienced architects analyses a project design. Each person separately does her own analysis. Then the group assembles and compares these. Invariably, differences will arise, due perhaps to ambiguities or omissions in the design documentation. This can help indicate flaws.
  It crosses the chasm (from information security to software development) March 10, 2006 5 out of 8 found this review helpful
This is a software engineering book. I would describe it as the stuff that was missing (security) from your favorite software engineering title, whether that was from Yourdon, Booch, or Beck. My background is in software development: almost twenty years, from operating systems and development tools to online banking. A little over four years ago I embarked on a crash course in security when I became convinced that software was the key to our security problem, not some new whiz-bang box on the network. When I searched for information on how to build better code from a security perspective, the available literature was extremely limited. There were a couple of titles on coding practices and hacking techniques (two authored by Dr. McGraw and a third from Microsoft Press), but there was really nothing on the subject from a software engineering perspective. This is the first (and only book that I know of) that introduces security as a core software discipline, and it is quite comprehensive in terms of covering the entire development lifecycle. Gary does an excellent job of introducing security concepts from what he terms an "artifact driven" approach, thus making it compatible with just about any development process or methodology (as long as it produces requirements, designs, and code). If you are an experienced developer, architect, or manager you will find it an easy read and quite actionable in terms of things you can put in place right away.
If you are new to software development or involved with it through information security, you really should read this along with one of the classic (or newer) software engineering books so that those concepts are clear. Ask the development team that you work with for recommendations on that so that you are in sync with their philosophies, as there are some subtle but critical differences in the various development methodologies. As I mentioned, the techniques and principles outlined in this book should overlay any development methodology.
For purposes of full disclosure, I have had the pleasure of knowing Gary for several years now; in fact we met during my initial quest for just this information. He has been an invaluable mentor, and this book captures an incredible amount of the experience he has assembled in his career. I am confident that you will benefit from his knowledge as much as I have.
  Philosophy that turns the corner to answers, not just questions February 23, 2006 0 out of 3 found this review helpful
We've all heard "It's the software, stupid." long enough. Practitioners finally have a place to turn, beyond a single topic such as 'code review', for "what" to do.
Development Managers will find a set of activities that they can experiment with adding in order to "build security into" their software. No activity is 'one size fits all', but McGraw has gone to incredible lengths to make sure that every reader will find guidance that will resonate with their environment.
Security professionals, regardless of background, have been given a much broader and more powerful toolkit with which they can attack software. Rather than attempting to deepen penetration-testing efforts, they can use the touchpoints to consider use cases, requirements, architecture, and code earlier in the lifecycle. McGraw helps readers understand the essential aspects of each activity rather than getting mired in a particular technology or platform.
After reading "Exploiting Software", Developers will have to look hard to find the gems buried in the presentation of each touchpoint. If they can harvest them, I think the guidance Developers find will prove more widely applicable and useful than the principles of "Building Secure Software" or the specificity of "Exploiting Software".
Those working for organizations that manufacture software as their product have the best chance of directly applying this guidance. Organizations that rely on using software to support their (non-IT) business may have more difficulty aligning things in order to make the guidance actionable. Here's the trick: pursuit of the philosophy this book presents is going to be difficult and frustrating. Readers are most likely to be dissatisfied with the amount of "how" in the book, especially if they've already started working on some of the suggestions and have hit a barrier.
This deficiency in "how" isn't the book's fault; it's the state of the practice. Stay tuned.
  McGraw has done it again!!! February 15, 2006 6 out of 8 found this review helpful
McGraw's previous books set a very high standard for technical content, relevance and writing clarity. "Building Security In" has raised the bar even higher.
This book is based on years of experience in developing secure software, but what really sets McGraw apart is the clarity of his thinking and the natural, conversational tone of his writing.
I was particularly impressed by the methodical and consistent treatment of all aspects of secure code design, development and validation. McGraw covers all the territory, and with style.