Books » Software Design & Engineering » 19 Deadly Sins of Software Security (Security One-off) (page captured November 22, 2008)
19 Deadly Sins of Software Security (Security One-off)
Authors: Michael Howard, David LeBlanc, John Viega
Publisher: McGraw-Hill Osborne Media
Category: Book

List Price: $41.99
Buy New: $6.99
You Save: $35.00 (83%)
Buy New/Used from $4.36

Avg. Customer Rating: 4.5 out of 5 stars(9 reviews)
Sales Rank: 365052

Languages: English
Media: Paperback
Edition: 1
Number Of Items: 1
Pages: 304
Shipping Weight (lbs): 1.1
Dimensions (in): 9.1 x 7.3 x 0.8

ISBN: 0072260858
Dewey Decimal Number: 005.8
EAN: 9780072260854
ASIN: 0072260858

Publication Date: July 26, 2005
Availability: Usually ships in 1-2 business days

Customer Reviews:
Showing reviews 6-9 of 9

4 out of 5 stars a meta-language view of common problems   September 13, 2005
  3 out of 5 found this review helpful

The authors take an even-handed look across several major languages and point out pitfalls in each. Probably you, as a programmer, have met many of these ideas before, but maybe only in the context of a given language. This book lets you take a metalanguage view.

Consider integer overflows. C# and Visual Basic guard against these. But not Java, C or C++. There are also commonsense recommendations like using unsigned integers when describing things that are intrinsically non-negative, like memory addresses or sizes of memory allocations. Alas, Java does not support unsigned integers.

Cross-site scripting gets a chapter of its own. It is a dangerous phenomenon of the web, where a web page gets user input from the user's browser, the application does not check this input for malicious content, and it proceeds to send it to a web page. The text might have scripting commands which are then run by the user's browser. These might mess up the browser or even the user's computer. Worth checking out.
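The review's integer-overflow paragraph is the kind of pattern the book's "Spotting the Sin" sections are about. As an added illustration for this page (example code written here, not from the book or the reviewer), the C block below shows an allocation-size computation that silently wraps, the checked form that rejects it before calling malloc, and the signed-length pitfall that the "use unsigned for sizes" recommendation is meant to avoid. The record_t type, the function names and the limits are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical fixed-size record, chosen only for this example (32 bytes). */
typedef struct {
    uint32_t id;
    char name[28];
} record_t;

/* The sin: count * sizeof(record_t) is computed in size_t and wraps when
 * count is large. malloc then succeeds with a tiny buffer, and any loop
 * that later copies 'count' records writes far past the end of it.
 * Returns the (possibly wrapped) byte count so the wrap can be observed. */
size_t unchecked_alloc_size(size_t count)
{
    return count * sizeof(record_t);
}

/* Redemption: bound the multiplicand before multiplying. Returns true and
 * stores the byte count in *out when the product fits in size_t, false
 * (without touching *out) when it would overflow. */
bool checked_alloc_size(size_t count, size_t *out)
{
    if (count > SIZE_MAX / sizeof(record_t)) {
        return false;
    }
    *out = count * sizeof(record_t);
    return true;
}

/* Allocate an array of 'count' records, or return NULL if the size wraps.
 * Caller frees the result. */
record_t *alloc_records(size_t count)
{
    size_t bytes;
    if (!checked_alloc_size(count, &bytes)) {
        return NULL;
    }
    return malloc(bytes);
}

/* Signed-length pitfall: an attacker-supplied negative length passes a
 * naive "len < limit" check, then becomes a huge value once it is used as
 * a size_t. Representing lengths as unsigned removes this case entirely. */
bool signed_length_passes_naive_check(int len, int limit)
{
    return len < limit;
}

int main(void)
{
    /* Smallest count whose byte size no longer fits: wraps to 0 here. */
    size_t huge = SIZE_MAX / sizeof(record_t) + 1;
    size_t bytes = 0;

    printf("unchecked: %zu records -> %zu bytes (wrapped)\n",
           huge, unchecked_alloc_size(huge));
    printf("checked:   %s\n",
           checked_alloc_size(huge, &bytes) ? "accepted" : "rejected");
    printf("naive signed check lets len=-1 through: %d\n",
           signed_length_passes_naive_check(-1, 100));

    record_t *r = alloc_records(3);
    if (r != NULL) {
        checked_alloc_size(3, &bytes);
        printf("3 records -> %zu bytes allocated\n", bytes);
        free(r);
    }
    return 0;
}
```

The check divides rather than multiplies because the division cannot overflow; the same idiom applies to any count-times-element-size computation, and the compiler-provided __builtin_mul_overflow (GCC/Clang) expresses it more directly where available.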



5 out of 5 stars Another one of those "required" books to own and read...   September 3, 2005
  8 out of 9 found this review helpful

With the continual alerts and patches for software vulnerabilities, it may appear that there is no way to write secure software. While I agree there are no "absolutes" when it comes to secure software, there are ways to greatly reduce your potential of writing software that can be exploited. 19 Deadly Sins Of Software Security - Programming Flaws and How To Fix Them by Michael Howard, David LeBlanc, and John Viega does an excellent job in helping you focus in on this subject...

Content: Buffer Overruns; Format String Problems; Integer Overflows; SQL Injection; Command Injection; Failing To Handle Errors; Cross-Site Scripting; Failing To Protect Network Traffic; Use Of Magic URLs And Hidden Form Fields; Improper Use Of SSL And TLS; Use Of Weak Password-Based Systems; Failing To Store And Protect Data Securely; Information Leakage; Improper File Access; Trusting Network Name Resolution; Race Conditions; Unauthenticated Key Exchange; Cryptographically Strong Random Numbers; Poor Usability; Mapping The 19 Deadly Sins To The OWASP "Top Ten"; Summary Of Do's And Don'ts; Index

This book came out of a list developed by Homeland Security that declared that 95% of security issues in software came from 19 programming mistakes. What you read in these pages goes into more detail about each of those issues, but in a very concise, practical, no-nonsense fashion. This is the type of information you'll need as a professional who needs to get a job done without wasting time on fluff and verbose writing. Each chapter covers one of the sins, and follows a standard format for the information. The subsections in each chapter are: Overview of the Sin; Affected Languages; The Sin Explained; Related Sins; Spotting the Sin Pattern; Spotting the Sin During Code Review; Testing Techniques to Find the Sin; Example Sins; Redemption Steps; Extra Defensive Measures; Other Resources; Summary. Since each chapter stands on its own, you can use this as a reference tool if you're having a particular issue to resolve, or you can read it cover to cover to get a good understanding of the security concerns you need to face when programming.

Just about every significant programming platform and language is covered somewhere in here (Windows, Unix, Linux, C, C++, C#, Java, PHP, Perl, etc.), so there's no real reason why nearly every developer won't take *something* away from their reading. And if you're writing software that will be exposed to usage outside your company, there is *no* reason to not have this book on your shelf. You'll get the core of what you should do very quickly, and you'll end up writing more secure software up front instead of issuing patch after patch after patch...



4 out of 5 stars Great book for experienced developers, good one for newbies   August 30, 2005

This book's a must-have addition to your bookshelf if you're at all concerned about developing secure software -- and you ought to be.

The book's format lends itself to quick reading of the most common security errors. Each "sin" breaks down into concise sections laying out an overview of the sin, what languages are affected, examples of the sin, redemption steps, extra defense measures, other resources on the sin, and a summary of the sin.

Most useful to me as a developer are the sections on patterns for spotting the sin, how to look for the sin during code reviews, and how to test for the sin.

The book's strengths are its concise discussion of each sin, and its almost-cookbook format. You're able to quickly find exactly what you need in the book. The book also covers a wealth of languages: C/C++, C#, Java, Perl, VB/VB.NET, plus the major platforms: Macs, *nix, and Windows.

The concise nature of the book is also its weakness. Some of the examples aren't explained very well -- it's expected that the reader is experienced enough to figure out exactly what the errors are. This may overwhelm developers new to a particular language if they're not motivated enough to track down further information.

However, more information and examples would weigh this book down and make it less attractive and useful. Use this book as a general (and sometimes specific) guide, but look elsewhere for specifics on implementation.



5 out of 5 stars Because the Web is Like the Old West with no Sheriff   August 14, 2005
  3 out of 6 found this review helpful

As anyone who has been around the web for any time at all knows, the web is not exactly a friendly place. The very openness of the web on a worldwide basis makes it very difficult to find the bad guys. This is especially true when countries like China, Nigeria and numerous 'stans from the old Soviet Union don't seem to care.

The result is that it is left up to the individual to build his own fences, hire his own guards. And use software that is written without the holes that allow the bad guys to come in.

This book started with the Department of Homeland Security's Cyber Security Division. The director asked John Viega to define the most common well-understood programming mistakes that lead to break-ins. The result is this book. The authors say that the rules they followed in writing this book were quite simple:

Keep it Simple -- no war stories, no funny anecdotes, just the facts.

Keep it short -- the facts and nothing else.

Cross Platform -- because the Internet runs on everything.

Cross Language -- because many languages on many platforms are used on the web.

This book is aimed at software developers and outlines the most common and destructive coding sins and how to eradicate them from code before customers use the software.

