J**N
An eye opener
You think your data is safe, your website secured, your code foolproof... think again. If you haven't read this book, probably none of the above are true. This book is written with a hacker's mind. It reveals and elaborates on the most common and not so common vulnerabilities of computer and web applications. I am glad I read this book and used the information to plug the holes at a client's web application, so when one of their laptops was later compromised, no harm was done to their data or IT infrastructure.
W**D
Good, but dated
The timeless advice in this book should be at the front of every programmer's mind every day. Things like
- There's no such thing as a small security flaw,
- If you see more than one bug of a given type, there are lots more you didn't see, or
- It can still be a security flaw even if you haven't heard of an exploit.
And, as an example in itself, this helps programmers remember that security specialists really do know more about some things than developers with strengths in other areas. (An embarrassing story from the early days of Java, not recounted here, described a blunder that any security specialist would have found in a minute - but it was shipped because the team decided they didn't need the specialist's review since they knew it all.)
Then, in a helpful turn, the authors give voluminous examples of what not to do, what to do instead, and finer points of some of the subtler Windows APIs - the APIs that were used in 2003 (when the book was published) or even earlier (when it was being written). Those details were valuable at the time, but aged incredibly rapidly. Some specifics, like resisting SQL injection attacks, remain salient. Others, like use of RC4 for encryption, have been overtaken by more recent findings. And a few statements just weren't true even when this was written. One, that compiler writers might find ways to optimize "volatile" references away (p.326), would break huge amounts of hardware-oriented code if it were to happen.
Lots of the content remains important and widely applicable - five stars for that part, even with a few glitches. But, because so much discussion depends on Windows-specific and aging APIs, I can't give it full marks for today's (or for a non-Windows) reader.
-- wiredweird
R**S
Excellent
I opened the box with hesitation as I have been burned purchasing used books before, but to my surprise it was in excellent condition. The information will be of great help to me. Thank you for selling product that is true to the prescription.
P**I
must read
I recommend this book as a must read in today's internet programming world. I am not an internet programmer, but still this book covers a lot of topics on how my stand-alone application can be vulnerable if the system is hooked to the net. Must read for all programmers in today's world.
P**A
Dated and esoteric
I found for every 10 pages read I picked up one useful idea, but even then was left with only the vaguest notion of how to implement. (Read: I had no clue how to implement.) I don't doubt the authors know their stuff. But when the conversation moves away from the general idea to the implementation, it uses examples from 20-year-old technology. It's hard to stay interested, because you know these details have to be irrelevant now. Truth is, I'm a C#/SQL Server developer with no clue how operating systems work. I don't even know what a buffer overrun is, or what any of the system functions in the C and C++ or Perl code examples do (or in what context I would ever be calling said functions). This book assumes such knowledge, and makes for a frustrating read otherwise. What the book highlights for me is how clunky and non-intuitive the whole Windows security APIs are. (At least, as depicted in this 20-year-old book. Maybe things are simpler now, but why has Microsoft not provided a more recent version of this book?) This book left me feeling frustrated and dumber than when I started.
C**S
No problems, good experience.
No problems, good experience.
B**O
Great read for programmers
Great book for the money.
J**Y
Should be Microsoft Secure Code
I agree with a previous reviewer that the title is misleading - it should emphasize that this is primarily a book about not writing non-secure code on a Windows platform. There are many good tips in the book (which is why it didn't get one star), but for those of us who write code for other platforms (there are other platforms, BTW) it's not nearly as useful. The final example of non-usefulness are the sample code files. To get them you must download a Windows executable which requires that you click on a button accepting a license agreement; the download will then begin. If you don't happen to be running on a Windows box, no download, no code examples, no nothing. Makes the book way less useful and much more annoying to me.
B**Z
Dated but still very relevant
This is an excellent book which gives you very specific information on common security weaknesses to be aware of, common coding failures that can be exploited by malformed data, along with useful philosophies on testing at the boundaries between trusted and untrusted environments. Most of the content is as applicable today as it was in the early noughties. The authors are very highly experienced; however, they are also a bit smug, which does grate from time to time.
J**Y
Mandatory
If you are a developer then this book is mandatory. You do not realise the threats (from the desktop, the web, Intranet) until you read this book. Attacks come from everywhere. Reading this together with "Code Complete 2" (Steve McConnell) will surely make you a better developer and your software safer, faster and more secure. Imagine the consequences of a simple SQL injection attack or a cross-site scripting attack on your customers. Your reputation, your job and your company are at risk. It's as simple as that. Getting a few copies of this for yourself and your colleagues makes sense.
C**N
Now mandatory reading for my team
I bought myself a copy of this some years ago. I was sufficiently impressed that I then bought additional copies and presented them to each of my team members. It is not sufficient material on its own - it is particularly light on .Net issues, but it is a very good primer on a wide range of topics.
L**.
Must read for EVERY programmer (not just Microsoft Employees!)
Having a book endorsed by Microsoft's Co-Founder, Bill Gates, seems like a great idea! On the front, he is quoted as saying that it's a mandatory read for every MS employee. This version is from when Windows Server 2003 was still nicknamed Windows Server .Net, so that should tell you the age; however, the information is very accurate, and insightful in how to write secure programs even in this day and age. I don't write in C or C++ as much as I'd like to learn it, so some examples went over my head when they got to the code. The information they provide helps a lot to understand *why* the programmers are choosing their insecure or secure methods, and helps to convey the message that security starts as you start planning the project, **before you write any actual code**. I recommend every programmer who wants to write for other people read this book!
C**N
Very good quality
Nothing to complain about the quality and aspect of the book. Will probably buy again from this vendor. Two thumbs up!