Writing Secure Code
A**K
I saw this book on a colleague's desk...
...so I picked it up and flipped through it. It is packed with valuable (and usable!) information. This book seems so useful, I ordered myself a copy. Nothing else out there talks about how to write (and test) the security aspects of an application.
K**O
This is a must read....
This is a must read for today's savvy developer. Michael is obviously a talented individual who shares his insight in a simple, no-nonsense fashion. You can spend 10 yrs making all these mistakes and learning from them, or just read this book! I have brought several for our department that have become well thumbed in only a few weeks.
S**A
Three Stars
no comment
O**S
A good security book especially if you develop on Windows
This is a good book as it does a good job covering the different sources of software insecurities:
- The classical buffer overflows on the stack and on the heap
- Canonical issues on input
- The least privilege principle
- There is a brief overview on how to store a secret

On the last point, the authors know the topic well. If you are using cryptography to protect something in your software but just store the private key in a global variable, then you are helping tremendously the job of hackers, as all they will have to do is look into your executable binary to search for something that looks like a key. A security measure is as strong as its weakest element, and no hacker is foolish enough to attack a cryptographic algorithm that is proven strong. Even if you store the key in a secure place, all that is needed to retrieve the key is to perform a memory dump at the right time, just before the software uses the key. At least you can make the hackers' job harder, as there is nothing you can do to make your software 100% safe against hackers if the software is valuable enough to motivate them to hack it. All you can do by improving your software security is to buy yourself some time before your software is hacked. All that to say that there is no bulletproof solution against hackers, but the book gives solid leads to improve software security in that aspect.

In this book, there is a strong emphasis on Microsoft security technologies. The Windows Crypto API and the Microsoft OSes' privileges API are described at length. If you develop on Windows and want to make your software more secure, then this is an excellent book for you.

If you develop on another platform, there is still something for you in this book, as there are a lot of code snippets that are platform independent to improve software security, such as input validation for file names to protect yourself against canonicalization bugs.

This is a very good book about software security, but I do not recommend it simply because there is a new edition of it: Writing Secure Code, Second Edition.
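The file-name canonicalization check the reviewer mentions, written out as an added example (not the book's code and not the reviewer's): a user-supplied name is normalized first and only then tested for containment in an allowed directory. The base directory `/srv/app/uploads` and the probe names are constructed for the demonstration; the checks are purely lexical, so they behave the same whether or not the file exists.

```python
import posixpath
import unicodedata
from typing import Optional

# Constructed example: the only directory this application may hand files out of.
BASE_DIR = "/srv/app/uploads"


def canonical_path(user_input: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Canonicalize a user-supplied file name and confine it to base_dir.

    Returns the normalized absolute path, or None if the name is rejected.
    All checks are lexical (no filesystem access), so the result is the same
    whether or not the file exists yet.
    """
    # An embedded NUL ends the string early in C APIs, so a name could be
    # checked as one thing and opened as another. Reject it outright.
    if not user_input or "\x00" in user_input:
        return None

    # Normalize Unicode so two encodings of the same character compare equal,
    # then treat backslashes as separators so "..\\" is not missed on POSIX.
    name = unicodedata.normalize("NFC", user_input).replace("\\", "/")

    # An absolute name would ignore base_dir entirely.
    if posixpath.isabs(name):
        return None

    # Collapse ".", ".." and duplicate separators BEFORE checking containment;
    # a check done on the raw string would miss "sub/../../etc/passwd".
    candidate = posixpath.normpath(posixpath.join(base_dir, name))

    # After normalization the path must still sit inside base_dir.
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed probes: two legitimate names and four that must be refused.
    for probe in ["report.txt", "sub/../report.txt", "../../etc/passwd",
                  "..\\..\\windows\\win.ini", "/etc/passwd", "notes\x00.txt"]:
        print(repr(probe), "->", canonical_path(probe))
```

The order matters: validating and then normalizing lets an encoded or relative form slip through, which is the bug class the reviewer is pointing at. On Windows, names with trailing dots or spaces and 8.3 short names need additional handling beyond this lexical pass.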
G**T
Very good book on security mistakes and how to fix them
When deciding on whether or not to buy a book, I normally read the reviews to find out what people did not like. After checking out this book, I am shocked at the comments one of the reviewers wrote, as he unfairly panned the book on something that it was not intended to solve.

If you are looking for a heavy coder's book to show you how to code security in your apps, this is probably not the best place to look. While there is some code, that is not the primary focus. You will also be disappointed if you are looking for code samples that easily migrate to other systems.

The book is, overall, very Microsoft-centric. Whether this is good or bad depends largely on your point of view, though you can apply many of the techniques to any platform to shore up holes in your code.

There are many of the security mistakes in this book that I found almost laughable, until I tested code on a few colleagues' sites. If you code your SQL strings in ADO, for example, you might be leaving a way for a malicious user to gain admin rights to your SQL Server.

If you think there is no way in the world you would ever need a book on security holes in code, then this book is probably tailor-made for you. Understand, of course, if you do not do Windows, the code samples will be far less useful than if you do.
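The "SQL strings in ADO" point from the review above, as an added example that is neither the book's code nor the reviewer's: the same lookup written once by string concatenation and once with a bound parameter. Python's `sqlite3` stands in for ADO and SQL Server (an assumption made so the example runs offline); the table, rows and probe input are constructed for the demonstration.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str]


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> List[Row]:
    """The pattern the review warns about: SQL text assembled by concatenation.

    Whatever the caller passes becomes part of the statement, so a quote in
    the input changes the query's structure rather than just its data.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Row]:
    """The fix: the statement is fixed text and the value is bound separately.

    The database receives the input as data only, so it cannot alter the
    WHERE clause no matter which characters it contains.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Constructed tester input: a closing quote followed by an always-true clause.
    probe = "x' OR '1'='1"
    print("concatenated :", lookup_concatenated(db, probe))   # every row comes back
    print("parameterized:", lookup_parameterized(db, probe))  # no row matches
```

The concatenated version also fails on legitimate data: a name such as `o'brien` produces a syntax error, while the parameterized query simply looks it up. Treating the statement as fixed text and the values as parameters removes both problems at once.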
J**E
Excellent contextual review
Wow -- a great and very unexpected find. Michael Howard's experience within the Microsoft organization and David LeBlanc's technical experiences at ISS blend very well to provide a very solid high-level overview of secure coding practices. Of the few texts available for this subject, I would rate this very highly. It is technically neutral enough to survive for longer than it takes me to write this review, while using enough examples to help the reader understand the issues.

This isn't a low-level coding "how-to", and doesn't pretend to be. Providing examples of how to implement every coding algorithm in the short history of coding would be counter-productive. Instead, Howard and LeBlanc provide excellent examples that teach the reader how to think securely, and then carry that information into their coding practices. Phenomenal read, well worth the time.
D**Y
Not perfect, but perhaps the best you will get!
This is a wonderful book that covers things that are often glossed over in other security books. For instance, the coverage of access control lists, and the difficulties of controlling them, are well covered. I wish it had more information on the .NET Framework (there are, I believe, 2 chapters covering .NET security issues), but the editing is clean (something I am a bit of a fanatic about) and the writing style is good enough to make this relatively dry topic an enjoyable read.