19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them (Paperback)

ISBN: 0072260858

ISBN13: 9780072260854


Format: Paperback


Book Overview

This essential book for all software developers--regardless of platform, language, or type of application--outlines the "19 deadly sins" of software security and shows how to fix each one.

Customer Reviews

5 ratings

A must read

I am not a security type; I look at code for robustness. Security bugs are BUGS that have a security component. I don't see an array overflow as a way for someone to crash my code, I see it as a problem where my code will act in an unpredictable way. The first 3 chapters alone are worth the price of this book. I found it an easy read that really made the issues stand out. I can see why there are so many security problems in software. This book not only described the problems, it did it in a way that showed me how common these problems are. Everywhere I look, I now see integer overflow and array bound issues. scanf and even printf are now suspect for me. I think the name of the book will limit its audience. This book should be read by anyone looking to write good basic code.

Excellent overview of an important topic

This is a very good book for software developers that are concerned about software security. It is short enough and easy enough to follow that it might also be a good book for software developers that are not concerned about software security but should be. Last year I reviewed Seacord's "Secure Coding in C and C++" and claimed it was "The best how-to security book" I had seen. This one might be even better. It is almost as thorough in the areas the two have in common, and has more material about the proper use of third party security packages. There are extensive references to books and papers about exploits and defenses, and pointers to many web sites with additional and more detailed information. Highly recommended.

The bug parade

If you are serious about eradicating software security bugs, you should buy this book. Keeping an eagle eye on the bug parade is a critical activity in software security. (Just don't forget about design flaws while you're at it.) Mike Howard, David LeBlanc, and John Viega are all top notch software security experts. Listen carefully. Be the bug. The software security touchpoints help address problems like these every day.

Required reading for software developers

If George Santayana were to recommend a security book, it would certainly be 19 Deadly Sins of Software Security. Santayana is the poet-philosopher widely known for saying, "Those who cannot remember the past are condemned to repeat it." For far too long, software developers have been making the same mistakes in programming as if they were incapable of remembering their past errors. Poorly written software lies behind nearly every computer security vulnerability. Amit Yoran, former director of the National Cyber Security Division of the U.S. Department of Homeland Security, is quoted as saying that "95 percent of software bugs are caused by the same 19 programming flaws." These flaws are the so-called "deadly sins" of the title. The book covers these 19 programming flaws, which include the most devastating types of coding and architectural errors, such as buffer overflows, format string problems, cross-site scripting, and insufficient encryption. Each flaw gets its own chapter, which features a brief introduction to the problem, sample code depicting each "sin," ways to detect the problem during code review, a description of tools and techniques to test for the defect, and defensive measures that make it more difficult for someone to exploit the weakness. None of the text is extraneous, as it economically addresses a wealth of the most popular platforms and languages. These include Windows, Linux, UNIX, C/C++, C#, Java, Perl, and more. Software applications developers, irrespective of which platform or language they use to write code, should consider this book required reading. Were he a techie, Santayana might have said that those who have written insecure code in the past are condemned to continue to write insecure code in the future. Programmers need only read this book to help put an end to that vicious cycle.

Another one of those "required" books to own and read...

With the continual alerts and patches for software vulnerabilities, it may appear that there is no way to write secure software. While I agree there are no "absolutes" when it comes to secure software, there are ways to greatly reduce your potential of writing software that can be exploited. 19 Deadly Sins Of Software Security - Programming Flaws and How To Fix Them by Michael Howard, David LeBlanc, and John Viega does an excellent job in helping you focus in on this subject...

Content: Buffer Overruns; Format String Problems; Integer Overflows; SQL Injection; Command Injection; Failing To Handle Errors; Cross-Site Scripting; Failing To Protect Network Traffic; Use Of Magic URLs And Hidden Form Fields; Improper Use Of SSL And TLS; Use Of Weak Password-Based Systems; Failing To Store And Protect Data Securely; Information Leakage; Improper File Access; Trusting Network Name Resolution; Race Conditions; Unauthenticated Key Exchange; Cryptographically Strong Random Numbers; Poor Usability; Mapping The 19 Deadly Sins To The OWASP "Top Ten"; Summary Of Do's And Don'ts; Index

This book came out of a list developed by Homeland Security that declared that 95% of security issues in software came from 19 programming mistakes. What you read in these pages goes into more detail about each of those issues, but in a very concise, practical, no-nonsense fashion. This is the type of information you'll need as a professional who needs to get a job done without wasting time on fluff and verbose writing. Each chapter covers one of the sins, and follows a standard format for the information. The subsections in each chapter are: Overview of the Sin; Affected Languages; The Sin Explained; Related Sins; Spotting the Sin Pattern; Spotting the Sin During Code Review; Testing Techniques to Find the Sin; Example Sins; Redemption Steps; Extra Defensive Measures; Other Resources; Summary.

Since each chapter stands on its own, you can use this as a reference tool if you're having a particular issue to resolve, or you can read it cover to cover to get a good understanding of the security concerns you need to face when programming. Just about every significant programming platform and language is covered somewhere in here (Windows, Unix, Linux, C, C++, C#, Java, PHP, Perl, etc.), so there's no real reason why nearly every developer won't take *something* away from their reading. And if you're writing software that will be exposed to usage outside your company, there is *no* reason to not have this book on your shelf. You'll get the core of what you should do very quickly, and you'll end up writing more secure software up front instead of issuing patch after patch after patch...