Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World

I got this book for free from Microsoft, because our company became a Microsoft Partner. I must admit that at first I was a little bit sceptical about it, because afterall this book is published by Microsoft and they have this reputation of selling rather insecure software themselves. But after reading the first few sections I knew it was going to be a very good read.The book explains in very clear language almost every aspect of secure programming and gives a good overview of all common security flaws that can (and will!) enter your programming code. You'll learn how to securely design, implement, test and deploy your programs. Ofcourse buffer overruns are handled (Public Enemy #1 according to the authors), but that's only the tip of the iceberg. The book does a great job by identifying and providing solutions to common security pitfalls. Topics that are handled include: database access, user privileges and Access Control, Cryptography, handling secret data, user input, encoding and internationalization, RPC, DCOM, DOS attacks, .NET and writing secure program documentation.I recommend this book to every programmer out there, even if you're not programming for the Win32-platform. Don't let the fact that this is a Microsoft publication refrain you from buying this book. If you are serious about writing secure programs this is the book to get.

I bought this book after the *Bill Gates* email came out about Microsoft being serious about security. I figured that when he sends email like this to the company, it's important. And when **he recommends this book** in the email, it's something worth looking at. It is - Writing Secure Code is great. It's an easy read, full of great design, development and testing principles and ideas. The first couple of chapters revolve around design, in fact ch2 is over 70pp long, and it's all about how to design secure systems. The bulk of the book focuses on secure coding, including buffer overruns, sockets, RPC, COM, Crypto, canoniclization issues, least privilege, storing secret data, Web apps - and more!The last part of the book discusses common .NET coding errors, and how to build security test plans.What makes this book utterly unique is it really teaches you how to design and test secure applications, as well as how to write them. The design and test stuff I have seen nowhere else.The book is worth every penny, and I now know why Bill Gates recommends the book to all Microsoft developers.

I bought this after reading other reviews, and like many of them I found this book worth every cent. The three manjor portions of the book: secure design, secure coding and security testing are really well explained. In fact, I have never seen any other material in any book on security design and testing. And to those that thing there are no good SSL examples, I have two comments, (a) yes, there is material in the book on when to use SSL (and when not to!) and (b) SSL is no panacea, sometimes SSL is not the correct solution to use, and this book offers exceptional recommendations on how to determine if SSL is indeed the correct solution or not.

Too many books talk about how to secure a network, and discuss network-based attacks, but this book is different; it covers how to design, build and test the code at the end of the pipe - the application software.The book is complete in its explanation of how to make sure your application code, be it web-based or otherwise, is secured from attack. I learned a great deal from this book, and, based on code and design reviews of my company's code, the authors obviously know what they are talking about - as we made a lot of fixes, and added many new security test cases to our test suites. Simply put, we never knew we had problems, until we read this book, now it's mandatory reading for all our software engineers.

after reading the secure web app chapter, i rushed out and fixed about seven errors in my web-based finance app. the security bugs were bugs i didn't know i had! we've also built cross-site scripting tests based on the commentary in the testing chapter.GREAT BOOK!