Dallas/Ft. Worth Unix Users Group

Writing Secure Code - reviewed by Gary Smith

The path "There is a difference between knowing the path and walking the path." Morpheus in "The Matrix"

I love books, especially when they are free. So, when I got an opportunity to get a book name "Writing Secure Code", I sent in the response card right away. I was surprised when I received the book, or should I say tome.

The tome by Michael Howard and David LeBlanc measures two inches thick. Clearly writing secure code is a weighty proposition. Looking at the Table of Contents, the five sections to the book including appendices.

The sections are "Contemporary Security", "Secure Coding Techniques", "Even More Secure Coding Techniques", "Special Topics", and the Appendices.

One of chapters in Section I I found to be good was chapter 3, "Security Principles to Live By." This chapter had some very good ideas and principles to live by such as secure by design, secure by default, defense in depth, and learn from mistakes. Each principle is accompanied by a discussion of the principle.

Section II is about secure coding techniques. This section start off with the most insecure technique in the book, the buffer overrun or overflow. I personally discovered the buffer overflow when I was a graduate student in 1975. It's a shame we've haven't progressed past that in 29 years.

Other chapters that were interesting are "All Input is Evil!" (isn't that the truth) "Running with Least Privilege", and "Determining Appropriate Access Control."

Want more secure coding techniques, then Section III is for you. There's "Socket Security", and "Protecting Against Denial of Service Attacks" among others. Under the "Special Topics" of Section IV, we have "Secure Testing," "Performing a Security Code Review," Secure Software Installations," "Building Privacy into Your Applications," "General Good Practices", and "Writing Secure Documentation and Error Messages". Most people skip the Appendices of a book just as most people skip the closing credits of movie. If you have sat all the way through the credits of "Young Sherlock Holmes", any of the "Airplane" or "Hot Shots" movies, you know there are hidden gems at the end. So too it is with the Appendices.

I love Appendix B, "Ridiculous Excuses We've Heard". My favorites are "We're secure; we use a firewall" and "No one will do that".

At 768 pages, this is quite a work. Now get ready for the shockers: this book comes from Microsoft Press. Yes, that Microsoft. On the cover, there is a quote from His Bill-ness himself, "Required reading at Microsoft." We can laugh at all the bugs and exploits that Microsoft software has in it. We can make snide comments about how people at Microsoft may read the book but not understand it. But can you imagine how bad it would be some people at Microsoft did not walk the path?

Return to Home Map and Directions Member Services Schedule of Talks Mailing Lists SIGs Roadmap to Wiki Free Books Membership/Individual Benefits Membership/Corporate Roster Benefits Organization Bylaws Policies Officers Other Talk Suggestions Volunteer! Member Blogs Member Profiles Historical Archives Newsletter Audio of Meetings Webmaster
	Top . Main . WritingSecureCode	Recent Changes Printable View Page History Edit Page
	Content Last Modified on January 12, 2005, at 01:12 AM CST Writing Secure Code - reviewed by Gary Smith The path "There is a difference between knowing the path and walking the path." Morpheus in "The Matrix" I love books, especially when they are free. So, when I got an opportunity to get a book name "Writing Secure Code", I sent in the response card right away. I was surprised when I received the book, or should I say tome. The tome by Michael Howard and David LeBlanc measures two inches thick. Clearly writing secure code is a weighty proposition. Looking at the Table of Contents, the five sections to the book including appendices. The sections are "Contemporary Security", "Secure Coding Techniques", "Even More Secure Coding Techniques", "Special Topics", and the Appendices. One of chapters in Section I I found to be good was chapter 3, "Security Principles to Live By." This chapter had some very good ideas and principles to live by such as secure by design, secure by default, defense in depth, and learn from mistakes. Each principle is accompanied by a discussion of the principle. Section II is about secure coding techniques. This section start off with the most insecure technique in the book, the buffer overrun or overflow. I personally discovered the buffer overflow when I was a graduate student in 1975. It's a shame we've haven't progressed past that in 29 years. Other chapters that were interesting are "All Input is Evil!" (isn't that the truth) "Running with Least Privilege", and "Determining Appropriate Access Control." Want more secure coding techniques, then Section III is for you. There's "Socket Security", and "Protecting Against Denial of Service Attacks" among others. Under the "Special Topics" of Section IV, we have "Secure Testing," "Performing a Security Code Review," Secure Software Installations," "Building Privacy into Your Applications," "General Good Practices", and "Writing Secure Documentation and Error Messages". Most people skip the Appendices of a book just as most people skip the closing credits of movie. If you have sat all the way through the credits of "Young Sherlock Holmes", any of the "Airplane" or "Hot Shots" movies, you know there are hidden gems at the end. So too it is with the Appendices. I love Appendix B, "Ridiculous Excuses We've Heard". My favorites are "We're secure; we use a firewall" and "No one will do that". At 768 pages, this is quite a work. Now get ready for the shockers: this book comes from Microsoft Press. Yes, that Microsoft. On the cover, there is a quote from His Bill-ness himself, "Required reading at Microsoft." We can laugh at all the bugs and exploits that Microsoft software has in it. We can make snide comments about how people at Microsoft may read the book but not understand it. But can you imagine how bad it would be some people at Microsoft did not walk the path?
WikiHelp	Recent Changes Printable View Page History Edit Page