24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them [Paperback]

Michael Howard (Author), David LeBlanc (Author), John Viega (Author)

Book Description

ISBN-10: 0071626751 | ISBN-13: 978-0071626750 | Publication Date: September 3, 2009 | Edition: 1

"What makes this book so important is that it reflects the experiences of two of the industry's most experienced hands at getting real-world engineers to understand just what they're being asked for when they're asked to write secure code. The book reflects Michael Howard's and David LeBlanc's experience in the trenches working with developers years after code was long since shipped, informing them of problems." --From the Foreword by Dan Kaminsky, Director of Penetration Testing, IOActive

Eradicate the Most Notorious Insecure Designs and Coding Vulnerabilities

Fully updated to cover the latest security issues, 24 Deadly Sins of Software Security reveals the most common design and coding errors and explains how to fix each one-or better yet, avoid them from the start. Michael Howard and David LeBlanc, who teach Microsoft employees and the world how to secure code, have partnered again with John Viega, who uncovered the original 19 deadly programming sins. They have completely revised the book to address the most recent vulnerabilities and have added five brand-new sins. This practical guide covers all platforms, languages, and types of applications. Eliminate these security flaws from your code:

• SQL injection
• Web server- and client-related vulnerabilities
• Use of magic URLs, predictable cookies, and hidden form fields
• Buffer overruns
• Format string problems
• Integer overflows
• C++ catastrophes
• Insecure exception handling
• Command injection
• Failure to handle errors
• Information leakage
• Race conditions
• Poor usability
• Not updating easily
• Executing code with too much privilege
• Failure to protect stored data
• Insecure mobile code
• Use of weak password-based systems
• Weak random numbers
• Using cryptography incorrectly
• Failing to protect network traffic
• Improper use of PKI
• Trusting network name resolution

Editorial Reviews

About the Author

Michael Howard is is a principal security program manager on the Trustworthy Computing Group’s Security Engineering team at Microsoft. He is the author or coauthor of many well-known software security books and is an editor of IEEE Security & Privacy.

David LeBlanc, Ph.D., is a principal software development engineer on the Microsoft Office security team. He is a coauthor, with Michael Howard, of Writing Secure Code (Microsoft Press).

John Viega is CTO of the SaaS Business Unit at McAfee and was previously their chief security architect. He is the author of five other security books. Mr. Viega first defined the 19 deadly sins of software security for the Department of Homeland Security.

Product Details

• Paperback: 432 pages
• Publisher: McGraw-Hill Osborne Media; 1 edition (September 3, 2009)
• Language: English
• ISBN-10: 0071626751
• ISBN-13: 978-0071626750
• Product Dimensions: 9.2 x 7.3 x 0.9 inches
• Shipping Weight: 1.6 pounds (View shipping rates and policies)
• Average Customer Review: 3.7 out of 5 stars  See all reviews (3 customer reviews)
• Amazon Best Sellers Rank: #76,279 in Books (See Top 100 in Books)

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews

4 of 5 people found the following review helpful:

4.0 out of 5 stars 24 Deadly Sins of Software Security, August 9, 2010

By 

Mike Lyman - See all my reviews

Amazon Verified Purchase

This review is from: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them (Paperback)

24 Deadly Sins carries on in the great tradition of the original 19 Deadly Sins but has expanded to cover problems that have developed since then as well as added coverage for more programing languages. It serves as a great introduction to the most common problems in software development that lead to security issues without getting bogged down in the weeds on any of them. It does not go into a great deal of detail so if that is what you are looking for this isn't the book you want but it does do what it sets out to do.

The organization of the book lends itself to a straight read through and as a jump around reference to cover the problems you need to look at when you need to look at them. Most chapters stand alone quite well and most references to other chapters are about closely related sins. It describes the basics of the problem, goes into more detail and helps you try to spot the problem in various languages. It covers some of the ways you can avoid the problems and provides additional remediation if available.

The book lends itself to being a decent text book on software security problems and its basic structure is not a bad approach to an introduction to the topic. I've been teaching an introduction to secure development class for a couple of years that was mostly based on the original book and I'm finishing updating that to the new 24 Deadly Sins breakdown.

1 of 1 people found the following review helpful:

5.0 out of 5 stars Great Summarization, December 6, 2011

By 

W. Conklin (Houston, TX) - See all my reviews
(REAL NAME)   

Amazon Verified Purchase

This review is from: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them (Paperback)

This book is the update to the 19 Deadly Sins, and does a tremendous job summarizing the information needed to understand the types of errors prevalent in software today. This is not a book with all the details behind the causes, fixes, etc. For those details, I would refer my students (and do) to Michael's other great book "Writing Secure Code, Second Edition". And for process related material, "The Security Development Lifecycle".

Howard is the real deal, a straight shooter and known for telling it like it is. This book is no different - no fluff, no extraneous material, just the stuff every project manager of a software development effort should know, so they know what to ask of their team.

1 of 2 people found the following review helpful:

2.0 out of 5 stars Disappointing In Lack of Detail, October 21, 2011

By 

Jamison D. Dance (Provo, UT USA) - See all my reviews
(REAL NAME)   

Amazon Verified Purchase

This review is from: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them (Paperback)

If you just look at the table of contentes, you might believe this book covers basic application security very thoroughly. However, reading the actual treatment of each topic is very disappointing. The actual explanations of the attacks and how to defend against them are difficult to follow and vague. If you didn't know what XXS was before reading this book, you probably still don't know after. Maybe the authors didn't want to encourage attackers by demonstrating actual attacks, but the book suffers greatly from not illustrating the "sins" with example attacks. Not a good introduction to application security.

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws is a much better treatment of security in web applications if that is what you are looking for.