Programming Books C Java PHP Python Learn more Browse Programming Books
19 Deadly Sins of Software Security: Programming Flaws an... and over one million other books are available for Amazon Kindle. Learn more
Have one to sell? Sell on Amazon
Flip to back Flip to front
Listen Playing... Paused   You're listening to a sample of the Audible audio edition.
Learn more
See all 2 images

19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them (Security One-off) Paperback – July 26, 2005

ISBN-13: 978-0072260854 ISBN-10: 0072260858 Edition: 1st

23 New from $14.98 50 Used from $0.53
Amazon Price New from Used from
Kindle
"Please retry"
Paperback
"Please retry"
$14.98 $0.53

There is a newer edition of this item:

Free%20Two-Day%20Shipping%20for%20College%20Students%20with%20Amazon%20Student


Frequently Bought Together

19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them (Security One-off) + Hacking: The Art of Exploitation, 2nd Edition + The Shellcoder's Handbook: Discovering and Exploiting Security Holes
Buy the selected items together

NO_CONTENT_IN_FEATURE

Shop the new tech.book(store)
New! Introducing the tech.book(store), a hub for Software Developers and Architects, Networking Administrators, TPMs, and other technology professionals to find highly-rated and highly-relevant career resources. Shop books on programming and big data, or read this week's blog posts by authors and thought-leaders in the tech industry. > Shop now

Product Details

  • Series: Security One-off
  • Paperback: 304 pages
  • Publisher: McGraw-Hill Osborne Media; 1 edition (July 26, 2005)
  • Language: English
  • ISBN-10: 0072260858
  • ISBN-13: 978-0072260854
  • Product Dimensions: 9.2 x 7.4 x 0.6 inches
  • Shipping Weight: 1.1 pounds
  • Average Customer Review: 4.5 out of 5 stars  See all reviews (13 customer reviews)
  • Amazon Best Sellers Rank: #551,372 in Books (See Top 100 in Books)

Editorial Reviews

From the Back Cover

“Ninety-five percent of software bugs are caused by the same 19 programming flaws.” —Amit Yoran, Former Director of The Department of Homeland Security’s National Cyber Security Division

Secure your software by eliminating code vulnerabilities from the start. This essential book for all software developers--regardless of platform, language, and type of application--outlines the 19 sins of software security and shows how to fix each one. Best-selling authors Michael Howard and David LeBlanc, who teach Microsoft employees how to write secure code, have partnered with John Viega, the man who uncovered the 19 deadly programming sins to write this hands-on guide. Detailed code examples throughout show the code defects as well as the fixes and defenses. If you write code, you need this book. Eliminate these security flaws from your code:

  • Buffer overruns
  • Format string problems
  • Integer overflows
  • SQL injection
  • Command injection
  • Failure to handle errors
  • Cross-site scripting
  • Failure to protect network traffic
  • Use of magic URLs and hidden forms
  • Improper use of SSL
  • Use of weak password-based systems
  • Failure to store and protect data securely
  • Information leakage
  • Trusting network address resolution
  • Improper file access
  • Race conditions
  • Unauthenticated key exchange
  • Failure to use cryptographically strong random numbers
  • Poor usability

Michael Howard, CISSP, is an architect of the security process changes at Microsoft and a co-author of Processes to Produce Secure Software published by the Department of Homeland Security’s National Cyber Security Division. He is a Senior Security Program Manager in the Security Engineering Group at Microsoft Corporation and co-author of Writing Secure Code (Microsoft Press). David LeBlanc, Ph.D., is Chief Software Architect for Webroot Software, and was formerly Security Architect in the Office group at Microsoft. He is co-author of Writing Secure Code. John Viega is the CTO of Secure Software. He first defined the 19 deadly sins of software security for the Department of Homeland Security. He is co-author of many security books including Building Secure Software (Addison-Wesley).

About the Author

Michael Howard is a senior security program manager in the security engineering group at Microsoft Corporation, and a co-author of the award-winning Writing Secure Code. He is a co-author of Basic Training in IEEE Security and Privacy Magazine and a co-author of the National Cyber Security Task Force “Processes to produce Secure Software” document for the Department of Homeland Security. As an author of the Security Development Lifecycle, Michael spends most of his time is spent defining and enforcing security best practice and software development process improvements to deliver more secure software to normal humans.

David LeBlanc, Ph.D., is currently Chief Software Architect for Webroot Software. Prior to joining Webroot, he served as security architect for Microsoft's Office division, was a founding member of the Trustworthy Computing Initiative, and worked as a white-hat hacker in Microsoft's network security group. David is also co-author of Writing Secure Code and Assessing Network Security, as well as numerous articles. On good days, he'll be found riding the trails on his horse with his wife, Jennifer.

John Viega discovered the 19 deadly programming flaws that received such press and media attention, and this book is based on his discovery. He is the Founder and Chief Scientist of Secure Software(www.securesoftware.com), is a well-known security expert, and coauthor of Building Secure Software (Addison-Wesley), Network Security with OpenSSL (O'Reilly) an Adjuct Professor of Computer Science at Virginia Tech (Blacksburg, VA) and Senior Policy Researcher at the Cyberspace Policy Institute, and he serves on the Technical Advisory Board for the Open Web Applications Security Project. He also founded a Washington, D.C. area security interest group that conducts monthly lectures presented by leading experts in the field. John is responsible for numerous software security tools, and is the original author of Mailman, the GNU mailing list manager. He holds a B.A. and M.S. in Computer Science from the University of Virginia. He is the author or coauthor of nearly 80 technical publications, including numerous refered research papers and trade articles. He is coauthor of Building Secure Software, Network Security and Cryptography with OpenSSL and The Secure Programming Cookbook for C and C++.


More About the Authors

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

4.5 out of 5 stars
5 star
7
4 star
5
3 star
1
2 star
0
1 star
0
See all 13 customer reviews
This one might be even better.
Charles Bradley
The book gives a great overview of software security issues yet at the same time provides granular examples and solutions that can be readily implemented.
M. J. Hubbell
Software applications developers, irrespective of which platform or language they use to write code, should consider this book required reading.
Ben Rothke

Most Helpful Customer Reviews

18 of 18 people found the following review helpful By Richard Bejtlich on November 1, 2006
Format: Paperback
I read six books on software security recently, namely "Writing Secure Code, 2nd Ed" by Michael Howard and David LeBlanc; "19 Deadly Sins of Software Security" by Michael Howard, David LeBlanc, and John Viega; "Software Security" by Gary McGraw; "The Security Development Lifecycle" by Michael Howard and Steve Lipner; "High-Assurance Design" by Cliff Berg; and "Security Patterns" by Markus Schumacher, et al. Each book takes a different approach to the software security problem, although the first two focus on coding bugs and flaws; the second two examine development processes; and the last two discuss practices or patterns for improved design and implementation. My favorite of the six is Gary McGraw's, thanks to his clear thinking and logical analysis. The other five are still noteworthy books. All six will contribute to the

production of more security software.

The main reason to read 19DS is to quickly become acquainted with various security problems facing software developers. At less than 300 pages, it's not a thick tome like WSC2E. 19DS also is not afraid to mix bugs (coding errors, like buffer overflow conditions) with flaws (design problems, like "failing to protect network traffic.") This sort of lax categorization bothers me (and Gary McGraw, as noted in his book "Software Security"), but it shouldn't interfere with the quality content of 19DS.

Probably the most interesting aspect (to me) of 19DS was sin 10, which discussed problems with Secure Sockets Layer (SSL). The chapter didn't describe algorithmic or protocol problems. Instead, it explained how programmers make poor assumptions about the features provided by their language of choice with respect to SSL. For example, many SSL libraries do not properly validate certificates.
Read more ›
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
10 of 11 people found the following review helpful By Thomas Duff HALL OF FAMETOP 1000 REVIEWERVINE VOICE on September 3, 2005
Format: Paperback
With the continual alerts and patches for software vulnerabilities, it may appear that there is no way to write secure software. While I agree there are no "absolutes" when it comes to secure software, there are ways to greatly reduce your potential of writing software that can be exploited. 19 Deadly Sins Of Software Security - Programming Flaws and How To Fix Them by Michael Howard, David LeBlanc, and John Viega does an excellent job in helping you focus in on this subject...

Content: Buffer Overruns; Format String Problems; Integer Overflows; SQL Injection; Command Injection; Failing To Handle Errors; Cross-Site Scripting; Failing To Protect Network Traffic; Use Of Magic URLs And Hidden Form Fields; Improper Use Of SSL And TLS; Use Of Weak Password-Based Systems; Failing To Store And Protect Data Security; Information Leakage; Improper File Access; Trusting Network Name Resolution; Race Conditions; Unauthenticated Key Exchange; Cryptographically Strong Random Numbers; Poor Usability; Mapping The 19 Deadly Sins To The OWASP "Top Ten"; Summary Of Do's And Don'ts; Index

This book came out of a list developed by Homeland Security that declared that 95% of security issues in software came from 19 programming mistakes. What you read in these pages go into more detail about each of those issues, but in a very concise, practical, no-nonsense fashion. This is the type of information you'll need as a professional who needs to get a job done without wasting time on fluff and verbose writing. Each chapter covers one of the sins, and follows a standard format for the information.
Read more ›
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
11 of 13 people found the following review helpful By James Holmes on August 30, 2005
Format: Paperback
This book's a must-have addition to your bookshelf if you're at all concerned about developing secure software -- and you ought to be.

The book's format lends to quick reading of the most common security errors. Each "sin" breaks down into concise sections laying out an overview of the sin, what languages are effected, examples of the sin, redemption steps, extra defense measures, other resources on the sin, and a summary of the sin.

Most useful to me as a developer are the sections on patterns for spotting the sin, how to look for the sin during code reviews, and how to test for the sin.

The book's strengths are its concise discussion of each sin, and it's almost-cookbook format. You're able to quickly find exactly what you need in the book. The book also covers a wealth of languages: C/C++, C#, Java, Perl, VB/VB.NET, plus quite the major different platforms: Macs, *nix, and Windows.

The concise nature of the book is also its weakness. Some of the examples aren't explained very well -- it's expected that the reader is experienced enough to figure out exactly what the errors are. This may overwhelm developers new to a particular language if they're not motivated enough to track down further information.

However, more information and examples would weigh this book down and make it less attractive and useful. Use this book as a general (and sometimes specific) guide, but look elsewhere for specifics on implementation.
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
8 of 9 people found the following review helpful By Ben Rothke on February 1, 2006
Format: Paperback
If George Santayana were to recommend a security book, it would certainly be 19 Deadly Sins of Software Security. Santayana is the poet-philosopher widely known for saying, "Those who cannot remember the past are condemned to repeat it." For far too long, software developers have been making the same mistakes in programming as if they were incapable of remembering their past errors.

Poorly written software lies behind nearly every computer security vulnerability. Amit Yoran, former director of the National Cyber Security Division of the U.S. Department of Homeland Security, is quoted as saying that "95 percent of software bugs are caused by the same 19 programming flaws." These flaws are the so-called "deadly sins" of the title.

The book covers these 19 programming flaws, which include the most devastating types of coding and architectural errors, such as buffer overflows, format string problems, cross-site scripting, and insufficient encryption. Each flaw gets its own chapter, which features a brief introduction to the problem, sample code depicting each "sin," ways to detect the problem during code review, a description of tools and techniques to test for the defect, and defensive measures that make it more difficult for someone to exploit the weakness.

None of the text is extraneous, as it economically addresses a wealth of the most popular platforms and languages. These include Windows, Linux, UNIX, C/C++, C#, Java, PERL, and more.

Software applications developers, irrespective of which platform or language they use to write code, should consider this book required reading. Were he a techie, Santayana might have said that those who have written insecure code in the past are condemned to continue to write insecure code in the future. Programmers need only read this book to help put an end to that vicious cycle.
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again

Most Recent Customer Reviews