3 Reviews
4 of 5 people found the following review helpful:
4.0 out of 5 stars
24 Deadly Sins of Software Security,
Amazon Verified Purchase
This review is from: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them (Paperback)
24 Deadly Sins carries on in the great tradition of the original 19 Deadly Sins but has expanded to cover problems that have developed since then as well as added coverage for more programming languages. It serves as a great introduction to the most common problems in software development that lead to security issues without getting bogged down in the weeds on any of them. It does not go into a great deal of detail, so if that is what you are looking for, this isn't the book you want, but it does do what it sets out to do.
The organization of the book lends itself to a straight read-through and as a jump-around reference to cover the problems you need to look at when you need to look at them. Most chapters stand alone quite well and most references to other chapters are about closely related sins. It describes the basics of the problem, goes into more detail and helps you try to spot the problem in various languages. It covers some of the ways you can avoid the problems and provides additional remediation if available. The book lends itself to being a decent textbook on software security problems and its basic structure is not a bad approach to an introduction to the topic. I've been teaching an introduction to secure development class for a couple of years that was mostly based on the original book and I'm finishing updating that to the new 24 Deadly Sins breakdown.
1 of 1 people found the following review helpful:
5.0 out of 5 stars
Great Summarization,
Amazon Verified Purchase
This review is from: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them (Paperback)
This book is the update to the 19 Deadly Sins, and does a tremendous job summarizing the information needed to understand the types of errors prevalent in software today. This is not a book with all the details behind the causes, fixes, etc. For those details, I would refer my students (and do) to Michael's other great book "Writing Secure Code, Second Edition". And for process-related material, "The Security Development Lifecycle". Howard is the real deal, a straight shooter and known for telling it like it is. This book is no different - no fluff, no extraneous material, just the stuff every project manager of a software development effort should know, so they know what to ask of their team.
1 of 2 people found the following review helpful:
2.0 out of 5 stars
Disappointing In Lack of Detail,
Amazon Verified Purchase
This review is from: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them (Paperback)
If you just look at the table of contents, you might believe this book covers basic application security very thoroughly. However, reading the actual treatment of each topic is very disappointing. The actual explanations of the attacks and how to defend against them are difficult to follow and vague. If you didn't know what XSS was before reading this book, you probably still don't know after. Maybe the authors didn't want to encourage attackers by demonstrating actual attacks, but the book suffers greatly from not illustrating the "sins" with example attacks. Not a good introduction to application security. The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws is a much better treatment of security in web applications if that is what you are looking for.
24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them by Michael Howard (Paperback - September 3, 2009)