Programming Books C Java PHP Python Learn more Browse Programming Books

Sorry, this item is not available in
Image not available for
Image not available

To view this video download Flash Player

Due Date: Aug 16, 2014

FREE return shipping at the end of the semester.

Access codes and supplements are not guaranteed with rentals.
Have one to sell? Sell yours here
Tell the Publisher!
I'd like to read this book on Kindle

Don't have a Kindle? Get your Kindle here, or download a FREE Kindle Reading App.

Secure Coding: Principles and Practices [Paperback]

by Mark G. Graff, Kenneth R. van Wyk
4.6 out of 5 stars  See all reviews (19 customer reviews)

In Stock.
Free Two-Day Shipping for College Students with Amazon Student


Amazon Price New from Used from
Hardcover --  
Paperback --  
Shop the new
New! Introducing the, a hub for Software Developers and Architects, Networking Administrators, TPMs, and other technology professionals to find highly-rated and highly-relevant career resources. Shop books on programming and big data, or read this week's blog posts by authors and thought-leaders in the tech industry. > Shop now

Book Description

July 2003 0596002424 978-0596002428 1st

Practically every day, we read about a new type of attack on computer systems and networks. Viruses, worms, denials of service, and password sniffers are attacking all types of systems -- from banks to major e-commerce sites to seemingly impregnable government and military computers --at an alarming rate.

Despite their myriad manifestations and different targets, nearly all attacks have one fundamental cause: the code used to run far too many systems today is not secure. Flaws in its design, implementation, testing, and operations allow attackers all-too-easy access.

Secure Coding, by Mark G. Graff and Ken vanWyk, looks at the problem of bad code in a new way. Packed with advice based on the authors' decades of experience in the computer security field, this concise and highly readable book explains why so much code today is filled with vulnerabilities, and tells readers what they must do to avoid writing code that can be exploited by attackers. Writing secure code isn't easy, and there are no quick fixes to bad code. To build code that repels attack, readers need to be vigilant through each stage of the entire code lifecycle:

  • Architecture: during this stage, applying security principles such as "least privilege" will help limit even the impact of successful attempts to subvert software.
  • Design: during this stage, designers must determine how programs will behave when confronted with fatally flawed input data. The book also offers advice about performing security retrofitting when you don't have the source code -- ways of protecting software from being exploited even if bugs can't be fixed.
  • Implementation: during this stage, programmers must sanitize all program input (the character streams representing a programs' entire interface with its environment -- not just the command lines and environment variables that are the focus of most security analysis).
  • Testing: during this stage, programs must be checked using both static code checkers and runtime testing methods -- for example, the fault injection systems now available to check for the presence of such flaws as buffer overflow.
  • Operations: during this stage, patch updates must be installed in a timely fashion. In early 2003, sites that had diligently applied Microsoft SQL Server updates were spared the impact of the Slammer worm that did serious damage to thousands of systems.

Beyond the technical, Secure Coding sheds new light on the economic, psychological, and sheer practical reasons why security vulnerabilities are so ubiquitous today. It presents a new way of thinking about these vulnerabilities and ways that developers can compensate for the factors that have produced such unsecured software in the past. It issues a challenge to all those concerned about computer security to finally make a commitment to building code the right way.

Editorial Reviews


"This is an extremely useful little book in best O'Reilly tradition and I recommend it not only to programmers but also to security architects who work with programmers. It gives you a lot of insights that you don't often come across." Information Security Bulletin, September

About the Author

Kenneth R. van Wyk is an internationally recognized information security expert and author of the O'Reilly Media books, Incident Response and Secure Coding. In addition to providing consulting and training services through his company, KRvW Associates, LLC, he currently holds numerous positions: as a monthly columnist for on-line security portal, eSecurityPlanet, and a Visiting Scientist at Carnegie Mellon University's Software Engineering Institute.

Ken has 20+ years experience as an IT Security practitioner in the academic, military, and commercial sectors. He has held senior and executive technologist positions at Tekmark, Para-Protect, Science Applications International Corporation (SAIC), in addition to the U.S. Department of Defense and Carnegie Mellon and Lehigh Universities.

Ken also served a two-year elected position as a member of the Steering Committee, and a one-year elected position as the Chairman of the Steering Committee, for the Forum of Incident Response and Security Teams (FIRST) organization. At the Software Engineering Institute of Carnegie Mellon University, Ken was one of the founders of the Computer Emergency Response Team (CERT®). He holds an engineering degree from Lehigh University and is a frequent speaker at technical conferences, and has presented papers and speeches for CSI, ISF, USENIX, FIRST, AusCERT, and others. Ken is also a CERT® Certified Computer Security Incident Handler.

Product Details

  • Paperback: 200 pages
  • Publisher: O'Reilly Media; 1st edition (July 2003)
  • Language: English
  • ISBN-10: 0596002424
  • ISBN-13: 978-0596002428
  • Product Dimensions: 9.1 x 6 x 0.6 inches
  • Shipping Weight: 10.6 ounces
  • Average Customer Review: 4.6 out of 5 stars  See all reviews (19 customer reviews)
  • Amazon Best Sellers Rank: #647,410 in Books (See Top 100 in Books)

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

4.6 out of 5 stars
4.6 out of 5 stars
Most Helpful Customer Reviews
18 of 19 people found the following review helpful
5.0 out of 5 stars Some reviewers missing the point. November 17, 2003
Some of the reviewers here are missing the point of this book. It's not a "secure code cookbook" in that it doesn't give specific code examples. Such things are quickly obsolete anyway.
This book teaches you how to *think* about security, how to think about and *design* code that will be secure. It isn't a "add this snippit of code to your input buffer validation function" sort of book. There are many of these books, and they're useful in their place, but this book writes about the design of secure code, not the actual specifics.
To continue the cooking analogy, this is a book on how to write receipes, not a book *of* receipes.
Disclaimer, I helped review this book - and I think it's the sort of work that has been sorely missing in the field (I was also given a free copy for doing the review work).
Jeremy Allison,
Samba Team.
Comment | 
Was this review helpful to you?
21 of 23 people found the following review helpful
3.0 out of 5 stars A good step in the right direction October 8, 2003
Format:Paperback|Verified Purchase
You may have a hi-tech lock on your door, 100% unpickable. If I can just slam my shoulder against the door and jerk it loose from the frame, the fancy lock is irrelevant.
Passwords, encryption, and all the rest are the lock. This book is more about making the door and frame strong. Remember the Blaster worm? That wasn't a 'security' problem. It exploited bugs in Windows that supposedly had nothing to do with security.
This book is about building programs that resist attack. That doesn't mean copying a safe code fragment into your program and declaring it safe - that idea is ludicrous. Instead, this book is about the process that designs and implements strong programs. It starts with architecture and design documents, then follows through to design and maintenance.
The weakness of this book is lack of detail - how to build fail-safe code, what needs to be on design and inspection checklists, etc. There's good reason for that: each sub-topic needs books, if not whole libraries of its own. Take fault tolerance, for example. It may not sound like security, but an attack is meant to cause system failures, and fault tolerance is design to withstand failures. Fault tolerance is a huge topic, with journals and literature all its own. This book can barely mention the idea, while still giving other topics their due. It's a start, though.
Much of the advice may sound drearily familiar: code reviews, security audits, configuration control, error checking, and all the other things that take the 'fun' out of programming. If people want that kind of 'fun', then stop calling them software engineers. They're not ready for adult responsibilities.
Before anything else, software security requires correct behavior from a program. I really hope I don't hear objections to that as a basic design goal.
Comment | 
Was this review helpful to you?
20 of 22 people found the following review helpful
5.0 out of 5 stars Holistic Security November 29, 2003
In the 11th century, Moses Maimonides taught us that the highest form of charity is to teach a man to fish. If you give him a fish, he can eat today. If you teach him to fish he can eat forever.
In the same way, Mark G. Graff and Kenneth R. van Wyk have provided an excellent book that gives us a framework for thinking about security rather than trying to give specific rules that might have been invalid before the book came off the press. "Secure Coding" gives the reader the ability to envision, architect, design, code, and implement a security framework that truly meets the needs of its stakeholders.
The authors don't provide a cookbook. In their own words: "When you picked up this book, perhaps you thought that we could provide certain security? Sadly, no one can."
Instead, they deliver a robust mental model and a framework to understand security and to architect, design, develop, and operate secure systems. They present best practices in the field of security, the reasons for using them, and suggestions on deciding which practices are appropriate in your particular case.
Their approach is to realize that the objective is not to make a system totally secure, but to make it just secure enough. Deciding what is "just secure enough" is a business and not a technical decision. It is based on weighing risk versus cost.
There are substantial references throughout the book as well as an appendix of resources. The book is filled with examples of security failures and, more importantly, an excellent post mortem on each to show what could have been done to avoid the problem. The authors are extremely familiar with UNIX environments and this comes through in the examples. However, you don't need to be a UNIX guru to glean valuable lessons from the examples.
Read more ›
Comment | 
Was this review helpful to you?
13 of 14 people found the following review helpful
5.0 out of 5 stars Just plain good January 28, 2004
My job is fixing security vulnerabilities in applications.
This book offers a great description of how to creat applications that don't need fixing. It should be required reading for anyone involved in the world of software creation - from management to coders.
The content is well explained, engaging and clearly written.
A good job well done!
Comment | 
Was this review helpful to you?
13 of 14 people found the following review helpful
5.0 out of 5 stars If you manage coders, read this book August 11, 2003
In information security there are books about things and books on how to do things, this is a book *about* things.
Secure coding doesn't tell you how to write secure code, the purpose is to you a clear understanding of the enviornment needed to ensure application development is being done in a sane and robust way.
I was a bit nervous when one of the authors asked me to do a review of this book; I had just finished reviewing Inside Java, a masterpiece, but a tough read with a code example on every other page. Secure Coding is almost the polar opposite. There are only a couple examples of actual code. Instead the book weighs in at less than 200 content pages and is very approachable.
If you are responsible for managing software developers, then you should buy this book, read this book and make certain you understand what it teaches! This will prepare you for serious discussions with your coders and give you the questions to ask to ensure they are using good practice.
Comment | 
Was this review helpful to you?
Most Recent Customer Reviews
3.0 out of 5 stars very good 150-page book embedded in 200-page book
The book contains much useful advice, and the authors are knowledgeable and experienced in the area. Read more
Published on December 6, 2011 by bearieq
5.0 out of 5 stars Secure Coding
Great book! It's not very big but a lot of useful information. I am very pleased with this purchase. You get very good grasp on what secure coding is about.
Published on September 14, 2011 by Chingying L. Sloan
3.0 out of 5 stars Book is great but doesn't conform to its title
I am not an information security expert nor by profession but has been preparing myself to enter this interesting field for sometime now and this is the first book I bought related... Read more
Published on April 2, 2010 by Rommel Garcia
5.0 out of 5 stars Looking to get started with Software Security? Start Here.
When my clients are starting down the road to software security and ask me what book is the best starting place, this is the one I recommend. Read more
Published on February 13, 2007 by Gunnar Peterson
5.0 out of 5 stars "Secure Coding" Should Be THE BIBLE For IT Professionals
There are some books that I believe should be mandatory reading for any person studying computer science, information technology auditing, or some other related fields, and that... Read more
Published on July 12, 2005 by Christopher Byrne
5.0 out of 5 stars much-needed and indispensable
This is an excellent book that should be read by all software developers, script writers, system administrators, application designers, and system maintainers. Read more
Published on February 8, 2004 by James J. Lippard
4.0 out of 5 stars Required reading for programmers serious about security
In the movie Seabiscuit, the titular racehorse doesn't appear on screen until almost an hour into the movie. Nevertheless, the wait is worth it, and the movie was a blockbuster. Read more
Published on January 2, 2004 by Ben Rothke
5.0 out of 5 stars Secure Coding: Logico Philosophicus
Secure Coding is not a "technical" book, at least not in the traditional sense of the term. Read more
Published on August 21, 2003
5.0 out of 5 stars What every coder should read before programming
Graff and van Wyk's book is great for both an IT manager to get up to speed quickly on security concepts as well as for a coder who needs checklists and case studies to learn from. Read more
Published on August 15, 2003 by "ryan8391"
Search Customer Reviews
Only search this product's reviews

What Other Items Do Customers Buy After Viewing This Item?

Sell a Digital Version of This Book in the Kindle Store

If you are a publisher or author and hold the digital rights to a book, you can sell a digital version of it in our Kindle Store. Learn more


There are no discussions about this product yet.
Be the first to discuss this product with the community.
Start a new discussion
First post:
Prompts for sign-in

Look for Similar Items by Category