Customer Reviews

Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More

5 star:		(8)
4 star:		(1)
3 star:		(2)
2 star:		(0)
1 star:		(1)

 

 

I thought I'd offer some insight on this book, particularly in light of a recently posted bad review that makes a bunch of criticisms that are quite wrong (I am pretty sure the review is due to a personal grudge held by someone who hasn't even read the book).

First, the goal of this book is to be a reference people can use to find solutions for "doing it right", not an elementary text on secure coding principles that gives a bunch of high-level advice that's still difficult to apply securely in practice. Security-relevant design and architecture principles are followed and discussed, but there's definitely a stated assumption that you have read a more elementary book such as "Building Secure Software", "Writing Secure Code" or the free "Secure Programming for Linux and UNIX HOWTO".

Second, the book covers all common security problems one sees in C and C++ programs, going so deep as to give working code and in-depth discussions. It spends hundreds of pages on how to implement and integrate cryptography into applications securely, a topic that is almost completely ignored in the elementary books (and even ignored in most crypto books, which teach building blocks, more than how to use them securely).

Many security problems that affect programs are largely language independent. We give C++-specific code in the few cases where there are C++-specific issues. But, for the most part, problems apply equally to C and C++. In those cases, the code is written in a subset of C that will work directly in C++ programs, but we don't take advantage of C++-specific features. To do so would result in a book nearly 1500 pages long!

All topics are covered for both Microsoft and Unix platforms (much of the code is cross-platform, and was tested on both). There are a couple of instances where a problem or solution doesn't apply to a particular platform. For example, "shatter" attacks are Windows specific, and the jail() protection mechanism works only on FreeBSD, not Windows. We have no platform bias, and even had the leading Windows secure programming expert from Microsoft review things.

This book gives detailed solutions for secure programming in a level of detail that no other book yet does, covering many topics that other books completely ignore.

To be truthful, I bought this book because the "gang" I hang out with is mentioned in the Acknowledgments section of the book. That was the ONLY reason when I sent money to Amazon.Com and purchased it for the dusty collection on my bookshelf.

But, when I got it and chuckled over the Acknowledgements section, I started to mindlessly flip through the book. Mindless page flipping soon turned to semi-conscious scanning. Semi-conscious scanning soon turned to serious reading. I find myself reading the book more and more, jumping back and forth between sections I find interesting and useful.

As a Windows C++ programmer for in-house tools, I do not dwell much on secure programming concepts. Yes, this is very, very bad way to program, so those of you reading this review should not try it at home. This book has shown the errors of my ways, revealed security issues that I have overlooked by accident or on purpose and gave concepts and examples that I can apply in my projects.

This book is one reference that I will be going back over and over again. The authors and editors have done a wonderful job to make the reading flow nice and easy. It is also very well laid out by stating the problem you may encounter, followed by a solution and then detailed discussion section with code samples.

For any C/C++ programmer making software to be used by more than one person, this reference book is a must.

You can still read the Acknowledgments and marvel at my name on there, of course.

If you are interested in encryption, you should probably get Bruce Schneier's Applied Cryptography, which is generally considered the standard summary of the field. But suppose you actually want to use some of the symmetric key or public key methods he describes? If you want to code from scratch, his book is a good starting point. But if you want to quickly avail yourself of the best existing methods and you don't want to reinvent the wheel by recoding? Also, it can be risky to do that. A mistake made in coding a crypto algorithm might render it insecure. Better to use reviewed, tested code.

If this describes your needs and you code in C or C++, then this book will be invaluable. Extensive code fragments that show how you can interface to existing crypto packages. Very detailed. You won't find theorems or any elegant maths here. No Chinese Remainder Theorem or Fermat's theorems. You have to already know or accept the theoretical underpinnings.

Given this, the book takes you into the nitty gritty of every major publicly available cryptosystem. With up to date assessments of their comparative strengths.

All of the above is aimed at application developers. The book also has sections for sysadmins of both unix and Microsoft operating systems, replete with suggestions on patching and good practice.

Don't be daunted by the book's heft. It is encyclopaedic in scope, and access is reasonably random access. The authors have striven to comprehensively span the field. You don't have to read from start to finish before you can commence using it.

If you develop software, any kind of software, you need this book.

The importance of understanding the security surrounding the development of software is finally being realized. This book provides a complete reference for the secure implementation of common operations that software developers often fail to do correctly.

One of the best things about this book is that it covers so many topics that are often left out of secure programming texts. It is in cookbook format which is really nice for quick reference as well as accommodating readers that have different levels of experience in this area. Both the problem and the solution are explained and real source code is provided leaving the reader with an understanding of the risks, and practical solutions that can be incorporated into their software projects.

The topics that impressed me most were: privilege separation, secure child process creation, executing external processes, safe file and string operations, random number generation, input validation, and the ways to safeguard against many types of attacks. There are also many good tips for safeguarding networked applications. For the more intensive apps, there is in-depth coverage of symmetric and public key crypto, key management, using OpenSSL, and dealing with X.509 certs (including validation techniques).

It's nice to see so much useful information related to secure software development packed into a single resource!

The title "Secure Programming Cookbook" is more than a reach, but downright misleading. I bought this book fully expecting to find recipes for using OpenSSL's crypto library to generate CSRs, handle private CA functions such as create Digital ID Certificates, and other functions actually used in writing secure applications. What I found was the author spending more time talking about products and services offered by Verisign, and very little code whatsoever. There is some code for verifying a certificate, and downloading a revocation list, but sadly I've found more useful information reading OpenSSL's lackluster man pages than I have in this book. If you're looking for high level information about "how stuff works", or some simple command-line help, this book will suit you. If you're looking for content living up to the book's title - content that would actually help you implement things like PKI - you'll unfortunately come up short.

This well-written book covers a lot of topics that I have not read in other books.

Its strengths include:

--Good coverage of cryptography programming
--Task-oriented solutions to specific programming problems
--Easy to navigate "cookbook" style ("with recipes" as the authors call them)

However, some areas of improvement might be:

--Could use more coverage of important subjects (buffer overflows, etc.)
--spends a lot of space on narrower examples (like explaining certain APIs that are documented well online)
--Sometimes jumps into material without much background explanation (which was confusing for me)

It is probably not the first book you should read on the subject. This is more of a recipe guide that is useful if you get stuck on coding a particular topic that happens to be covered. The authors have done a good job of explaining what coverage they do and don't include.

There are many books on how to write programs in C and C++, and many people learn to write programs from them. What few (if any) of them tell you is the safe way to develop programs. With the release of Secure Programming Cookbook there is now a wealth of knowledge on the subject in one handy tome.

The examples are clearly written and show clearly how the recipe will help in specific or general situations. There are a lot of solid discussion of input validation, environment handling, string handling, access controls, and cryptography. In fact there was more crypto discussion than I expected, but it's all very good and if not applicable today, hopefully it will be some day.

This book is jam packed with excellent examples and discussion of ways to prevent programs from doing bad, and most of the time unexpected or unplanned, things. The diligent C or C++ programmer should add this as yet another volume on the bookshelf tool chest that is next to their desk. Smart programmers will realize that having this book will only help them in the long run.

This book is an asset to anyone whose profession requires them to write code. In this day and age code must be designed and written from the beginning with security in mind. The code contained in this book solve real problems that occur everyday in the programming world. I would go so far as to say the code in this book outlines particularly good practices that could be applied to other languages with relative ease as well. So whether you currently program C or C++, on Windows or *nixs, I believe you can get a lot out of this book. I recommend it highly and suggest you place it right next to your copy of Applied Cryptography. ;)

This is a well-written and example oriented book for C/C++ programmers that covers secure programming in all aspects. I had been using this book for last one year now and It helps me as a quick reference and also real source code demonstrating practical approaches that can be incorporated into their software projects.

The book needs a little update but still helps any aspiring C/C++ programmer involved with crypto.

If you are not sure that you need this book, then you probably don't. But if there is something it the table of contents that you've got to know, and you've got to get it right, then this would be a good book to have. Chapter 12 on Anti-Tampering was a really enjoyable read, though probably a futile task.