Customer Reviews

Secure Programming with Static Analysis

5 star:		(8)
4 star:		(2)
3 star:		(0)
2 star:		(1)
1 star:		(0)

 

 

After having read every secure programming book in print, this is the book I would recommend to both working developers and students. The abundance of code examples in C/C++ and Java help this book stand out from the shelf of other secure programming books, but that's just the beginning of what sets this book apart from the rest.

While most secure programming books focus on the basics of security mistakes like buffer overflows, they're short on how to find and fix security flaws in a large body of code. Most of us have too much code to inspect manually line by line by the next release, so this book shows the reader how to effectively use static analysis tools as a part of the code review process to automate finding security bugs. The CD that comes with the book has a working demo version of the Fortify Source Code Analyzer tool, so the reader can gain hands-on experience with static analysis.

Once you've found the bugs, you could attempt to fix them one by one, or you could fix them in a consistent, structured manner using secure design strategies to solve problems like input validation and memory management that are the source of so many security problems. Secure Programming with Static Analysis has a readable and practical discussion of these strategies, with many code examples so the reader can easily apply these strategies. It also shows how to use static analysis tools to ensure that all of your code follows these strategies, so that no input escapes validation.

Every software developer needs to know how to program securely, and there's no better place to start learning than this book.

In this exceptional book, Brian Chess and Jacob West provide an invaluable resource to programmers. Armed with with the hands-on instruction provided in Secure Programming with Static Analysis, developers will finally be in a position to fully utilize technological advances to produce better code. Reading this book is a prerequisite for any serious programming.

Every software developer who has to write secure code should read this book. This book will tell you how to use static analysis tools to help you build more secure software. It's a great primer for software developers who are new to static analysis and for security practitioners who want to learn how recent advances in the field can improve their software.

I reviewed an pre-release version. It's good stuff. It's well-written, easy to read, and tells you what you need to know without getting bogged down in the details. Brian Chess and Jacob West have a great deal of experience in this area and they do a good job of conveying pragmatic information you can apply in practice to improve your software.

I had the privilege to read the manuscript of this book before its publication. Highly recommended to developers who are starting to learn application security from a more practical view. With lots of real code examples, this book explains security vulnerabilities from a coding practice perspective, which is unique and easy for an average developer to understand. In my opinion, this book is extremely valuable for an organization to promote security into a software development life cycle(SDLC). It uses easy-to-understand "coding" language and examples to explain many of the vulnerabilities and security concepts that are usually hard to learn for developers with little security experience and expertise. A must-have application security book for the average developers.

I brought this book as a course requirement and it has been much more than that. This book enlightens you with situations which you would have encountered previously but never realized how an adversary could exploit the situation to either break into your system or just cause havoc from outside. The authors have shared their company Software named Fortify which helps us analyze programs using static analysis. The only drawback is that the software is an out of date one which refuses to configure with windows 7 system and requires XP compatibility. Also understandably it is a demo version which has extreme constrains on the size of code being analyzed. Wish the authors would have looked into these minor details.

If you are an architect who really serious about building security to your large-scale applications, then this book would offer only a hello world to security. All you find is a full-blownup security chapter "Part 1 and 2" for Standalone application applications beyond that nothing but google-able content. The worst is Part III discusses on web apps, XML web services security, privacy and privileged programs - poorly written and highly repetitive content. To the most disappointment, there is no chapter to show how to put-to-gether all these stuff in a real world enterprise application. I also noticed the book if has the same Java examples from the Java site. The chapter on Web services security is a joke, shows the authors lack of understanding on Web services security fundamentals. After browsing all the pages, I don't found anything that shows how to incorporate them in a working security architecture. The book also trying to promote a product, maybe this book is relevant for those use the author suggested products.

I reviewed (gratis) this manuscript while in production...

Although there are several books that cover various aspects of software security practices, including my own, this one delves deeply into the most vital aspect of secure software development -- static code analysis.

It's something that far too few software developers practice and yet something that everyone writing software ought to be doing. There is simply no excuse any more for pervasive problems like buffer overflows, SQL injection, or cross-site scripting. ALL of these things can be prevented through static code analysis, like the type described in this book.

If you write software, buy and READ this book, and then refer to it every day.

First. Full disclosure. I am an ex-employee of Fortify Software. Second. I was a reviewer of this book. That said... I'd say the target audience for this book is 50% of developers and all the tire-kickers who don't think static analysis is possible (let alone accurate).

Why only 50% of developers? This is based upon one of my own heuristics when putting together (or working in large) development teams. i.e. 50% of the developers in the world shouldn't even be writing code, and, the world would be safer place if they weren't. Unfortunately they are. And, they need tools. And, one of those tools should be a static analysis tool focused on software security. I've only scanned a few hundred million lines of code at Fortune 500 companies over the past 5 years. And, the vast majority of that code proves to me that 50% of developers couldn't even write (compilation error free) a `Hello World' from scratch let alone find all of the cross-site scripting or buffer overflows in their own production code.

The tire-kickers are the other 50% of developers (architects, lead developers, etc). They need to try; findbugs, FxCop, splint, and the tool on the accompanying CD of this book. Some will be too smart to use a tool like the one in the accompanying CD. They won't see the value in giving their developers a tool that simply checks for the obvious. They have the policies in place that completely eliminate the possibility of the other developers `introducing vulnerabilities' into the code base and/or `checking in code that breaks the the build'. Wow! ... Other tire-kickers are not so smart. (Again, full disclosure. I'd fit into that category.) The only question that I would hope to answer from reading this book is; If I give a tool as described in this book to my dumbest developer... will they be able to produce better code. I know the answer. YOU have to read this book.

This outstanding book is written by two experts in static analysis, Brian Chess and Jacob West. Not only are these guys grounded in real computer science (both with graduate CS degrees focused on static analysis), but the best part is that they are practical too (they are the technical team behind the world's best static analysis tool for security).

There are seven software security touchpoints (or best practices) that every organization should integrate into its software development lifecycle (I describe them in detail in my book Software Security). The first and most important touchpoint is code review with a static analysis tool. If you are wondering what that means, buy this book.

If you are a developer worried about spotting security bugs in your code you need this book.

If you are a development manager who wants to build secure software you need this book.

If you are a lawyer interested in the state of the practice in software security you need this book.

If you work for Microsoft boy do you need this book.

Taking software security to the next level is an important intellectual achievement. Kudos to Brian and Jacob for a job well done.

gem
[...]

Chess and West describe methods of building security into your coding projects. As an integral part of the development process. There are tools out there which perform the static analysis described in the text. These are far removed from the early tools, which the book correctly describes as glorified grep. (That is, they were merely fancy parsers.)

The tools are not definitive, as you are cautioned. Often, their greatest virtue can be to point out source code that should be subject to manual scrutiny. In a large code base, of hundreds of thousands of lines, this can be invaluable assistance.

A quick comparative summary of various bug and security tools is also provided in Chapter 2. Specifically, figure 2.2 is a nice qualitative summary of these tools.

Various chapters of the book deal with problems also covered elsewhere. Like finding buffer overflows. Especially with string logic. While the Web also is now a source of weaknesses in web applications that are weak in input and output validation. You have to carefully filter anything that you solicit as user input on a web page.