Amazon.com: Writing Secure Code (9780735615885): Michael Howard, David LeBlanc: Books
Writing Secure Code [Paperback]

Michael Howard (Author), David LeBlanc (Author)
4.3 out of 5 stars  See all reviews (38 customer reviews)


There is a newer edition of this item: Writing Secure Code, Second Edition.

Book Description

Published November 3, 2001. ISBN-10: 0735615888, ISBN-13: 978-0735615885
"Writing Secure Code" covers the major aspects of creating secure applications through the entire development process. Its short, easily-digested chapters can provide software designers, architects, developers, and testers with the training, theory, and techniques they need to take the right actions to ensure security.


Editorial Reviews

From the Publisher

No more malicious attacks! Learn the best practices for writing secure code, with samples in Microsoft Visual Basic®.NET, Visual C++®, Perl, and Visual C#®.

About the Author

Michael Howard is a security program manager on the Microsoft Windows XP team, focusing on secure design, programming, and testing techniques. He works with hundreds of people both inside and outside the company to help them secure their applications each year. He is the primary author of DESIGNING SECURE WEB-BASED APPLICATIONS FOR MICROSOFT WINDOWS 2000 from Microsoft Press. Prior to working on Windows XP, Michael worked on next-generation Web server technologies and IIS. He has worked on Windows NT® security since 1992.

David LeBlanc is a senior security technologist in ITG at Microsoft. His primary role is defending the Microsoft network from attack. He has worked in the security field throughout his professional life, including working at Internet Security Systems where he was the primary engineer on ISS’ award-winning security products. David serves on a number of external security-related advisory boards.


Product Details

  • Paperback: 477 pages
  • Publisher: Microsoft Press (November 3, 2001)
  • Language: English
  • ISBN-10: 0735615888
  • ISBN-13: 978-0735615885
  • Product Dimensions: 7.5 x 1.2 x 9.2 inches
  • Shipping Weight: 2.3 pounds

Customer Reviews

38 Reviews
5 star: 25
4 star: 5
3 star: 3
2 star: 4
1 star: 1
Average Customer Review: 4.3 out of 5 stars (38 customer reviews)

Most Helpful Customer Reviews

121 of 141 people found the following review helpful:
3.0 out of 5 stars Not writing non-secure code for Windows, November 30, 2003
By Dmitry Dvoinikov (Ekaterinburg, Russia)
The title of the book is misleading to begin with. The book is not about writing secure code. It's about (1) not writing non-secure code and (2) using Windows specific security APIs.

(1) Not writing non-secure code. Covers several issues, some more obvious, like buffer overruns and validating user input, some more complex, like escaping URLs and socket security. I thought the book would teach me best practices about organizing code, as in "do like I do". Instead it goes like "don't do like I'm telling you".

(2) Using Windows security APIs. This is THE BEST part of the book. Gives you a very good overview about several different APIs, including ACLs, protecting sensitive data, securing DCOM and .NET code, excellent tips on installing programs etc. etc.

Keep in mind that this book is said to be used internally within Microsoft with "security pushes", with the audience of 8000 people, including not only developers of all levels, but managers as well, therefore the book is by definition a high level overview.

Sometimes the book feels like an MS educational course. Ex. (tip on p.77) "I created the ... diagrams ... using ... Microsoft Visio Professional 2002". That's cool, but what does it have to do with security?

Some topics should never be there. How about 3 pages of tips for a kernel driver writer? It's a huge topic in itself, and how many readers outside MS do this anyway? Privacy issues are covered idealistically. Yeah, sure, if you put a specially crafted XML to the special place on your site, the users magically start trusting you... I'd better read about the real situation with privacy, not how the government rules it to be. Oh, and how about 40 pages about cryptography? Please...

The book tries to show you the security process with development and testing. I can easily see they use this process in Microsoft, with 8000 people. For a small team it's completely useless. How about using 4 (!) people for a code review? Sure, upon reading this book you will know that security code review is a must (if you have enough resources). Didn't you know that before?

The code samples are ugly. How about this: "... X is cool ... several pages of Perl (!) ... see what I mean?". Ok, one of the authors admits to being a Perl fan, but how am I supposed to read through all this gibberish? C(++) samples are not much better. Maybe they are fully functional and compilable and all, but please, they are huge and inconsistent in themselves.

All in all, 5 stars for Microsoft, 3 stars for the rest of the world.

22 of 26 people found the following review helpful:
5.0 out of 5 stars Great book if you're serious about writing secure code, January 30, 2003
I got this book for free from Microsoft, because our company became a Microsoft Partner. I must admit that at first I was a little bit sceptical about it, because after all this book is published by Microsoft and they have this reputation of selling rather insecure software themselves. But after reading the first few sections I knew it was going to be a very good read.

The book explains in very clear language almost every aspect of secure programming and gives a good overview of all common security flaws that can (and will!) enter your programming code. You'll learn how to securely design, implement, test and deploy your programs. Of course buffer overruns are handled (Public Enemy #1 according to the authors), but that's only the tip of the iceberg. The book does a great job by identifying and providing solutions to common security pitfalls. Topics that are handled include: database access, user privileges and Access Control, Cryptography, handling secret data, user input, encoding and internationalization, RPC, DCOM, DOS attacks, .NET and writing secure program documentation.

I recommend this book to every programmer out there, even if you're not programming for the Win32 platform. Don't let the fact that this is a Microsoft publication keep you from buying this book. If you are serious about writing secure programs this is the book to get.

18 of 21 people found the following review helpful:
5.0 out of 5 stars Best book I have read about secure software, December 27, 2001
By Mike Brava (Sydney, Australia)
Too many books talk about how to secure a network, and discuss network-based attacks, but this book is different; it covers how to design, build and test the code at the end of the pipe - the application software.

The book is complete in its explanation of how to make sure your application code, be it web-based or otherwise, is secured from attack.

I learned a great deal from this book, and, based on code and design reviews of my company's code, the authors obviously know what they are talking about - as we made a lot of fixes, and added many new security test cases to our test suites.

Simply put, we never knew we had problems, until we read this book, now it's mandatory reading for all our software engineers.

Inside This Book

First Sentence: In memory of all those people who needlessly perished on September 11, 2001.

Key Phrases - Statistically Improbable Phrases (SIPs): effective bit size, malicious user views, canonical representation issues, generating good random numbers, network bandwidth attacks, running with least privilege, testing secure applications, impersonation functions, canonicalization bugs, array indexing errors, resource starvation attacks, cnf case, hexadecimal escape codes, security test plan, trust user input, canonicalization issues, common security mistakes, heap overruns, epilog code, salted hash, format string bugs, storing secrets, restricted token, security hugs, packet privacy

Key Phrases - Capitalized Phrases (CAPs): Microsoft Windows, Microsoft Press, Visual Basic, Microsoft Visual, Internet Explorer, Visual Studio, Terminal Server, Internet Information Services, Ten Immutable Laws of Security, Program Files, Standard Template Library, United States, Internet Information Server, Internet Server, Table of Contents, Authenticated Users, Cryptographic Foibles, Internet Printing Protocol, Internet Protocol, Knowledge Base, Local Security Authority, Microsoft Corporation, Securing Web-Based Services, Active Template Library, Back Orifice