Writing Secure Code, Second Edition
Writing Secure Code, Second Edition [Paperback]

Michael Howard (Author), David LeBlanc (Author)
Book Description

Published January 4, 2003; ISBN-10 0735617228; ISBN-13 978-0735617223; 2nd ed.

Keep black-hat hackers at bay with the tips and techniques in this entertaining, eye-opening book! Developers will learn how to padlock their applications throughout the entire development process—from designing secure applications to writing robust code that can withstand repeated attacks to testing applications for security flaws. Easily digested chapters reveal proven principles, strategies, and coding techniques. The authors—two battle-scarred veterans who have solved some of the industry’s toughest security problems—provide sample code in several languages. This edition includes updated information about threat modeling, designing a security process, international issues, file-system issues, adding privacy to applications, and performing security code reviews. It also includes enhanced coverage of buffer overruns, Microsoft® .NET security, and Microsoft ActiveX® development, plus practical checklists for developers, testers, and program managers.

Editorial Reviews

From the Publisher

No more malicious attacks! Learn the best practices for writing secure code, with samples in Microsoft Visual Basic®.NET, Visual C++®, Perl, and Visual C#®.

About the Author

Michael Howard, CISSP, is a leading security expert. He is a senior security program manager at Microsoft® and the coauthor of The Software Security Development Lifecycle. Michael has worked on Windows security since 1992 and now focuses on secure design, programming, and testing techniques. He is the consulting editor for the Secure Software Development Series of books by Microsoft Press.

David LeBlanc, Ph.D., is a founding member of the Trustworthy Computing Initiative at Microsoft®. He has been developing solutions for computing security issues since 1992 and has created award-winning tools for assessing network security and uncovering security vulnerabilities. David is a senior developer in the Microsoft Office Trustworthy Computing group.


Product Details

  • Paperback: 798 pages
  • Publisher: Microsoft Press; 2nd ed. edition (January 4, 2003)
  • Language: English
  • ISBN-10: 0735617228
  • ISBN-13: 978-0735617223
  • Product Dimensions: 9.2 x 7.6 x 1.7 inches
  • Shipping Weight: 3 pounds
  • Average Customer Review: 4.3 out of 5 stars (38 customer reviews)

Customer Reviews

Most Helpful Customer Reviews
127 of 147 people found the following review helpful
Format: Paperback
The title of the book is misleading to begin with. The book is not about writing secure code. It's about (1) not writing non-secure code and (2) using Windows specific security APIs.

(1) Not writing non-secure code. Covers several issues, some more obvious, like buffer overruns and validating user input, some more complex, like escaping URLs and socket security. I thought the book would teach me best practices about organizing code, as in "do like I do". Instead it goes like "don't do like I'm telling you".

(2) Using Windows security APIs. This is THE BEST part of the book. Gives you a very good overview about several different APIs, including ACLs, protecting sensitive data, securing DCOM and .NET code, excellent tips on installing programs etc. etc.

Keep in mind that this book is said to be used internally within Microsoft with "security pushes", with the audience of 8000 people, including not only developers of all levels, but managers as well, therefore the book is by definition a high level overview.

Sometimes the book feels like an MS educational course. Ex. (tip on p.77) "I created the ... diagrams ... using ... Microsoft Visio Professional 2002". That's cool, but what does it have to do with security?

Some topics should never be there. How about 3 pages of tips for a kernel driver writer? It's a huge topic in itself, and how many readers outside MS do this anyway? Privacy issues are covered idealistically. Yeah, sure, if you put a specially crafted XML in the special place on your site, the users magically start trusting you... I'd rather read about the real situation with privacy, not how the government rules it to be. Oh, and how about 40 pages about cryptography? Please...

The book tries to show you the security process with development and testing. I can easily see they use this process in Microsoft, with 8000 people. For a small team it's completely useless. How about using 4 (!) people for a code review? Sure, upon reading this book you will know that a security code review is a must (if you have enough resources). Didn't you know that before?

The code samples are ugly. How about this: "... X is cool ... several pages of Perl (!) ... see what I mean?". OK, one of the authors admits to being a Perl fan, but how am I supposed to read through all this gibberish? C(++) samples are not much better. Maybe they are fully functional and compilable and all, but please, they are huge and inconsistent in themselves.

All in all, 5 stars for Microsoft, 3 stars for the rest of the world.

22 of 26 people found the following review helpful
Format: Paperback
I got this book for free from Microsoft, because our company became a Microsoft Partner. I must admit that at first I was a little bit sceptical about it, because after all this book is published by Microsoft and they have this reputation of selling rather insecure software themselves. But after reading the first few sections I knew it was going to be a very good read.

The book explains in very clear language almost every aspect of secure programming and gives a good overview of all common security flaws that can (and will!) enter your programming code. You'll learn how to securely design, implement, test and deploy your programs. Of course buffer overruns are handled (Public Enemy #1 according to the authors), but that's only the tip of the iceberg. The book does a great job of identifying and providing solutions to common security pitfalls. Topics that are handled include: database access, user privileges and Access Control, Cryptography, handling secret data, user input, encoding and internationalization, RPC, DCOM, DOS attacks, .NET and writing secure program documentation.

I recommend this book to every programmer out there, even if you're not programming for the Win32 platform. Don't let the fact that this is a Microsoft publication keep you from buying this book. If you are serious about writing secure programs this is the book to get.

18 of 21 people found the following review helpful
Format: Paperback
Too many books talk about how to secure a network, and discuss network-based attacks, but this book is different; it covers how to design, build and test the code at the end of the pipe - the application software.

The book is complete in its explanation of how to make sure your application code, be it web-based or otherwise, is secured from attack.

I learned a great deal from this book, and, based on code and design reviews of my company's code, the authors obviously know what they are talking about - as we made a lot of fixes, and added many new security test cases to our test suites.

Simply put, we never knew we had problems until we read this book; now it's mandatory reading for all our software engineers.

Most Recent Customer Reviews
Secure code
Great book! I am very pleased with this purchase. A lot of valuable information. It helps me on my job.
Published 8 months ago by Chingying L. Sloan
must read
I recommend this book as a must read in today's internet programming world.
I am not an internet programmer, but still this book covers a lot of topics how my stand alone...
Published on February 5, 2010 by Prashanth Jaligama
A must read
This book is a must read for any software development manager interested in understanding the nuances of writing secure code; and most importantly being able to communicate that...
Published on January 3, 2010 by Anthony Edwards
Should be Microsoft Secure Code
I agree with a previous reviewer that the title is misleading - it should emphasize that this is primarily a book about not writing non-secure code on a Windows platform.
Published on April 2, 2008 by John F. Dooley
A good security book especially if you develop on Windows
This is a good book as it does a good job covering the different sources of software insecurities:

- The classical buffer overflows on the stack and on the heap
-...
Published on December 16, 2007 by Olivier Langlois
Did not enjoy this book
This book concentrates on a very important subject - writing secure code for Windows. In particular it focuses on two aspects: (a) correct coding techniques and how to avoid...
Published on October 25, 2007 by Paz Offer
Okay overview
Okay overview. Not many details; good for beginning programmers who are learning how to code right. Not really for understanding Windows security or architecture, but then that is...
Published on September 20, 2007 by Kinshumann
The most comprehensive, example-centric Microsoft secure coding book
I read six books on software security recently, namely "Writing Secure Code, 2nd Ed" by Michael Howard and David LeBlanc; "19 Deadly Sins of Software Security" by Michael Howard,...
Published on November 1, 2006 by Richard Bejtlich
An eye opener
You think your data is safe, your website secured, your code foolproof.... think again. If you haven't read this book, probably none of the above are true.
Published on June 21, 2006 by J. Silberstein
Good reference for Securing Microsoft Application Development.
I am happy with this book; it helped me quickly with all possible security options with Microsoft C++ and a little bit of the .NET framework.
Published on February 12, 2006 by Craig Anderson
Inside This Book
First Sentence:
As the Internet grows in importance, applications are becoming highly interconnected.
Key Phrases - Statistically Improbable Phrases (SIPs):
protecting secret data, canonical representation issues, running with least privilege, unsigned long err, information disclosure threats, impersonation functions, security code review, secure coding techniques, threat modeling, building secure applications, heap overruns, malformed data, untrusted data, building secure systems, restricted token, security push, compact policy, network service account, security bugs, packet privacy, scripting issues, security defects, buffer overrun, threat trees, writing secure code
Key Phrases - Capitalized Phrases (CAPs):
Internet Explorer, Microsoft Windows, Visual Basic, Microsoft Visual, Program Files, Visual Studio, Windows Security Push, Terminal Server, Microsoft Press, Mount Doom, Secure Windows Initiative, Authenticated Users, Cryptographic Foibles, Memory Descriptor List Read, Threat Description Attacker, Acme Incorporated, Active Template Library, Back Orifice, Microsoft Office, Power Users, Risk Damage, Code Complete, Configuration Properties, Domain Name System, Imports System