Programming Books C Java PHP Python Learn more Browse Programming Books
Writing Secure Code (2nd Edition) (Developer Best Practices) and over one million other books are available for Amazon Kindle. Learn more

Sorry, this item is not available in
Image not available for
Image not available

To view this video download Flash Player

FREE Shipping on orders over $35.

Used - Very Good | See details
Access codes and supplements are not guaranteed with used items.
Have one to sell? Sell yours here
Start reading Writing Secure Code (2nd Edition) (Developer Best Practices) on your Kindle in under a minute.

Don't have a Kindle? Get your Kindle here, or download a FREE Kindle Reading App.

Writing Secure Code (2nd Edition) (Developer Best Practices) [Paperback]

David LeBlanc , Michael Howard
4.0 out of 5 stars  See all reviews (18 customer reviews)

Available from these sellers.

Free Two-Day Shipping for College Students with Amazon Student


Amazon Price New from Used from
Kindle Edition $22.99  
Paperback --  
Unknown Binding --  
Shop the New Digital Design Bookstore
Check out the Digital Design Bookstore, a new hub for photographers, art directors, illustrators, web developers, and other creative individuals to find highly rated and highly relevant career resources. Shop books on web development and graphic design, or check out blog posts by authors and thought-leaders in the design industry. Shop now

Book Description

December 14, 2002 0735617228 978-0735617223 2

Keep black-hat hackers at bay with the tips and techniques in this entertaining, eye-opening book! Developers will learn how to padlock their applications throughout the entire development process—from designing secure applications to writing robust code that can withstand repeated attacks to testing applications for security flaws. Easily digested chapters reveal proven principles, strategies, and coding techniques. The authors—two battle-scarred veterans who have solved some of the industry’s toughest security problems—provide sample code in several languages. This edition includes updated information about threat modeling, designing a security process, international issues, file-system issues, adding privacy to applications, and performing security code reviews. It also includes enhanced coverage of buffer overruns, Microsoft .NET security, and Microsoft ActiveX development, plus practical checklists for developers, testers, and program managers.

Editorial Reviews

About the Author

David LeBlanc, Ph.D., is a founding member of the Trustworthy Computing Initiative at Microsoft. He has been developing solutions for computing security issues since 1992 and has created award-winning tools for assessing network security and uncovering security vulnerabilities. David is a senior developer in the Microsoft Office Trustworthy Computing group.

Product Details

  • Series: Developer Best Practices
  • Paperback: 800 pages
  • Publisher: Microsoft Press; 2 edition (December 14, 2002)
  • Language: English
  • ISBN-10: 0735617228
  • ISBN-13: 978-0735617223
  • Product Dimensions: 9.2 x 7.6 x 1.7 inches
  • Shipping Weight: 3 pounds
  • Average Customer Review: 4.0 out of 5 stars  See all reviews (18 customer reviews)
  • Amazon Best Sellers Rank: #224,776 in Books (See Top 100 in Books)

More About the Authors

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews
136 of 157 people found the following review helpful
3.0 out of 5 stars Not writing non-secure code for Windows November 30, 2003
The title of the book is misleading to begin with. The book is not about writing secure code. It's about (1) not writing non-secure code and (2) using Windows specific security APIs.
(1) Not writing non-secure code. Covers several issues, some more obvious, like buffer overruns and validating user input, some more complex, like escaping URLs and socket security. I thought the book would teach me best practices about organizing code, as in "do like I do". Instead it goes like "don't do like I'm telling you".
(2) Using Windows security APIs. This is THE BEST part of the book. Gives you a very good overview about several different APIs, including ACLs, protecting sensitive data, securing DCOM and .NET code, excellent tips on installing programs etc. etc.
Keep in mind that this book is said to be used internally within Microsoft with "security pushes", with the audience of 8000 people, including not only developers of all levels, but managers as well, therefore the book is by definition a high level overview.
Sometimes the book feels like MS educational course. Ex. (tip on p.77) "I created the ... diagrams ... using ... Microsoft Visio Professional 2002". That's cool, but what does it have to do with security ?
Some topics should never be there. How about 3 pages of tips for a kernel driver writer ? It's a huge topic in itself and how many readers outside MS do this anyway ? Privacy issues are covered idealistically. Yeah, sure, if you put a specially crafted XML to the special place on your site, the users magically start trusting you... I'd better read about real situation with privacy, not how the government rules it to be. Oh, and how about 40 pages about cryptography ? Please...
The book tries to show you the security process with development and testing.
Read more ›
Was this review helpful to you?
10 of 11 people found the following review helpful
2.0 out of 5 stars Did not enjoy this book October 25, 2007
This book concentrates on a very important subject - writing secure code for Windows. In particular it focuses on two aspects: (a) correct coding techniques and how to avoid security pitfalls, and (b) the particular Windows security API and its usage.
For the above reason I will rate this book with 2.5 stars.
Why not 5 stars?
I found the text well padded with the author opinions, stories, and samples, which in many cases I felt where unneeded for me.
I also found it very exhausting trying to fish-out from all the text, the knowledge that I felt I needed.
Some of the motives kept on coming up. I will try to summon here few, using my words:
1. This book is extremely important thus you must read it.
2. This book is extremely important thus you must read it.
3. Some developers don't understand anything about security.
4. You cannot believe how ignorant or lazy developers can be.
5. Most developers will give wrong answer for my next question.
And so on...
Many of the examples in the book show 'what NOT to do' and common mistakes rather then what to do.
I must admit that somewhere around the middle of the book I started to read it in a selective way, trying to avoid redundant text.
Comment | 
Was this review helpful to you?
22 of 28 people found the following review helpful
5.0 out of 5 stars Great book if you're serious about writing secure code January 30, 2003
I got this book for free from Microsoft, because our company became a Microsoft Partner. I must admit that at first I was a little bit sceptical about it, because afterall this book is published by Microsoft and they have this reputation of selling rather insecure software themselves. But after reading the first few sections I knew it was going to be a very good read.
The book explains in very clear language almost every aspect of secure programming and gives a good overview of all common security flaws that can (and will!) enter your programming code. You'll learn how to securely design, implement, test and deploy your programs. Ofcourse buffer overruns are handled (Public Enemy #1 according to the authors), but that's only the tip of the iceberg. The book does a great job by identifying and providing solutions to common security pitfalls. Topics that are handled include: database access, user privileges and Access Control, Cryptography, handling secret data, user input, encoding and internationalization, RPC, DCOM, DOS attacks, .NET and writing secure program documentation.
I recommend this book to every programmer out there, even if you're not programming for the Win32-platform. Don't let the fact that this is a Microsoft publication refrain you from buying this book. If you are serious about writing secure programs this is the book to get.
Comment | 
Was this review helpful to you?
11 of 13 people found the following review helpful
3.0 out of 5 stars Strong on issues, weak in depth December 24, 2002
By sean
A pretty good book if you are not very familiar with security issues. It has a very good introductory on threat modeling concepts from software engineering point of view.
It does a good job alerting developers of potential risks in their day-to-day coding practices. Although this is achieved somtimes through blatant bluff.
When it comes down to the hardcore issues, the book just scratches the surface most of the time.
A typical software product manager's writing with some technical touch. This is said because of the quality of the sample code presented. If you have read Jeffrey Ritchter's book, you know what I mean.
Comment | 
Was this review helpful to you?
21 of 27 people found the following review helpful
5.0 out of 5 stars Required readind, not just at MS May 3, 2004
Every professional developer should read this book, period!
This book provides a great overview of what techniques are important when writing secure applications, and what pitfalls to avoid. The book does a good job at making a point through examples and by explaining possible exploits.
This book tries to cover a lot of ground. Most of the things discussed are for C++ developers. However, most of the things discussed are of general interest no matter what language one develops with.
I found myself wishing that the book covered a bit more about my development environment of choice: Visual Studio .NET. As mentioned above, I found all the content very interesting and applicable, but I think it would be good to have more than one chapter covering .NET specifically. I do realize however, that this book was first written before .NET. Perhaps someone will dedicate a book completely to .NET ("Writing Secure .NET Code" anyone?).
This book provides a solid foundation and teaches developers what to look for. However, the book is written for developers and managers alike and does not cover tons of implementation details. I would recommend this book to everyone as a first book to read about secure application development. It is not the last book people should read however. There are a number of good books available for a variety of environments (including .NET) that discuss specific implementations of various security and privacy techniques. Get several of those books as well!
Bottom line: This is a great book. Developers must read it. No "ifs" and "buts". Once you are done with this one though, get other security books and keep on reading...
Comment | 
Was this review helpful to you?
Most Recent Customer Reviews
3.0 out of 5 stars Good, but dated
The timeless advice in this book should be at the front of every programmer's mind every day. Things like
- There's no such thing as a small security flaw,
- If you see... Read more
Published 8 months ago by wiredweird
5.0 out of 5 stars Excellent
I opened the box with hesitation as I have been burned purchasing used books before, but to my surprise it was in excellent condition. The information will be of great help to me. Read more
Published 11 months ago by Ralyn Gibbons
5.0 out of 5 stars Secure code
Great book! I am very pleased with this purchase. A lot of valuable information. It helps me on my job.
Published on September 14, 2011 by Chingying L. Sloan
5.0 out of 5 stars must read
I recommend this book as must read in todays internet programming world.
I am not a internet programmer, but still this book covers lot of topics how my stand alone... Read more
Published on February 5, 2010 by Pachi
5.0 out of 5 stars A must read
This book is a must read for any software development manager interested in understanding the nuances of writing secure code; and most importantly being able to communicate that... Read more
Published on January 3, 2010 by Anthony Edwards
2.0 out of 5 stars Should be Microsoft Secure Code
I agree with a previous reviewer that the title is misleading - it should emphasize that this is primarily a book about not writing non-secure code on a Windows platform. Read more
Published on April 2, 2008 by John F. Dooley
4.0 out of 5 stars The most comprehensive, example-centric Microsoft secure coding book
I read six books on software security recently, namely "Writing Secure Code, 2nd Ed" by Michael Howard and David LeBlanc; "19 Deadly Sins of Software Security" by Michael Howard,... Read more
Published on November 1, 2006 by Richard Bejtlich
5.0 out of 5 stars An eye opener
You think your data is safe, your website secured, your code foolproof.... think again. If you haven't read this book, probably none of the above are true. Read more
Published on June 21, 2006 by J. Silberstein
4.0 out of 5 stars Good reference for Securing Microsoft Application Development.
I am happy with this book, it helped me quickly with all possible security options with Microsoft C++ and little bit of .NET framework. Read more
Published on February 11, 2006 by Craig Anderson
4.0 out of 5 stars Excellent reading for any programmer
This is an excellent book for any beginner to intermediate programmer who would like to know the hooks and corners of securing the code. Read more
Published on August 15, 2003 by "cltss"
Search Customer Reviews
Search these reviews only


There are no discussions about this product yet.
Be the first to discuss this product with the community.
Start a new discussion
First post:
Prompts for sign-in

Look for Similar Items by Category