Customer Reviews

Writing Secure Code, Second Edition

5 star:		(25)
4 star:		(5)
3 star:		(3)
2 star:		(4)
1 star:		(1)

 

 

The title of the book is misleading to begin with. The book is not about writing secure code. It's about (1) not writing non-secure code and (2) using Windows specific security APIs.

(1) Not writing non-secure code. Covers several issues, some more obvious, like buffer overruns and validating user input, some more complex, like escaping URLs and socket security. I thought the book would teach me best practices about organizing code, as in "do like I do". Instead it goes like "don't do like I'm telling you".

(2) Using Windows security APIs. This is THE BEST part of the book. Gives you a very good overview about several different APIs, including ACLs, protecting sensitive data, securing DCOM and .NET code, excellent tips on installing programs etc. etc.

Keep in mind that this book is said to be used internally within Microsoft with "security pushes", with the audience of 8000 people, including not only developers of all levels, but managers as well, therefore the book is by definition a high level overview.

Sometimes the book feels like MS educational course. Ex. (tip on p.77) "I created the ... diagrams ... using ... Microsoft Visio Professional 2002". That's cool, but what does it have to do with security ?

Some topics should never be there. How about 3 pages of tips for a kernel driver writer ? It's a huge topic in itself and how many readers outside MS do this anyway ? Privacy issues are covered idealistically. Yeah, sure, if you put a specially crafted XML to the special place on your site, the users magically start trusting you... I'd better read about real situation with privacy, not how the government rules it to be. Oh, and how about 40 pages about cryptography ? Please...

The book tries to show you the security process with development and testing. I can easily see they use this process in Microsoft, with 8000 people. For a small team it's completely useless. How about using 4 (!) people for a code review ? Sure, upon reading this book you will know that security code review is a must (if you have enough resources). Didn't you know that before ?

The code samples are ugly. How about this: "... X is cool ... several pages of Perl (!) ... see what I mean ?". Ok, one of the authors admits to be a Perl fan, but how am I supposed to read through all this gibberish ? C(++) samples are not much better. May be they are fully functional and compilable and all, but please, they are huge and inconsistent in themselves.

All in all, 5 stars for Microsoft, 3 stars for the rest of the world.

I got this book for free from Microsoft, because our company became a Microsoft Partner. I must admit that at first I was a little bit sceptical about it, because afterall this book is published by Microsoft and they have this reputation of selling rather insecure software themselves. But after reading the first few sections I knew it was going to be a very good read.

The book explains in very clear language almost every aspect of secure programming and gives a good overview of all common security flaws that can (and will!) enter your programming code. You'll learn how to securely design, implement, test and deploy your programs. Ofcourse buffer overruns are handled (Public Enemy #1 according to the authors), but that's only the tip of the iceberg. The book does a great job by identifying and providing solutions to common security pitfalls. Topics that are handled include: database access, user privileges and Access Control, Cryptography, handling secret data, user input, encoding and internationalization, RPC, DCOM, DOS attacks, .NET and writing secure program documentation.

I recommend this book to every programmer out there, even if you're not programming for the Win32-platform. Don't let the fact that this is a Microsoft publication refrain you from buying this book. If you are serious about writing secure programs this is the book to get.

Too many books talk about how to secure a network, and discuss network-based attacks, but this book is different; it covers how to design, build and test the code at the end of the pipe - the application software.

The book is complete in its explanation of how to make sure your application code, be it web-based or otherwise, is secured from attack.

I learned a great deal from this book, and, based on code and design reviews of my company's code, the authors obviously know what they are talking about - as we made a lot of fixes, and added many new security test cases to our test suites.

Simply put, we never knew we had problems, until we read this book, now it's mandatory reading for all our software engineers.

Every professional developer should read this book, period!

This book provides a great overview of what techniques are important when writing secure applications, and what pitfalls to avoid. The book does a good job at making a point through examples and by explaining possible exploits.

This book tries to cover a lot of ground. Most of the things discussed are for C++ developers. However, most of the things discussed are of general interest no matter what language one develops with.

I found myself wishing that the book covered a bit more about my development environment of choice: Visual Studio .NET. As mentioned above, I found all the content very interesting and applicable, but I think it would be good to have more than one chapter covering .NET specifically. I do realize however, that this book was first written before .NET. Perhaps someone will dedicate a book completely to .NET ("Writing Secure .NET Code" anyone?).

This book provides a solid foundation and teaches developers what to look for. However, the book is written for developers and managers alike and does not cover tons of implementation details. I would recommend this book to everyone as a first book to read about secure application development. It is not the last book people should read however. There are a number of good books available for a variety of environments (including .NET) that discuss specific implementations of various security and privacy techniques. Get several of those books as well!

Bottom line: This is a great book. Developers must read it. No "ifs" and "buts". Once you are done with this one though, get other security books and keep on reading...

A pretty good book if you are not very familiar with security issues. It has a very good introductory on threat modeling concepts from software engineering point of view.

It does a good job alerting developers of potential risks in their day-to-day coding practices. Although this is achieved somtimes through blatant bluff.

When it comes down to the hardcore issues, the book just scratches the surface most of the time.

A typical software product manager's writing with some technical touch. This is said because of the quality of the sample code presented. If you have read Jeffrey Ritchter's book, you know what I mean.

When deciding on whether or not to buy a book, I normally read the reviews to find out what people did not like. After checking out this book, I am shocked at the comments one of the reviewers wrote, as he unfairly panned the book on something that it was not intended to solve.
If you are looking for a heavy coders book to show you how to code security in your apps, this is probably not the best place to look. While there is some code, that is not the primary focus. You will also be disappointed if you are looking for code samples that easily migrate to other systems.
The book is, overall, very Microsoft-centric. Whether this is good or bad depends largely on your point of view. While you can apply many of the techniques to any platform to shore up holes in your code.
There are many of the security mistakes in this book that I found almost laughable, until I tested code on a few collegues sites. If you code your SQL strings in ADO, for example, you might be leaving a way for a malicious user to gain admin rights to your SQL Server.
If you think there is no way in the world you would ever need a book on security holes in code, then this book is probably tailor made for you. Understand, of course, if you do not do windows, the code samples will be far less useful than if you do.

This is an excellent book for any beginner to intermediate programmer who would like to know the hooks and corners of securing the code.

The book starts rather philosophically and for any one who read Steve Maguire's book this might seem like a bit boring. But the real meat wont come until the part 2 where the author takes straight dive into the coding with lots of examples. Some of the web related examples deserve double clapping just for the effort the examples are bringing out the case of bad-news. This got to open up any programmer's eye and any managers mouth (in shock! that is).

The author takes us mostly into the world of Windows and C/C++ and some what into .NET and managed code behavior and security lapses one can get easily into.

While I enjoyed this book thoroughly, I just could not give it 5 stars because of its bia towards Windows and .NET framework. This can be accompanied with Steve Maguire's excellent book on Writing Solid "C" Code.

For an expert this book only offers few bits of additional information. This might be the case as the author tried to address many facets of programming and didn't concentrate on one subject alone. Ideally this book can be made into a separate series of books each concentrating on a single topic of interest.

I bought this book after the *Bill Gates* email came out about Microsoft being serious about security. I figured that when he sends email like this to the company, it's important. And when **he recommends this book** in the email, it's something worth looking at. It is - Writing Secure Code is great. It's an easy read, full of great design, development and testing principles and ideas.

The first couple of chapters revolve around design, in fact ch2 is over 70pp long, and it's all about how to design secure systems.

The bulk of the book focuses on secure coding, including buffer overruns, sockets, RPC, COM, Crypto, canoniclization issues, least privilege, storing secret data, Web apps - and more!

The last part of the book discusses common .NET coding errors, and how to build security test plans.

What makes this book utterly unique is it really teaches you how to design and test secure applications, as well as how to write them. The design and test stuff I have seen nowhere else.

The book is worth every penny, and I now know why Bill Gates recommends the book to all Microsoft developers.

I am happy with this book, it helped me quickly with all possible security options with Microsoft C++ and little bit of .NET framework. The book drills well enough on the Microsoft specific implementation guidelines for authentication, authorization, cryptographic options, database connectivity etc. It helps most part, but the book is weak on security options related to XML Web services particularly technologies related to WS-Security and Passport (Identity federation options). I am not a Microsoft developer so I do understand the security holes with every Microsoft application..(never heard of a Java virus), so I always wondered why the authors did'nt suggest to secure their own applications from redmond. If you are a C# developer, I am sure you will like it...and it certainly worth a buy.

I bought this after reading other reviews, and like many of them I found this book worth every cent. The three manjor portions of the book: secure design, secure coding and security testing are really well explained. In fact, I have never seen any other material in any book on security design and testing.

And to those that thing there are no good SSL examples, I have two comments, (a) yes, there is material in the book on when to use SSL (and when not to!) and (b) SSL is no panacea, sometimes SSL is not the correct solution to use, and this book offers exceptional recommendations on how to determine if SSL is indeed the correct solution or not.