Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More (Paperback)

by John Viega (Author), Matt Messier (Author)
Key Phrases: symmetric encryption, input validation, authentication method, Solution Use, Public Key Infrastructure, Random Numbers (more...)

Editorial Reviews

Review
"This is a book that's long overdue and makes for an interesting and deeply technical read on a topic that we should all core about more. Yes, it's limited to C and C++ readers, but with the majority of key applications being written in these languages that's where the biggest benefit can be had - give the sample chapter a read, and you'll soon be on your way to the books store to buy the rest of it." "A powerful and initially somewhat scary book that will quickly get you thinking about security while you program - as opposed to as an afterthought." - Paul Hudson, LinuxFormat, Christmas 03 - Rating 10/10 - Top Stuff Award

Product Description
Secure Programming Cookbook for C and C++ is an important new resource for developers serious about writing secure code. It contains a wealth of solutions to problems faced by those who care about the security of their applications. It covers a wide range of topics, including safe initialization, access control, input validation, symmetric and public key cryptography, cryptographic hashes and MACs, authentication and key exchange, PKI, random numbers, and anti-tampering. The rich set of code samples provided in the book's more than 200 recipes will help programmers secure the C and C++ programs they write for both Unix® (including Linux®) and Windows® environments. The book's web site supplements the book by providing a place to post new recipes, including those written in additional languages like Perl, Java, and Python. Monthly prizes will reward the best recipes submitted by readers. The Secure Programming Cookbook for C and C++ is destined to become an essential part of any developer's library, a code companion developers will turn to again and again as they seek to protect their systems from attackers and reduce the risks they face in today's dangerous world.

See all Editorial Reviews

Product Details

• Paperback: 790 pages
• Publisher: O'Reilly Media, Inc. (July 14, 2003)
• Language: English
• ISBN-10: 0596003943
• ISBN-13: 978-0596003944
• Product Dimensions: 9 x 6.9 x 1.5 inches
• Shipping Weight: 2.4 pounds (View shipping rates and policies)
• Average Customer Review: 4.6 out of 5 stars See all reviews (12 customer reviews)
• Amazon.com Sales Rank: #121,399 in Books (See Bestsellers in Books)

  Popular in these categories: (What's this?)

  #13 in	Books > Computers & Internet > Programming > Algorithms > Cryptography
  #19 in	Books > Computers & Internet > Networking > Network Programming

Customer Reviews

Most Helpful Customer Reviews

31 of 32 people found the following review helpful:

5.0 out of 5 stars Much more than I had expected, very good., August 4, 2003

By	Erik "Erik" - See all my reviews

I hadn't anticipated the heavy amount of crypto related chapters in this book. I honestly had only read about the input validation, avoiding overflows, and access control portions. It turns out it covers those areas plus a wide range of crypto related code. It goes over the fundamentals of Symmetric Crypto in great detail, from simple base64 encoding to parallelizing Encryption and decryption in arbitrary modes. All of the crypto related portions of this book are very clear. I highly recommend this book if you are doing any kind of crypto, whether it's simply encrypting a password, a file, or setting up a socket based secure communication tunnel.

The Networking chapter is a very good reference section for creating SSL clients and servers, as well as using kerberos or securing your connections to your database. There is almost 80 pages of information related to generating random numbers and data from using /dev/random to gathering entropy from Mouse Evens on Win32.

The one chapter I didn't expect to see here that was quite good was Chapter 12, Anti-Tampering. This chapter goes over obfuscating your code, detecting binary modifications, disguising boolean values, etc. It even shows you how to detect SoftICE and other debuggers, which can be useful for attempting to block people from cracking your commercial software. Although, I believe all attempts end up being rather futile when someone is determined enough.

This book really is a must for anyone who is programming. If not just for the basics of protecting yourself from overflows and validating input and environment variables, than definitely for the extremely well written sections on crypto. This book has earned a permanent spot next to K&R and UNP on my desk.

36 of 39 people found the following review helpful:

5.0 out of 5 stars An author's perspective, October 15, 2003

By	John Viega (Boston, MA) - See all my reviews

I thought I'd offer some insight on this book, particularly in light of a recently posted bad review that makes a bunch of criticisms that are quite wrong (I am pretty sure the review is due to a personal grudge held by someone who hasn't even read the book).

First, the goal of this book is to be a reference people can use to find solutions for "doing it right", not an elementary text on secure coding principles that gives a bunch of high-level advice that's still difficult to apply securely in practice. Security-relevant design and architecture principles are followed and discussed, but there's definitely a stated assumption that you have read a more elementary book such as "Building Secure Software", "Writing Secure Code" or the free "Secure Programming for Linux and UNIX HOWTO".

Second, the book covers all common security problems one sees in C and C++ programs, going so deep as to give working code and in-depth discussions. It spends hundreds of pages on how to implement and integrate cryptography into applications securely, a topic that is almost completely ignored in the elementary books (and even ignored in most crypto books, which teach building blocks, more than how to use them securely).

Many security problems that affect programs are largely language independent. We give C++-specific code in the few cases where there are C++-specific issues. But, for the most part, problems apply equally to C and C++. In those cases, the code is written in a subset of C that will work directly in C++ programs, but we don't take advantage of C++-specific features. To do so would result in a book nearly 1500 pages long!

All topics are covered for both Microsoft and Unix platforms (much of the code is cross-platform, and was tested on both). There are a couple of instances where a problem or solution doesn't apply to a particular platform. For example, "shatter" attacks are Windows specific, and the jail() protection mechanism works only on FreeBSD, not Windows. We have no platform bias, and even had the leading Windows secure programming expert from Microsoft review things.

This book gives detailed solutions for secure programming in a level of detail that no other book yet does, covering many topics that other books completely ignore.

15 of 16 people found the following review helpful:

5.0 out of 5 stars Bought it for one reason but ended up using it., October 16, 2003

By	"lucincia" (Cedar Rapids, IA United States) - See all my reviews

To be truthful, I bought this book because the "gang" I hang out with is mentioned in the Acknowledgments section of the book. That was the ONLY reason when I sent money to Amazon.Com and purchased it for the dusty collection on my bookshelf.

But, when I got it and chuckled over the Acknowledgements section, I started to mindlessly flip through the book. Mindless page flipping soon turned to semi-conscious scanning. Semi-conscious scanning soon turned to serious reading. I find myself reading the book more and more, jumping back and forth between sections I find interesting and useful.

As a Windows C++ programmer for in-house tools, I do not dwell much on secure programming concepts. Yes, this is very, very bad way to program, so those of you reading this review should not try it at home. This book has shown the errors of my ways, revealed security issues that I have overlooked by accident or on purpose and gave concepts and examples that I can apply in my projects.

This book is one reference that I will be going back over and over again. The authors and editors have done a wonderful job to make the reading flow nice and easy. It is also very well laid out by stating the problem you may encounter, followed by a solution and then detailed discussion section with code samples.

For any C/C++ programmer making software to be used by more than one person, this reference book is a must.

You can still read the Acknowledgments and marvel at my name on there, of course.