Writing Secure Code, Second Edition (Paperback)

(1) Not writing non-secure code. Covers several issues, some more obvious, like buffer overruns and validating user input, some more complex, like escaping URLs and socket security. I thought the book would teach me best practices about organizing code, as in "do like I do". Instead it goes like "don't do like I'm telling you".

(2) Using Windows security APIs. This is THE BEST part of the book. Gives you a very good overview about several different APIs, including ACLs, protecting sensitive data, securing DCOM and .NET code, excellent tips on installing programs etc. etc.

Keep in mind that this book is said to be used internally within Microsoft with "security pushes", with the audience of 8000 people, including not only developers of all levels, but managers as well, therefore the book is by definition a high level overview.

Sometimes the book feels like MS educational course. Ex. (tip on p.77) "I created the ... diagrams ... using ... Microsoft Visio Professional 2002". That's cool, but what does it have to do with security ?

Some topics should never be there. How about 3 pages of tips for a kernel driver writer ? It's a huge topic in itself and how many readers outside MS do this anyway ? Privacy issues are covered idealistically. Yeah, sure, if you put a specially crafted XML to the special place on your site, the users magically start trusting you... I'd better read about real situation with privacy, not how the government rules it to be. Oh, and how about 40 pages about cryptography ? Please...

The book tries to show you the security process with development and testing. I can easily see they use this process in Microsoft, with 8000 people. For a small team it's completely useless. How about using 4 (!) people for a code review ? Sure, upon reading this book you will know that security code review is a must (if you have enough resources). Didn't you know that before ?

The code samples are ugly. How about this: "... X is cool ... several pages of Perl (!) ... see what I mean ?". Ok, one of the authors admits to be a Perl fan, but how am I supposed to read through all this gibberish ? C(++) samples are not much better. May be they are fully functional and compilable and all, but please, they are huge and inconsistent in themselves.

All in all, 5 stars for Microsoft, 3 stars for the rest of the world.

The book is complete in its explanation of how to make sure your application code, be it web-based or otherwise, is secured from attack.

I learned a great deal from this book, and, based on code and design reviews of my company's code, the authors obviously know what they are talking about - as we made a lot of fixes, and added many new security test cases to our test suites.

Simply put, we never knew we had problems, until we read this book, now it's mandatory reading for all our software engineers.

The book explains in very clear language almost every aspect of secure programming and gives a good overview of all common security flaws that can (and will!) enter your programming code. You'll learn how to securely design, implement, test and deploy your programs. Ofcourse buffer overruns are handled (Public Enemy #1 according to the authors), but that's only the tip of the iceberg. The book does a great job by identifying and providing solutions to common security pitfalls. Topics that are handled include: database access, user privileges and Access Control, Cryptography, handling secret data, user input, encoding and internationalization, RPC, DCOM, DOS attacks, .NET and writing secure program documentation.

I recommend this book to every programmer out there, even if you're not programming for the Win32-platform. Don't let the fact that this is a Microsoft publication refrain you from buying this book. If you are serious about writing secure programs this is the book to get.