Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.

  • Apple
  • Android
  • Windows Phone
  • Android

To get the free app, enter your mobile phone number.

Building Secure Software: How to Avoid Security Problems the Right Way 1st Edition

4.0 out of 5 stars 26 customer reviews
ISBN-13: 978-0201721522
ISBN-10: 020172152X
Why is ISBN important?
This bar-code number lets you verify that you're getting exactly the right version or edition of a book. The 13-digit and 10-digit formats both work.
Scan an ISBN with your phone
Use the Amazon App to scan ISBNs and compare prices.
Have one to sell? Sell on Amazon
Buy used
Condition: Used: Like New
Access codes and supplements are not guaranteed with used items.
44 Used from $0.01
FREE Shipping on orders over $25.
More Buying Choices
15 New from $8.89 44 Used from $0.01
Free Two-Day Shipping for College Students with Prime Student Free%20Two-Day%20Shipping%20for%20College%20Students%20with%20Amazon%20Student

ITPro.TV Video Training
Take advantage of IT courses online anywhere, anytime with ITPro.TV. Learn more.
click to open popover

Editorial Reviews

From the Back Cover

"This book is useful, practical, understandable, and comprehensive. The fact that you have this book in your hands is a step in the right direction. Read it, learn from it. And then put its lessons into practice." --From the Foreword by Bruce Schneier, CTO, Counterpane, and author of Secrets and Lies "A must-read for anyone writing software for the Internet." --Jeremy Epstein, Director, Product Security and Performance, webMethods "This book tackles complex application security problems like buffer overflows, race conditions, and applied cryptography in a manner that is straightforward and easy to understand. This is a must for any application developer or security professional." --Paul Raines, Global Head of Information Risk Management, Barclays Capital

Most organizations have a firewall, antivirus software, and intrusion detection systems, all of which are intended to keep attackers out. So why is computer security a bigger problem today than ever before? The answer is simple--bad software lies at the heart of all computer security problems. Traditional solutions simply treat the symptoms, not the problem, and usually do so in a reactive way. This book teaches you how to take a proactive approach to computer security.

Building Secure Software cuts to the heart of computer security to help you get security right the first time. If you are serious about computer security, you need to read this book, which includes essential lessons for both security professionals who have come to realize that software is the problem, and software developers who intend to make their code behave. Written for anyone involved in software development and use--from managers to coders--this book is your first step toward building more secure software. Building Secure Software provides expert perspectives and techniques to help you ensure the security of essential software. If you consider threats and vulnerabilities early in the devel-opment cycle you can build security into your system. With this book you will learn how to determine an acceptable level of risk, develop security tests, and plug security holes before software is even shipped.

Inside you'll find the ten guiding principles for software security, as well as detailed coverage of:

  • Software risk management for security
  • Selecting technologies to make your code more secure
  • Security implications of open source and proprietary software
  • How to audit software
  • The dreaded buffer overflow
  • Access control and password authentication
  • Random number generation
  • Applying cryptography
  • Trust management and input
  • Client-side security
  • Dealing with firewalls

    Only by building secure software can you defend yourself against security breaches and gain the confidence that comes with knowing you won't have to play the "penetrate and patch" game anymore. Get it right the first time. Let these expert authors show you how to properly design your system; save time, money, and credibility; and preserve your customers' trust.

  • About the Author

    John Viega is the CTO of Secure Software Solutions (www.securesw.com) and a noted expert in the area of software security. He is responsible for numerous tools in this area, including code scanners (ITS4 and RATS), random number suites (EGADS), automated repair tools, and secure programming libraries. He is also the original author of Mailman, the GNU mailing list manager.

    Gary McGraw, Cigital's CTO, is a leading authority on software security. Dr. McGraw is coauthor of the groundbreaking books Building Secure Software and Exploiting Software (both from Addison-Wesley). While consulting for major software producers and consumers, he has published over ninety peer-reviewed technical publications, and functions as principal investigator on grants from DARPA, the National Science Foundation, and NIST's Advanced Technology Program. He serves on the advisory boards of Authentica, Counterpane, and Fortify Software. He is also an advisor to the computer science departments at University of California, Davis, and the University of Virginia, as well as the School of Informatics at Indiana University.


    The latest book club pick from Oprah
    "The Underground Railroad" by Colson Whitehead is a magnificent novel chronicling a young slave's adventures as she makes a desperate bid for freedom in the antebellum South. See more

    Product Details

    • Hardcover: 528 pages
    • Publisher: Addison-Wesley Professional; 1 edition (October 4, 2001)
    • Language: English
    • ISBN-10: 020172152X
    • ISBN-13: 978-0201721522
    • Product Dimensions: 7.6 x 1.3 x 9.4 inches
    • Shipping Weight: 2.3 pounds
    • Average Customer Review: 4.0 out of 5 stars  See all reviews (26 customer reviews)
    • Amazon Best Sellers Rank: #254,067 in Books (See Top 100 in Books)

    Customer Reviews

    Top Customer Reviews

    By Mike Tarrani HALL OF FAMETOP 50 REVIEWER on April 10, 2002
    Format: Hardcover
    What makes this book so important is that the authors provide an analysis of the major problems with all software, and give a collection of techniques with which to address the recurring problems, such as buffer overflows, access control exposures, randomness flaws and other security-related defects. They do not attempt to provide specific solutions. Instead they raise an awareness of the common problems, discuss the underlying causes, and give a framework with which developers can use as the basis for developing secure software.
    Key points of this book that I found especially useful include:
    (1) Even treatment of commercial and open source software. I found this refreshing because there are two camps, Microsoft developers and open source advocates, each of which criticize the other. Yes, Microsoft has a bad reputation for security, but the open source faction has its own challenges, and the authors show the strengths and weaknesses of each in an objective manner.
    (2)Surprises, such as documented cases of peer reviews that failed. I am an advocate of this technique, yet a case where a flawed, two-line piece of code that was extensively reviewed by literally thousands of reviewers and readers of a technical publication slipped by without notice for a long time.
    (3) The ten guiding principles for software security encapsulate the essence of building secure software. This list and the discussion of each principle should be required reading for every architect, developed and QA engineer.Chapter 1 (Introduction to Software Security) and Chapter 6 (Auditing Software) give a framework for security and a methodical approach to quality assurance. These, in my opinion, are the heart of the book.
    Read more ›
    Comment 28 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
    Thank you for your feedback.
    Sorry, we failed to record your vote. Please try again
    Report abuse
    Format: Hardcover
    As I say in the Preface of this book, "We wouldn't have to spend so much time, money, and effort on network security if we didn't have such bad software security." We all know that security is risk management. _Building Secure Software_ takes the same risk-management approach to security that I espouse in _Secrets and Lies_. But while my recent focus is on detection and response, this book focuses on prevention. Most importantly, it focuses on prevention where it should occur: during software design.
    _Building Secure Software_ is a critical tool in the understanding of secure software. Viega and McGraw have done an excellent job of laying out both the theory and practice of secure software design. Their book is useful, practical, understandable, and comprehensive. It won't magically turn you into a software security expert, but it will make you more sensitive to software security. And the more sensitive you are to the problem, the more likely you are to work toward a solution.
    Comment 46 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
    Thank you for your feedback.
    Sorry, we failed to record your vote. Please try again
    Report abuse
    Format: Hardcover
    For more than 20 years security professionals have bemoaned the abysmal state of software, and why it doesn't get any better. Viega and McGraw have put together a wonderful handbook that takes a big step in helping developers build more secure and reliable software. It addresses the tough practical problems that lead to technical disasters like Nimda and Code Red. Readers learn how vulnerabilities are exploited and how to avoid having the vulnerabilities. Key topics include buffer overflows, avoiding malicious input, proper random number selection, and many more.
    If there were only one security book I could make required reading for every programmer in the world, this would be it.
    Comment 18 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
    Thank you for your feedback.
    Sorry, we failed to record your vote. Please try again
    Report abuse
    Format: Hardcover
    Viega and McGraw have finally written the book that the technical
    community has been clamoring for. This is a refershing view of how to
    build secure systems from two of the world's leading experts. Their risk
    management approach to security is a central theme throughout the book.
    Whether it's avoiding buffer overflows in your code, or understanding
    component integration and interaction, this book offers readers a
    comprehensive, hype-free guide. The authors demonstrate that
    understanding and managing risks is an important component to any
    systems project. This well written book is a must read for anyone
    interested in designing, building, or managing systems.
    Comment 22 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
    Thank you for your feedback.
    Sorry, we failed to record your vote. Please try again
    Report abuse
    Format: Hardcover
    This is a thoughtful and well written approach to application security that anyone involved with application security from web application designers to security architects should digest and re-digest regularly. John Viega avoids the sensationalist tactical approach of many security books and focuses on what matters in the real world. To use an analogy "if you think you may have cancer, you need to be taking blood tests and x-rays, not seeing if you have dilated pupils !". This is the surgeons general approach to preventing cancer !
    Comment 14 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
    Thank you for your feedback.
    Sorry, we failed to record your vote. Please try again
    Report abuse
    Format: Hardcover
    As a Windows developer, I am little disappointed. The authors have probably much more experience with developing Unix and Java software that Windows software. This wouldn't be necessarily a bad thing, if they did their homework and check things with a Windows expert. But they didn't. The result is that the book contains some incorrect and misleading information in Windows-related sections. For example:
    1. In the footnote on page 56 authors state, that there are "no DCOM implementations for the UNIX world". Not true - there is at least one popular DCOM implementation for UNIX - EntireX from Software AG.
    2. On page 58 authors say, that delegation of identity is not available for DCOM. Wrong - delegation with unlimited number of identity transfers is a standard feature of Windows 2000 and XP.
    3. On page 382 authors claim that Microsoft SQL server does not support encryption. Again not true - SQL 2000 can use either SSL or standard Windows RPC encryption to encrypt all traffic between the client and the server.
    These kind of mistakes almost make you wonder if they were intentional. Anyway, if you are developing on Unix it is probably a good book (I cannot judge - I'm not an UNIX expert). If you are a Windows developer, you should probably treat it more as a general overview of potential software security problems and not rely on it when it comes to details.
    Comment 34 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
    Thank you for your feedback.
    Sorry, we failed to record your vote. Please try again
    Report abuse

    Most Recent Customer Reviews