Enter your mobile number below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.
Getting the download link through email is temporarily not available. Please check back later.

  • Apple
  • Android
  • Windows Phone
  • Android

To get the free app, enter your mobile phone number.

Secure Coding: Principles and Practices 1st Edition

4.6 out of 5 stars 19 customer reviews
ISBN-13: 978-0596002428
ISBN-10: 0596002424
Why is ISBN important?
This bar-code number lets you verify that you're getting exactly the right version or edition of a book. The 13-digit and 10-digit formats both work.
Scan an ISBN with your phone
Use the Amazon App to scan ISBNs and compare prices.
Have one to sell? Sell on Amazon
Buy used
Condition: Used - Good
Condition: Used: Good
Comment: The item shows wear from consistent use, but it remains in good condition and works perfectly. All pages and cover are intact (including the dust cover, if applicable). Spine may show signs of wear. Pages may include limited notes and highlighting. May include "From the library of" labels.
Access codes and supplements are not guaranteed with used items.
35 Used from $1.85
FREE Shipping on orders over $25.
More Buying Choices
10 New from $12.42 35 Used from $1.85
Free Two-Day Shipping for College Students with Prime Student Free%20Two-Day%20Shipping%20for%20College%20Students%20with%20Amazon%20Student

ITPro.TV Video Training
Take advantage of IT courses online anywhere, anytime with ITPro.TV. Learn more.
click to open popover

Editorial Reviews


"This is an extremely useful little book in best O'Reilly tradition and I recommend it not only to programmers but also to security architects who work with programmers. It gives you a lot of insights that you don't often come across." Information Security Bulletin, September

About the Author

Kenneth R. van Wyk is an internationally recognized information security expert and author of the O'Reilly Media books, Incident Response and Secure Coding. In addition to providing consulting and training services through his company, KRvW Associates, LLC, he currently holds numerous positions: as a monthly columnist for on-line security portal, eSecurityPlanet, and a Visiting Scientist at Carnegie Mellon University's Software Engineering Institute.

Ken has 20+ years experience as an IT Security practitioner in the academic, military, and commercial sectors. He has held senior and executive technologist positions at Tekmark, Para-Protect, Science Applications International Corporation (SAIC), in addition to the U.S. Department of Defense and Carnegie Mellon and Lehigh Universities.

Ken also served a two-year elected position as a member of the Steering Committee, and a one-year elected position as the Chairman of the Steering Committee, for the Forum of Incident Response and Security Teams (FIRST) organization. At the Software Engineering Institute of Carnegie Mellon University, Ken was one of the founders of the Computer Emergency Response Team (CERT®). He holds an engineering degree from Lehigh University and is a frequent speaker at technical conferences, and has presented papers and speeches for CSI, ISF, USENIX, FIRST, AusCERT, and others. Ken is also a CERT® Certified Computer Security Incident Handler.


New York Times best sellers
Browse the New York Times best sellers in popular categories like Fiction, Nonfiction, Picture Books and more. See more

Product Details

  • Paperback: 200 pages
  • Publisher: O'Reilly Media; 1st edition (July 2003)
  • Language: English
  • ISBN-10: 0596002424
  • ISBN-13: 978-0596002428
  • Product Dimensions: 6 x 0.6 x 9 inches
  • Shipping Weight: 10.6 ounces
  • Average Customer Review: 4.6 out of 5 stars  See all reviews (19 customer reviews)
  • Amazon Best Sellers Rank: #1,161,966 in Books (See Top 100 in Books)

Customer Reviews

Top Customer Reviews

By Jeremy Allison on November 17, 2003
Format: Paperback
Some of the reviewers here are missing the point of this book. It's not a "secure code cookbook" in that it doesn't give specific code examples. Such things are quickly obsolete anyway.
This book teaches you how to *think* about security, how to think about and *design* code that will be secure. It isn't a "add this snippit of code to your input buffer validation function" sort of book. There are many of these books, and they're useful in their place, but this book writes about the design of secure code, not the actual specifics.
To continue the cooking analogy, this is a book on how to write receipes, not a book *of* receipes.
Disclaimer, I helped review this book - and I think it's the sort of work that has been sorely missing in the field (I was also given a free copy for doing the review work).
Jeremy Allison,
Samba Team.
Comment 20 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
Format: Paperback Verified Purchase
You may have a hi-tech lock on your door, 100% unpickable. If I can just slam my shoulder against the door and jerk it loose from the frame, the fancy lock is irrelevant.
Passwords, encryption, and all the rest are the lock. This book is more about making the door and frame strong. Remember the Blaster worm? That wasn't a 'security' problem. It exploited bugs in Windows that supposedly had nothing to do with security.
This book is about building programs that resist attack. That doesn't mean copying a safe code fragment into your program and declaring it safe - that idea is ludicrous. Instead, this book is about the process that designs and implements strong programs. It starts with architecture and design documents, then follows through to design and maintenance.
The weakness of this book is lack of detail - how to build fail-safe code, what needs to be on design and inspection checklists, etc. There's good reason for that: each sub-topic needs books, if not whole libraries of its own. Take fault tolerance, for example. It may not sound like security, but an attack is meant to cause system failures, and fault tolerance is design to withstand failures. Fault tolerance is a huge topic, with journals and literature all its own. This book can barely mention the idea, while still giving other topics their due. It's a start, though.
Much of the advice may sound drearily familiar: code reviews, security audits, configuration control, error checking, and all the other things that take the 'fun' out of programming. If people want that kind of 'fun', then stop calling them software engineers. They're not ready for adult responsibilities.
Before anything else, software security requires correct behavior from a program. I really hope I don't hear objections to that as a basic design goal.
Comment 22 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
Format: Paperback
In the 11th century, Moses Maimonides taught us that the highest form of charity is to teach a man to fish. If you give him a fish, he can eat today. If you teach him to fish he can eat forever.
In the same way, Mark G. Graff and Kenneth R. van Wyk have provided an excellent book that gives us a framework for thinking about security rather than trying to give specific rules that might have been invalid before the book came off the press. "Secure Coding" gives the reader the ability to envision, architect, design, code, and implement a security framework that truly meets the needs of its stakeholders.
The authors don't provide a cookbook. In their own words: "When you picked up this book, perhaps you thought that we could provide certain security? Sadly, no one can."
Instead, they deliver a robust mental model and a framework to understand security and to architect, design, develop, and operate secure systems. They present best practices in the field of security, the reasons for using them, and suggestions on deciding which practices are appropriate in your particular case.
Their approach is to realize that the objective is not to make a system totally secure, but to make it just secure enough. Deciding what is "just secure enough" is a business and not a technical decision. It is based on weighing risk versus cost.
There are substantial references throughout the book as well as an appendix of resources. The book is filled with examples of security failures and, more importantly, an excellent post mortem on each to show what could have been done to avoid the problem. The authors are extremely familiar with UNIX environments and this comes through in the examples. However, you don't need to be a UNIX guru to glean valuable lessons from the examples.
Read more ›
Comment 20 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
Format: Paperback
In information security there are books about things and books on how to do things, this is a book *about* things.
Secure coding doesn't tell you how to write secure code, the purpose is to you a clear understanding of the enviornment needed to ensure application development is being done in a sane and robust way.
I was a bit nervous when one of the authors asked me to do a review of this book; I had just finished reviewing Inside Java, a masterpiece, but a tough read with a code example on every other page. Secure Coding is almost the polar opposite. There are only a couple examples of actual code. Instead the book weighs in at less than 200 content pages and is very approachable.
If you are responsible for managing software developers, then you should buy this book, read this book and make certain you understand what it teaches! This will prepare you for serious discussions with your coders and give you the questions to ask to ensure they are using good practice.
Comment 13 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse

Most Recent Customer Reviews