- Hardcover: 392 pages
- Publisher: Auerbach Publications; 1 edition (June 16, 2010)
- Language: English
- ISBN-10: 143982696X
- ISBN-13: 978-1439826966
- Product Dimensions: 6.3 x 1 x 9.4 inches
- Shipping Weight: 1.4 pounds (View shipping rates and policies)
- Average Customer Review: 5.0 out of 5 stars See all reviews (3 customer reviews)
- Amazon Best Sellers Rank: #1,674,169 in Books (See Top 100 in Books)
Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.
To get the free app, enter your mobile phone number.
Secure and Resilient Software Development 1st Edition
Use the Amazon App to scan ISBNs and compare prices.
Featured IT certification guides sponsored by Pearson. Learn more.
Customers who bought this item also bought
What other items do customers buy after viewing this item?
... provides a strong foundation for anyone getting started in application security. Most application security books fall into two categories: business-oriented and vague or ridiculously super technical. Mark and Laksh draw on their extensive experience to bridge this gap effectively. The book consistently links important technical concepts back to the business reasons for application security with interesting stories about real companies dealing with application security issues.
-Jeff Williams, Chair, The OWASP Foundation
About the Author
Mark S. Merkow, CISSP, CISM, CSSLP, works at PayPal Inc. (an eBay company) in Scottsdale, Arizona, as Manager of Security Consulting and IT Security Strategy in the Information Risk Management area. Mark has over 35 years of experience in information technology in a variety of roles, including applications development, systems analysis and design, security engineer, and security manager. Mark holds a Masters in Decision and Info Systems from Arizona State University (ASU), a Masters of Education in Distance Learning from ASU, and a BS in Computer Info Systems from ASU. In addition to his day job, Mark engages in a number of extracurricular activities, including consulting, course development, online course delivery, writing e-business columns, and writing books on information technology and information security.
Mark has authored or co-authored nine books on IT and has been a contributing editor to four others.
Mark remains very active in the information security community, working in a variety of roles for the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Financial Services Technology Consortium (FSTC), and the Financial Services Sector Coordinating Council (FSCCC) on Homeland Security and Critical Infrastructure Protection.
Lakshmikanth Raghavan (Laksh) works at PayPal Inc. (an eBay company) as Staff Information Security Engineer in the Information Risk Management area. He has over eight years of experience in the areas of information security and information risk management and has been providing consulting services to Fortune 500 companies and financial services companies around the world in his previous stints. He is a Certified Ethical Hacker (CEH) and also maintains the Certified Information Security Manager (CISM) certificate from ISACA (previously known as the Information Systems Audit and Control Association). Laksh holds a Bachelor's degree in Electronics & Telecommunication Engineering from the University of Madras, India. Laksh enjoys writing security-related articles and has spoken on the various dimensions of software security at industry forums and security conferences.
If you are a seller for this product, would you like to suggest updates through seller support?
Top Customer Reviews
The book is comprehensive. It covers areas with which most infosec professionals and software developers are not likely to be familiar. For example, the authors recount the history of application security testing as far back as the Orange Book and Common Criteria (CC). Incidentally, Mark co-authored an excellent book on the CC, namely "Computer Security Assurance Using the Common Criteria" (Thomson, 2005). In the current book, issues with the CC approach are raised ... and by someone who should know!
Among the many useful chapters, I personally derived the most from Chapters 8 and 9, which are about testing custom applications and commercial-off-the-shelf software respectively. I also was interested in reading Chapter 11 on metrics and maturity models. I found the coverage of these topics to be extensive, although I have my own opinion regarding the lack of meaningful metrics for security in general and application security in particular.
I suspect, however, that many readers will be more interested in the design and coding phases of the SDLC (software development life cycle), rather than the testing phase. And these readers will not be disappointed. It was encouraging to see that resiliency is given top billing, as it is often neglected by developers, although software engineers might well see the importance of building resilient systems.
Having given the reader a taste of what he or she needs to know in order to produce or acquire secure and resilient software, the authors point the reader to sources of further education, including the various certifications that can be earned.
The book is rounded out with a very helpful glossary of terms, and a couple of appendices. The first covers the top 25 most dangerous programming errors (according to CWE/SANS), and the second describes OWASP's Enterprise Security API project.
All in all this is a book packed with valuable information for those designing, developing or supporting secure and resilient software. It is full of useful and actionable suggestions. And it fills a gap that really needed filling. It gives the reader a sound grounding and good understanding of the issues relating to the development of secure and resilient software and points the reader in the right direction for building further upon the base established by the book.
[This review was excerpted from a column published on [...] on July 19, 2010]
They are a perhaps an ideal pair of book authors because they have such complementary viewpoints and skills. I have known Mark for - good grief! - about twenty years. There is a great deal of solid theory that underpins information security, and Mark is one of few practitioners who both understand this theory, as well as know how to put it into practice. This is surprisingly rare. Laksh, on the other hand, is one of the best application security guys you'll ever meet. He knows the theory and the practice of both how to defend and attack applications. (They're both really nice people too, although that might be less relevant to their writing skills.)
Individually, they're both very strong. In combination, they and - therefore this book - are very, very good. The book builds from a firm theoretical foundation, and works up into a detailed explanation of the various ways in which applications and systems can be attacked, and how these attacks can be defeated by careful system design, coding and testing. It takes that and then moves into the ways in which enterprises can build full-blown programs to secure their applications, and finally into emerging industry standards such as BSIMM & OWASP.
I have a bunch of security books on my bookshelf, and the majority of the ones on secure / resilient software practices are not great. This, on the other hand is one of those rare books that is both interesting and informative on the first read, and very helpful as a reference work on subsequent reads. Strongly recommended.
Legal disclaimer - Please note that nothing in the above should be construed as anything other than the personal / professional opinion of this reviewer, and certainly not as the formal view of our employer.