Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.

  • Apple
  • Android
  • Windows Phone
  • Android

To get the free app, enter your mobile phone number.

Software Security: Building Security In 1st Edition

4.6 out of 5 stars 30 customer reviews
ISBN-13: 978-0321356703
ISBN-10: 0321356705
Why is ISBN important?
This bar-code number lets you verify that you're getting exactly the right version or edition of a book. The 13-digit and 10-digit formats both work.
Scan an ISBN with your phone
Use the Amazon App to scan ISBNs and compare prices.
Trade in your item
Get a $14.51
Gift Card.
Have one to sell? Sell on Amazon
Buy used On clicking this link, a new layer will be open
$43.00 On clicking this link, a new layer will be open
Buy new On clicking this link, a new layer will be open
$47.47 On clicking this link, a new layer will be open
More Buying Choices
35 New from $39.96 31 Used from $32.10
Free Two-Day Shipping for College Students with Prime Student Free%20Two-Day%20Shipping%20for%20College%20Students%20with%20Amazon%20Student

Windows 10 For Dummies Video Training
Get up to speed with Windows 10 with this video training course from For Dummies. Learn more.
$47.47 FREE Shipping. In Stock. Ships from and sold by Amazon.com. Gift-wrap available.
click to open popover

Frequently Bought Together

  • Software Security: Building Security In
  • +
  • 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
Total price: $87.89
Buy the selected items together

Editorial Reviews


"Overall, I rekon this was the best new security book I've seen this year.  It certainly made me think more than any other security book I've read recently.  I'd consider it a must-buy for the serious practitioner."--Ross Anderson, Professor of Security Engineering, University of Cambridge Computer Laboratory

From the Back Cover

This is the Mobipocket version of the print book. ""When it comes to software security, the devil is in the details. This book tackles the details." "
--Bruce Schneier, CTO and founder, Counterpane, and author of "Beyond Fear" and "Secrets and Lies" ""McGraw's book shows you how to make the 'culture of security' part of your development lifecycle.""
--Howard A. Schmidt, Former White House Cyber Security Advisor ""McGraw is leading the charge in software security. His advice is as straightforward as it is actionable. If your business relies on software (and whose doesn't), buy this book and post it up on the lunchroom wall.""
--Avi Rubin, Director of the NSF ACCURATE Center; Professor, Johns Hopkins University; and coauthor of "Firewalls and Internet Security" Beginning where the best-selling book "Building Secure Software" left off, "Software Security" teaches you how to put software security into practice.The software security best practices, or touchpoints, described in this book have their basis in good software engineering and involve explicitly pondering security throughout the software development lifecycle. This means knowing and understanding common risks (including implementation bugsand architectural flaws), designing for security, and subjecting all software artifacts to thorough, objective risk analyses and testing. "Software Security" is about putting the touchpoints to work for you. Because you can apply these touchpoints to the software artifacts you already produce as you develop software, you can adopt this book's methods without radically changing the way you work. Inside you'll find detailed explanations of
  • Risk management frameworks and processes
  • Code review using static analysis tools
  • Architectural risk analysis
  • Penetration testing
  • Security testing
  • Abuse case development
In addition to the touchpoints, "Software Security" covers knowledge management, training and awareness, and enterprise-level software security programs. Now that the world agrees that software security is central to computer security, it is time to put philosophy into practice. Create your own secure development lifecycle by enhancing your existing software development lifecycle with the touchpoints described in this book. Let this expert author show you how to build more secure software by building security in.

The latest book club pick from Oprah
"The Underground Railroad" by Colson Whitehead is a magnificent novel chronicling a young slave's adventures as she makes a desperate bid for freedom in the antebellum South. See more

Product Details

  • Paperback: 448 pages
  • Publisher: Addison-Wesley Professional; 1 edition (February 2, 2006)
  • Language: English
  • ISBN-10: 0321356705
  • ISBN-13: 978-0321356703
  • Product Dimensions: 7 x 1.3 x 9.2 inches
  • Shipping Weight: 1.9 pounds (View shipping rates and policies)
  • Average Customer Review: 4.6 out of 5 stars  See all reviews (30 customer reviews)
  • Amazon Best Sellers Rank: #164,596 in Books (See Top 100 in Books)

Customer Reviews

Top Customer Reviews

Format: Paperback
I read six books on software security recently, namely "Writing Secure Code, 2nd Ed" by Michael Howard and David LeBlanc; "19 Deadly Sins of Software Security" by Michael Howard, David LeBlanc, and John Viega; "Software Security" by Gary McGraw; "The Security Development Lifecycle" by Michael Howard and Steve Lipner; "High-Assurance Design" by Cliff Berg; and "Security Patterns" by Markus Schumacher, et al. Each book takes a different approach to the software security problem, although the first two focus on coding bugs and flaws; the second two examine development processes; and the last two discuss practices or patterns for improved design and implementation. My favorite of the six is Gary McGraw's, thanks to his clear thinking and logical analysis. The other five are still noteworthy books. All six will contribute to the production of more security software.

Gary McGraw's book gets my vote as the best of the six because it made the biggest impact on the way I look at the software security problem. First, Gary emphasizes the differences between bugs (coding errors) and flaws (deeper architectural problems). He shows that automated code inspection tools can be applied more or less successfully to the first problem set, but human investigation is required to address the second. Gary applauds the diversity of backgrounds found in today's security professionals, but wonders what will happen when this rag-tag bunch (myself included) is eventually replaced by "formally" trained college security graduates.

Second, Gary explains that although tools cannot replace a flaw-finding human, they can assist programmers trying to avoid writing bugs.
Read more ›
1 Comment 61 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
Format: Paperback
On the one hand, it is risky for me to praise this book. I make my living teaching and practicing computer security. If everyone writing software these days were to read this book, I might eventually find myself out of business.

Gary McGraw, one of the leading security luminaries int he world, has got it right. Security cannot be added to systems once they are built. It must be designed in from the very beginning. The security posture and design must be considered in every phase of the development of a system - from the early design to the actual coding of the instructions.

Gary has done a fanstastic job explaining how to build secure systems, and detailing the importance and complexity of software security.

I've always been a big fan of Gary's, and with this latest installment in his 3 part series, Gary has provided readers with the most important advice and instruction to help keep the bad guys out of your systems.
1 Comment 36 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
Format: Paperback
When my company began to investigate software security, we all mistakenly assumed it would be possible to just train the developers what mistakes not to make and all would be well with the world. This book was the first step toward fixing that misunderstanding. Dr. McGraw does an excellent job of describing the environment and the practices that are required when implementing secure coding in the lifecycle. But, he's also managed to prioritize the "touchpoints" so that each can be added in turn to a new development effort rather than requiring any single massive change. Overall an excellent read and good set of guidelines for implementation
Comment 11 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
Format: Paperback
The root cause of many security vulnerabilities is poorly written software. Often, software applications are written without security in mind. The logical, yet elusive, solution is to ensure that software developers are trained in writing secure code.

Software Security: Building Security In is a valiant attempt to show software developers how to do just that. The book is the latest step in Gary McGraw's software security series, whose previous titles include Building Secure Software and Exploiting Software.

In past decades, writing secure code was left to the military and banking industry. Today, with everything on networks, all sectors must get into the act.

Much of the problem is that organizations target their security elsewhere--specifically on networks--rather than on software. But so many malicious attacks are directed at software that it is foolish to leave this vulnerability exposed.

McGraw goes into detail not only about writing secure code but also about key related areas, which he terms "the seven touchpoints of software security."

These points comprise code review, architectural risk analysis, penetration testing, risk-based security tests, abuse cases, security requirements, and security operations. A major portion of the book effectively discusses these "touchpoints," making the work a recommended tool for inculcating software developers with a security mind-set.
Comment 10 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
Format: Paperback Verified Purchase
This book was prescribed for a course I took in 2011-12. While the book covers the fundamentals well, the enclosed CD, which provides a copy of Fortify software didn't work. Assignments using the software on the CD was part of our course, and since the CD didn't work, the quality of course (not to mention the grades) suffered.

As it turns out Gary McGraw offered fortify as a freeware, and without properly identifying the impact on this product( the book), he sold the software to HP. This is another case of lack of thorough due diligence prior to closing mergers and acquisitions. Unfortunately as always is the case customers ( in this case the students) were the losers.

Of course, part of missed due diligence was our faculty that had not vetted if everything worked before conducting the course.

Good book if only updated with relevant tools.
1 Comment 3 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse

Most Recent Customer Reviews

Set up an Amazon Giveaway

Software Security: Building Security In
Amazon Giveaway allows you to run promotional giveaways in order to create buzz, reward your audience, and attract new followers and customers. Learn more about Amazon Giveaway
This item: Software Security: Building Security In

Pages with Related Products. See and discover other items: computer security, computer network