Review: 19 Deadly Sins of Software Security

19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them by Michael Howard, David LeBlanc and John Viega

Review by Steven Alexander Jr.

This is the first of (hopefully) many book reviews that I'll be posting here on the LOPSA site. For this review, I've chosen a software book that I think many sysadmins will find useful. There are already other good books on the subject but my suspicion is that most sysadmins just don't have the time or inclination to read them. The most widely read alternatives, Building Secure Software and Writing Secure Code are, respectively, over five and six hundred pages each and deal with some topics that most code-writing sysadmins won't ever care about. 19 Deadly Sins is only about three hundred pages long and the chapters can be read out of order.

The book is based on Amit Yoran's assertion that nineteen common mistakes account for 95% of the discovered vulnerabilities in software. The book covers each of the nineteen and discusses what the problem is, what it looks like in different languages, how to find it and how to fix it. The book includes examples in C/C++, C#, Java, Perl, PHP and Visual Basic.

The best thing about this book is that it is so concise. You don't have to invest a lot of time to get something out of it. The chapters are short and can be read out of order. The coverage of each problem is simple and to the point. This is a book that can help you write safer programs right now.

Despite being so short, the book covers a lot of ground. It doesn't focus on any particular language or type of software. The book covers buffer overflows, format string attacks, cross site scripting, SQL injection and several other problems. It's useful whether you're writing software in C, Perl or Visual Basic and whether you're writing web apps or SUID programs.

Most importantly, the authors know what they are talking about and the advice they give is reliable.

I think this book is well suited for junior developers (as a first book) and for system administrators who write their own tools. Professional developers should also read more in-depth books such as Howard and LeBlanc's Writing Secure Code or Viega and McGraw's Building Secure Software.
