Review: 19 Deadly Sins of Software Security
19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
by Michael Howard, David LeBlanc and John Viega
Review by Steven Alexander Jr.

This is the first of (hopefully) many book reviews that I'll be posting here on the LOPSA site. For this review, I've chosen a software book that I think many sysadmins will find useful. There are already other good books on the subject, but my suspicion is that most sysadmins just don't have the time or inclination to read them. The most widely read alternatives, Building Secure Software and Writing Secure Code, are, respectively, over five and six hundred pages each and deal with some topics that most code-writing sysadmins won't ever care about. 19 Deadly Sins is only about three hundred pages long and the chapters can be read out of order.

The book is based on Amit Yoran's assertion that nineteen common mistakes account for 95% of the discovered vulnerabilities in software. The book covers each of the nineteen and discusses what the problem is, what it looks like in different languages, how to find it and how to fix it. The book includes examples in C/C++, C#, Java, Perl, PHP and Visual Basic.

The best thing about this book is that it is so concise. You don't have to invest a lot of time to get something out of it. The chapters are short and can be read out of order. The coverage of each problem is simple and to the point. This is a book that can help you write safer programs right now.

Despite being so short, the book covers a lot of ground. It doesn't focus on any particular language or type of software. The book covers buffer overflows, format string attacks, cross site scripting, SQL injection and several other problems. It's useful whether you're writing software in C, Perl or Visual Basic and whether you're writing web apps or SUID programs. Most importantly, the authors know what they are talking about and the advice they give is reliable.

I think this book is well suited for junior developers (as a first book) and for system administrators who write their own tools. Professional developers should also read more in-depth books such as Howard and LeBlanc's Writing Secure Code or Viega and McGraw's Building Secure Software.