"What makes this book so important is that it reflects the experiences of two of the industry's most experienced hands at getting real-world engineers to understand just what they're being asked for when they're asked to write secure code. The book reflects Michael Howard's and David LeBlanc's experience in the trenches working with developers years after code was long since shipped, informing them of problems." --From the Foreword by Dan Kaminsky, Director of Penetration Testing, IOActive

Eradicate the Most Notorious Insecure Designs and Coding Vulnerabilities

Fully updated to cover the latest security issues, 24 Deadly Sins of Software Security reveals the most common design and coding errors and explains how to fix each one, or better yet, avoid them from the start. Michael Howard and David LeBlanc, who teach Microsoft employees and the world how to secure code, have partnered again with John Viega, who uncovered the original 19 deadly programming sins. They have completely revised the book to address the most recent vulnerabilities and have added five brand-new sins. This practical guide covers all platforms, languages, and types of applications.
Eliminate these security flaws from your code:
SQL injection
Web server- and client-related vulnerabilities
Use of magic URLs, predictable cookies, and hidden form fields
Buffer overruns
Format string problems
Integer overflows
C++ catastrophes
Insecure exception handling
Command injection
Failure to handle errors
Information leakage
Race conditions
Poor usability
Not updating easily
Executing code with too much privilege
Failure to protect stored data
Insecure mobile code
Use of weak password-based systems
Weak random numbers
Using cryptography incorrectly
Failing to protect network traffic
Improper use of PKI
Trusting network name resolution
...
Title: 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
Number of Pages: 432 Pages
24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them Reviews
A poor overview of practical security problems. Unclear and garbled explanations of how to prevent problems, along with pages and pages of useless code that does not serve to illustrate the problem or show how to defend against it. Verbose, formulaic and annoying. Look for another book if you want something on practical application security.
If you know almost nothing about software security, need a quick, broad introduction, and have this book lying around, it won't be a complete waste of your time. Otherwise I'm guessing you'll do better elsewhere.

My notes:

The Foreword states it is rare that software can kill people. I'm not sure how the authors could be unaware of or dismiss how our society relies on ubiquitous computing systems to keep us safe. A quick reflection on the embedded code running numerous vehicles, medical devices, and industrial machinery shows the danger incorrectly implemented systems pose.

There seems to be a bias for Microsoft technologies throughout.

Java is knocked for lacking an unsigned int primitive. In cases where this could matter, isn't it a trade-off between simpler code or a simpler language? Either way it is nice to know you can't mix signed and unsigned with Java, avoiding a whole host of squirrely problems.

Shorter and simpler seem to be conflated; several examples and explanations express a preference for more cryptic code over easier-to-understand but longer code.

I found the Chroot Jail section confusing, granted my personal state diagram has many transitions to this node.

A non-proofreading read found several typos in a book focused on details.

A filename string length check example required 3 or more characters but gave no rationale.

MS IIS not following the line termination standard is claimed to not be wrong, where following standards is a fairly consistent message otherwise.

Permission control in Java is not mentioned in relevant sections.

Redemption example code for protecting stored data did not follow safe use of strlen as described in an earlier chapter.

14 pages into weak passwords before salt is mentioned, and no explanation is given, though the rest of the book seems to assume a fairly innocent reader.

Was anyone still using Palm Pilots in 2010? It seems to make a poor example.

Lots of recommendations on what not to log but very little on what is useful to log. To be fair it isn't easy to strike a good balance between hiding internal state and structure from malevolent actors and providing useful information to developers.

I am not a software security expert and apologize for any misstatements. Feel free to correct me with my thanks.
A must have for all developers. There are some special topics that are related only to C/C++, but the rest is really important to consider.