
Secure Programming with Static Analysis Paperback – Jun 29 2007


Product Details

  • Paperback: 624 pages
  • Publisher: Addison-Wesley Professional; 1 edition (June 29 2007)
  • Language: English
  • ISBN-10: 0321424778
  • ISBN-13: 978-0321424778
  • Product Dimensions: 17.5 x 3.6 x 22.9 cm
  • Shipping Weight: 930 g
  • Average Customer Review: Be the first to review this item
  • Amazon Bestsellers Rank: #566,556 in Books (See Top 100 in Books)

Product Description

From the Back Cover

The First Expert Guide to Static Analysis for Software Security!


Creating secure code requires more than just good intentions. Programmers need to know that their code will be safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-toothed comb and uncover the kinds of errors that lead directly to security vulnerabilities. Now there's a complete guide to static analysis: how it works, how to integrate it into the software development process, and how to make the most of it during security code review. Static analysis experts Brian Chess and Jacob West look at the most common types of security defects that occur today. They illustrate main points using Java and C code examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar mistakes. This book is for everyone concerned with building more secure software: developers, security engineers, analysts, and testers.


Coverage includes:

  • Why conventional bug-catching often misses security problems
  • How static analysis can help programmers get security right
  • The critical attributes and algorithms that make or break a static analysis tool
  • 36 techniques for making static analysis more effective on your code
  • More than 70 types of serious security vulnerabilities, with specific solutions
  • Example vulnerabilities from Firefox, OpenSSH, MySpace, eTrade, Apache httpd, and many more
  • Techniques for handling untrusted input
  • Eliminating buffer overflows: tactical and strategic approaches
  • Avoiding errors specific to Web applications, Web services, and Ajax
  • Security-aware logging, debugging, and error/exception handling
  • Creating, maintaining, and sharing secrets and confidential information
  • Detailed tutorials that walk you through the static analysis process


“We designed Java so that it could be analyzed statically. This book shows you how to apply advanced static analysis techniques to create more secure, more reliable software.”

- Bill Joy, Co-founder of Sun Microsystems, co-inventor of the Java programming language


“'Secure Programming with Static Analysis' is a great primer on static analysis for security-minded developers and security practitioners. Well-written, easy to read, tells you what you need to know.”

- David Wagner, Associate Professor, University of California Berkeley


“Software developers are the first and best line of defense for the security of their code. This book gives them the security development knowledge and the tools they need in order to eliminate vulnerabilities before they move into the final products that can be exploited.”

- Howard A. Schmidt, Former White House Cyber Security Advisor


BRIAN CHESS is Founder and Chief Scientist of Fortify Software, where his research focuses on practical methods for creating secure systems. He holds a Ph.D. in Computer Engineering from the University of California, Santa Cruz, where he studied the application of static analysis to finding security-related code defects.


JACOB WEST manages Fortify Software's Security Research Group, which is responsible for building security knowledge into Fortify's products. He brings expertise in numerous programming languages, frameworks, and styles together with deep knowledge about how real-world systems fail.


CD contains a working demonstration version of Fortify Software's Source Code Analysis (SCA) product; extensive Java and C code samples; and the tutorial chapters from the book in PDF format.



Table of Contents

Part I: Software Security and Static Analysis (p. 1)
  1. The Software Security Problem (p. 3)
  2. Introduction to Static Analysis (p. 21)
  3. Static Analysis as Part of the Code Review Process (p. 47)
  4. Static Analysis Internals (p. 71)
Part II: Pervasive Problems (p. 115)
  5. Handling Input (p. 117)
  6. Buffer Overflow (p. 175)
  7. Bride of Buffer Overflow (p. 235)
  8. Errors and Exceptions (p. 265)
Part III: Features and Flavors (p. 295)
  9. Web Applications (p. 297)
  10. XML and Web Services (p. 349)
  11. Privacy and Secrets (p. 379)
  12. Privileged Programs (p. 421)
Part IV: Static Analysis in Practice (p. 457)
  13. Source Code Analysis Exercises for Java (p. 459)
  14. Source Code Analysis Exercises for C (p. 503)
Epilogue (p. 541)
References (p. 545)
Index (p. 559)



About the Author

Brian Chess is a founder of Fortify Software. He currently serves as Fortify’s Chief Scientist, where his work focuses on practical methods for creating secure systems. Brian holds a Ph.D. in Computer Engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service. He lives in Mountain View, California.


Jacob West manages Fortify Software’s Security Research Group, which is responsible for building security knowledge into Fortify’s products. Jacob brings expertise in numerous programming languages, frameworks, and styles together with knowledge about how real-world systems can fail. Before joining Fortify, Jacob worked with Professor David Wagner at the University of California at Berkeley to develop MOPS (MOdel Checking Programs for Security properties), a static analysis tool used to discover security vulnerabilities in C programs. When he is away from the keyboard, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security. He lives in San Francisco, California.



Customer Reviews

Most Helpful Customer Reviews (13 reviews)
18 of 26 people found the following review helpful
Disappointing and Lacks details (Feb. 17 2008)
By Craig Anderson
Format: Paperback
If you are an architect who is really serious about building security into your large-scale applications, then this book would offer only a hello world to security. All you find is a full-blown security chapter ("Part 1 and 2") for standalone applications; beyond that, nothing but google-able content. The worst is Part III, which discusses web apps, XML web services security, privacy and privileged programs - poorly written and highly repetitive content. Most disappointingly, there is no chapter to show how to put together all this stuff in a real world enterprise application. I also noticed the book has the same Java examples as the Java site. The chapter on Web services security is a joke, and shows the authors' lack of understanding of Web services security fundamentals. After browsing all the pages, I didn't find anything that shows how to incorporate them in a working security architecture. The book is also trying to promote a product; maybe this book is relevant for those who use the author-suggested products.
13 of 19 people found the following review helpful
The best book for learning how to fix your code (July 5 2007)
By James Walden
Format: Paperback
After having read every secure programming book in print, this is the book I would recommend to both working developers and students. The abundance of code examples in C/C++ and Java helps this book stand out from the shelf of other secure programming books, but that's just the beginning of what sets this book apart from the rest.

While most secure programming books focus on the basics of security mistakes like buffer overflows, they're short on how to find and fix security flaws in a large body of code. Most of us have too much code to inspect manually line by line by the next release, so this book shows the reader how to effectively use static analysis tools as a part of the code review process to automate finding security bugs. The CD that comes with the book has a working demo version of the Fortify Source Code Analyzer tool, so the reader can gain hands-on experience with static analysis.

Once you've found the bugs, you could attempt to fix them one by one, or you could fix them in a consistent, structured manner using secure design strategies to solve problems like input validation and memory management that are the source of so many security problems. Secure Programming with Static Analysis has a readable and practical discussion of these strategies, with many code examples so the reader can easily apply these strategies. It also shows how to use static analysis tools to ensure that all of your code follows these strategies, so that no input escapes validation.

Every software developer needs to know how to program securely, and there's no better place to start learning than this book.
2 of 3 people found the following review helpful
Recommend a Different Book (Aug. 18 2015)
By R. Smith
Format: Paperback Verified Purchase
I typically review systems and commercial software from a security standpoint. Recently, there has been a push to review software that is developed in-house utilizing tools such as Burpsuite and Fortify SCA. The classes that have been offered to my co-workers have been best described as "How to install the Fortify software." I was hoping to find a book with an in-depth view of utilizing Fortify to analyze source code. While the main focus of the book is not on Fortify, I was hoping that the 2 chapters (tutorials) would be a good start, as this is the only book I know of that deals with Fortify (except the proprietary HP manuals).

Why not just use the proprietary manuals and play with the software at work? Simple, I do not have time to read through manuals and play at work. I need something I can work with at home. The biggest problem I have with this book is that the software included is no longer functional. To install, you have to get a license from the Fortify website which is now owned by HP. Neither the authors nor HP will provide a license so the software is useless.

If you are looking for a book to aid in secure code analysis, this is not the book for you. Secure Programming with Static Analysis… I read as "make your applications secure by using static code analysis to identify problems." While the authors do give a fair amount of bad code to learn from, the details are less forthcoming than in other books. Rather than give examples of how to use static code analysis tools to identify and correct problems, the authors give details of how they wrote rules to identify the problematic code. So if you are a programmer wanting to write your own "Fortify" software, this is a great start. I deducted 1 star because I felt the book only lives up to the “secure programming” portion of its name. You will not be getting any hands-on with Static Analysis from this book (as I mentioned, the software no longer functions).

At the time the book was written, it probably was cutting edge knowledge, and software security as described by the author was believed to be a job only a programmer could do. This is the way the book is written. Books like The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws are much friendlier towards non-programmers and have way more detail than this book. In fact, the WAHH describes how a non-programmer may perform secure code analysis with a little research and gives you enough information to get started. It may seem unfair to judge this book published in 2007 by information available in 2015. However, I feel it is more unfair that someone like myself will purchase it based on the reviews when better books are available. I deducted 2 stars for the limited (and old) information.

To address comments about how the WAHH does not address some of the topics (in-depth) that are covered in this book, such as native compiled languages, I would recommend Hacking: The Art of Exploitation, 2nd Edition, but it is not for the faint of heart. The Shellcoder's Handbook: Discovering and Exploiting Security Holes might be more in line with my previous recommendation; however, I have yet to read this book so I will reserve judgment.

In all, I am giving the book 2 stars as the information contained in it may be useful to other readers, but there are far better sources to go to. In fact, I hope the whole industry dumps the use of Fortify in favor of open source alternatives that the worker bees can actually get their hands on. Check out OWASP for a list of alternatives. If you are a developer looking into secure programming, after reading the previously mentioned book check out the US CERT/SEI secure programming [language of choice] books. This book will likely make it into my trash very soon unless you want to buy it???
1 of 1 people found the following review helpful
ComputerWrangler (Sept. 27 2015)
By Computer Wrangler
Format: Paperback Verified Purchase
OK book, but I purchased it for the practice software for HP Fortify - which doesn't work. HP no longer supports it, and it won't run without HP support. I sent the book back.
Secure Programming With Static Analysis - by Brian Chess and Jacob West (Feb. 20 2011)
By Vishal .S
Format: Paperback Verified Purchase
I bought this book as a course requirement and it has been much more than that. This book enlightens you with situations which you would have encountered previously but never realized how an adversary could exploit the situation to either break into your system or just cause havoc from outside. The authors have shared their company's software, named Fortify, which helps us analyze programs using static analysis. The only drawback is that the software is an out-of-date one which refuses to configure on a Windows 7 system and requires XP compatibility. Also, understandably, it is a demo version which has extreme constraints on the size of code being analyzed. I wish the authors would have looked into these minor details.