Writing Secure Code Paperback – Nov 3 2001

4.7 out of 5 stars 21 customer reviews


Product Details

  • Paperback: 477 pages
  • Publisher: Microsoft Press; Pap/Cdr edition (Nov. 3 2001)
  • Language: English
  • ISBN-10: 0735615888
  • ISBN-13: 978-0735615885
  • Product Dimensions: 18.7 x 3.4 x 23.2 cm
  • Shipping Weight: 1.1 Kg
  • Amazon Bestsellers Rank: #1,845,690 in Books

Product Description

From the Publisher

No more malicious attacks! Learn the best practices for writing secure code, with samples in Microsoft Visual Basic®.NET, Visual C++®, Perl, and Visual C#®.

About the Author

Michael Howard is a security program manager on the Microsoft Windows XP team, focusing on secure design, programming and testing techniques. He works with hundreds of people both inside and outside the company to help them secure their applications each year. He is the primary author of DESIGNING SECURE WEB-BASED APPLICATIONS FOR MICROSOFT WINDOWS 2000 from Microsoft Press. Prior to working on Windows XP, Michael worked on next-generation Web server technologies and IIS. He has worked on Windows NT® security since 1992.

David LeBlanc is a senior security technologist in ITG at Microsoft. His primary role is defending the Microsoft network from attack. He has worked in the security field throughout his professional life, including working at Internet Security Systems where he was the primary engineer on ISS’ award-winning security products. David serves on a number of external security-related advisory boards.

First Sentence: In memory of all those people who needlessly perished on September 11, 2001.

Customer Reviews


Top Customer Reviews

Format: Paperback
This is a good book as it does a good job covering the different sources of software insecurities:

- The classical buffer overflows on the stack and on the heap
- Canonical issues on input
- The least privilege principle
- There is a brief overview on how to store a secret

On the last point, the authors know the topic well. If you are using cryptography to protect something in your software but just store the private key in a global variable, then you are helping the job of hackers tremendously, as all they will have to do is look into your executable binary to search for something that looks like a key. A security measure is as strong as its weakest element, and no hacker is foolish enough to attack a cryptographic algorithm that is proven strong. Even if you store the key in a secure place, all that is needed to retrieve the key is to perform a memory dump at the right time, just before the software uses the key. At least you can make the hackers' job harder, as there is nothing you can do to make your software 100% safe against hackers if the software is valuable enough to motivate them to hack it. All you can do by improving your software security is to buy yourself some time before your software is hacked. All that to say that there is no bulletproof solution against hackers, but the book gives solid leads to improve software security in that respect.

In this book, there is a strong emphasis on Microsoft security technologies. The Windows Crypto API and the Microsoft OSes privileges API are described in length. If you develop on Windows and want to make your software more secure then this is an excellent book for you.
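The reviewer's point that a key stored as a literal "looks like a key" inside the binary is also why defenders scan source and build output for such literals before release. As an added example, not code from the book or from this page, here is a small entropy-based check in Python run over constructed sample source lines (the file contents and the `AES_KEY` name are hypothetical):

```python
import math
import re
from collections import Counter

# Constructed sample source (hypothetical, not from the book); line 2 embeds a key literal
SAMPLE_SOURCE = """\
const char *BANNER = "Welcome to the secure widget service";
static const char *AES_KEY = "7f3a9c1e5b2d8e4f6a0c3b9d1e7f2a5c4b8d6e0f";
int retries = 3;
const char *LOG_FMT = "user=%s action=%s status=%d";
"""

# Double-quoted string literals, allowing escaped characters inside
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Character set typical of raw keys: hex or base64/url-safe, no whitespace
KEY_CHARSET = re.compile(r'^[A-Za-z0-9+/=_-]+$')

MIN_LEN = 20        # shorter literals are usually identifiers or format strings
MIN_ENTROPY = 3.5   # bits/char; a hex key scores about 4.0, base64 keys higher, prose lower


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_secrets(source: str):
    """Return [(line_no, literal)] for string literals that look like embedded keys."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for lit in STRING_LITERAL.findall(line):
            if (len(lit) >= MIN_LEN and KEY_CHARSET.match(lit)
                    and shannon_entropy(lit) >= MIN_ENTROPY):
                hits.append((line_no, lit))
    return hits


if __name__ == "__main__":
    # Reports line 2 of the constructed sample; the banner and format string are skipped
    for line_no, lit in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: possible hardcoded key {lit[:8]}... (len {len(lit)})")
```

The same check applied to the strings section of a built binary is what makes a key in a global variable trivial to locate, which is the reviewer's argument for keeping keys out of the executable altogether.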
Format: Paperback
I bought this book after the *Bill Gates* email came out about Microsoft being serious about security. I figured that when he sends email like this to the company, it's important. And when **he recommends this book** in the email, it's something worth looking at. It is - Writing Secure Code is great. It's an easy read, full of great design, development and testing principles and ideas.
The first couple of chapters revolve around design, in fact ch2 is over 70pp long, and it's all about how to design secure systems.
The bulk of the book focuses on secure coding, including buffer overruns, sockets, RPC, COM, Crypto, canonicalization issues, least privilege, storing secret data, Web apps - and more!
The last part of the book discusses common .NET coding errors, and how to build security test plans.
What makes this book utterly unique is it really teaches you how to design and test secure applications, as well as how to write them. The design and test stuff I have seen nowhere else.
The book is worth every penny, and I now know why Bill Gates recommends the book to all Microsoft developers.
Format: Paperback
When deciding on whether or not to buy a book, I normally read the reviews to find out what people did not like. After checking out this book, I am shocked at the comments one of the reviewers wrote, as he unfairly panned the book on something that it was not intended to solve.
If you are looking for a heavy coders book to show you how to code security in your apps, this is probably not the best place to look. While there is some code, that is not the primary focus. You will also be disappointed if you are looking for code samples that easily migrate to other systems.
The book is, overall, very Microsoft-centric. Whether this is good or bad depends largely on your point of view, although you can apply many of the techniques to any platform to shore up holes in your code.
There are many of the security mistakes in this book that I found almost laughable, until I tested code on a few colleagues' sites. If you code your SQL strings in ADO, for example, you might be leaving a way for a malicious user to gain admin rights to your SQL Server.
If you think there is no way in the world you would ever need a book on security holes in code, then this book is probably tailor made for you. Understand, of course, if you do not do windows, the code samples will be far less useful than if you do.
Format: Paperback
There's no other book like this on the market. It is an extremely practical book with lessons learned from security teams at Microsoft. Not only do they tell you about real-life problems they've experienced, they tell you what to avoid and how to best fix security problems. The best thing I like about the book is that it comes with code examples throughout the book that you can use when building your secure applications. It goes completely down and dirty to the details, but with a good 30,000 foot view of how to address security from a Project Management level too.
We (Foundstone) have been performing security assessments on products and applications for years and have seen the same problems they address in the book out in the software industry. But I still learned a lot of new tricks from the book, especially regarding the Microsoft platform. My only fear is that if people start reading this book, I'll be out of a job!
If you write code, or are a project manager or tester, you need to go buy this book, especially if you are working on the Microsoft platform.