|
||||||||||||||||||
|
||||||||||||||||||
|
||||||||||||||||||
| ||||||||||||
Frequently Bought Together
Product Details
|
Product Description
Book Description
Keep black-hat hackers at bay with the tips and techniques in this entertaining, eye-opening book! Developers will learn how to padlock their applications throughout the entire development process—from designing secure applications to writing robust code that can withstand repeated attacks to testing applications for security flaws. Easily digested chapters reveal proven principles, strategies, and coding techniques. The authors—two battle-scarred veterans who have solved some of the industry’s toughest security problems—provide sample code in several languages. This edition includes updated information about threat modeling, designing a security process, international issues, file-system issues, adding privacy to applications, and performing security code reviews. It also includes enhanced coverage of buffer overruns, Microsoft® .NET security, and Microsoft ActiveX® development, plus practical checklists for developers, testers, and program managers.
From the Publisher
As the Internet grows in importance, applications are becoming highly interconnected. Read the first page
Concordance
Front Cover | Copyright | Table of Contents | Excerpt | Index
Tag this product(What's this?)Think of a tag as a keyword or label you consider is strongly related to this product.
Tags will help all customers organize and find favorite items. |
What Other Items Do Customers Buy After Viewing This Item?
Customer Reviews
|
Share your thoughts with other customers:
|
||||||||||||||||||||||
|
Most helpful customer reviews
3 of 3 people found the following review helpful
3.0 out of 5 stars
Not writing non-secure code for Windows,
By Dmitry Dvoinikov (Ekaterinburg, Russia) - See all my reviews
This review is from: Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World (Paperback)
The title of the book is misleading to begin with. The book is not about writing secure code. It's about (1) not writing non-secure code and (2) using Windows specific security APIs. (1) Not writing non-secure code. Covers several issues, some more obvious, like buffer overruns and validating user input, some more complex, like escaping URLs and socket security. I thought the book would teach me best practices about organizing code, as in "do like I do". Instead it goes like "don't do like I'm telling you". (2) Using Windows security APIs. This is THE BEST part of the book. Gives you a very good overview about several different APIs, including ACLs, protecting sensitive data, securing DCOM and .NET code, excellent tips on installing programs etc. etc. Keep in mind that this book is said to be used internally within Microsoft with "security pushes", with the audience of 8000 people, including not only developers of all levels, but managers as well, therefore the book is by definition a high level overview. Sometimes the book feels like MS educational course. Ex. (tip on p.77) "I created the ... diagrams ... using ... Microsoft Visio Professional 2002". That's cool, but what does it have to do with security ? Some topics should never be there. How about 3 pages of tips for a kernel driver writer ? It's a huge topic in itself and how many readers outside MS do this anyway ? Privacy issues are covered idealistically. Yeah, sure, if you put a specially crafted XML to the special place on your site, the users magically start trusting you... I'd better read about real situation with privacy, not how the government rules it to be. Oh, and how about 40 pages about cryptography ? Please... The book tries to show you the security process with development and testing. I can easily see they use this process in Microsoft, with 8000 people. For a small team it's completely useless. How about using 4 (!) people for a code review ? Sure, upon reading this book you will know that security code review is a must (if you have enough resources). Didn't you know that before ? The code samples are ugly. How about this: "... X is cool ... several pages of Perl (!) ... see what I mean ?". Ok, one of the authors admits to be a Perl fan, but how am I supposed to read through all this gibberish ? C(++) samples are not much better. May be they are fully functional and compilable and all, but please, they are huge and inconsistent in themselves. All in all, 5 stars for Microsoft, 3 stars for the rest of the world.
1 of 1 people found the following review helpful
4.0 out of 5 stars
A good security book especially if you develop on Windows,
By Olivier Langlois "www.OlivierLanglois.net" (Montreal, Quebec Canada) - See all my reviews (REAL NAME)
This review is from: Writing Secure Code (Paperback)
This is a good book as it does a good job covering the different sources of software insecurities:- The classical buffer overflows on the stack and on the heap - Canonical issues on input - The least privilege principle - There is a brief overview on how store a secret On the last point, the authors know well the topic. If you are using cryptography to protect something in your software but just store the private key in a global variable then you are helping tremendously the job of hackers as all they will have to do is look into your executable binary to search for something that looks like a key. A security measure is as strong as its weakest element and no hacker is foolish enough to attack a cryptographic algorithm that is proven strong. Even if you store the key in a secure place, all that is needed to retrieve the key is to perform a memory dump at the right time just before the software use the key. At least, you can make hackers job harder as there is nothing you can do to make your software 100% safe against hacker if the software is valuable enough to motivate them to hack your software. All you can do by improving your software security is to buy you some time before your software is hacked. All that to say that there is not bullet proof solution against hackers but the book gives solid leads to improve software security in that aspect. In this book, there is a strong emphasis on Microsoft security technologies. The Windows Crypto API and the Microsoft OSes privileges API are described in length. If you develop on Windows and want to make your software more secure then this is an excellent book for you. If you develop on another platform, there is still something for you in this book as there are a lot of code snippets that are platform independent to improve software security such as input validation for file names to protect yourself against canonization bugs. This is a very good book about software security but I do not recommend it simply because there is a new edition of it.
5.0 out of 5 stars
Required readind, not just at MS,
By
This review is from: Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World (Paperback)
Every professional developer should read this book, period!This book provides a great overview of what techniques are important when writing secure applications, and what pitfalls to avoid. The book does a good job at making a point through examples and by explaining possible exploits. This book tries to cover a lot of ground. Most of the things discussed are for C++ developers. However, most of the things discussed are of general interest no matter what language one develops with. I found myself wishing that the book covered a bit more about my development environment of choice: Visual Studio .NET. As mentioned above, I found all the content very interesting and applicable, but I think it would be good to have more than one chapter covering .NET specifically. I do realize however, that this book was first written before .NET. Perhaps someone will dedicate a book completely to .NET ("Writing Secure .NET Code" anyone?). This book provides a solid foundation and teaches developers what to look for. However, the book is written for developers and managers alike and does not cover tons of implementation details. I would recommend this book to everyone as a first book to read about secure application development. It is not the last book people should read however. There are a number of good books available for a variety of environments (including .NET) that discuss specific implementations of various security and privacy techniques. Get several of those books as well! Bottom line: This is a great book. Developers must read it. No "ifs" and "buts". Once you are done with this one though, get other security books and keep on reading...
Share your thoughts with other customers: Create your own review
Want to see more reviews on this item?
|
Most recent customer reviews |
Listmania!
Look for similar items by category
- Books > Business & Investing > Industries & Professions > E-commerce
- Books > Computers & Internet > Programming > Software Design, Testing & Engineering > Software Development
- Books > Computers & Internet > Software
- Books > Computers & Internet > Web Development > Security & Encryption > Encryption
- Books > Professional & Technical > Professional Science > Mathematics
- Books > Qualifying Textbooks - Fall 2007 > Business & Investing
- Books > Qualifying Textbooks - Fall 2007 > Computers & Internet
Look for similar items by subject
Feedback
|
