Rating: Summary: I saw this book on a colleague's desk... Review: ...so I picked it up and flipped through it. It is packed with valuable (and usable!) information. This book seems so useful, I ordered myself a copy. Nothing else out there talks about how to write (and test) the security aspects of an application.
Rating: Summary: Strong on issues, weak in depth Review: A pretty good book if you are not very familiar with security issues. It has a very good introduction to threat modeling concepts from a software engineering point of view. It does a good job alerting developers of potential risks in their day-to-day coding practices, although this is achieved sometimes through blatant bluff. When it comes down to the hardcore issues, the book just scratches the surface most of the time. A typical software product manager's writing with some technical touch. This is said because of the quality of the sample code presented. If you have read Jeffrey Richter's book, you know what I mean.
Rating: Summary: Great book! Review: After reading the secure web app chapter, I rushed out and fixed about seven errors in my web-based finance app. The security bugs were bugs I didn't know I had! We've also built cross-site scripting tests based on the commentary in the testing chapter. GREAT BOOK!
Rating: Summary: Exceptional book Review: An excellent discussion of designing and writing secure code! I had the opportunity to see Michael Howard speak at this year's Professional Developers Conference -- he opened my eyes to the programmatic side of security and clearly knows whereof he speaks. (...)the authors begin with the business case, discuss how to integrate security awareness into the development process, and then move into discussions of techniques in a well-organized fashion. Example code is clear and to the point. I highly recommend this book to anyone sincerely interested in writing high-quality software.
Rating: Summary: Crikey! Review: As a newcomer to security issues in networked systems, I read this book going progressively whiter, realising that most code, my own included, had glaring invitations to the ill-adjusted individuals that get kicks from spreading malware and owning other people's computers to do me some damage. This changes everything. This book is the first toolbox I have ever encountered for giving developers a better than even chance against the hackers. More power to Howard and LeBlanc's elbows! Well done, gentlemen.
Rating: Summary: A Must buy Review: Covers Windows and Web security coding bugs like no other book. Very complete, and an easy read. The Web section is the only one of its kind! Note, this book is not focused on security features (SSL, IPSec etc.), but rather how to build secure applications, and is a 'must have' for Web and Windows developers/designers and testers.
Rating: Summary: Dear Mr. Gates... Review: Dear Bill, Oh boy, what a nifty little bit of propaganda this book is. Really gives the reader the idea that Microsoft cares about secure code. Never mind the gaping hole that Microsoft announced in the news (March 2004), or the worm that took down several hundred thousand machines, or the insecure-by-default mode that Windows boxes install in. Ahem, I'm sure Longhorn will solve everything. Bill, security professionals everywhere should take their hats off to you and extend their thanks because, without a doubt, you're keeping them in business. You, and your cute little sweater and corduroy pants combo. The solution to your problems, Bill, is simple: ahem, AUDIT YOUR CODE YOU *&^% CHEAP #$%^&* SON-OF-A-LAWYER. Therein lies the problem. You see, that would be expensive (wouldn't it?); and no matter how cheap those workers are over in India, and no matter how many positions you ship over to China, Microsoft will make more money by simply piling on more features and selling a faulty product. What the hell, they can always offer patches after the fact, right? What's a few hundred megabytes of patch binaries on a T1 anyway? So don't worry Bill, give your high-paid executive security specialists the afternoon off (hell, they couldn't protect you from an errant cream pie). Leave your wallet on the table in the front hall, along with your cell phones and your car keys. Take a stroll down to my neck of the woods; far away from the controlled climate, antique oak furniture, and the catered meals of your comfortable aristocratic existence. Come down to South Los Angeles... Come and see why security matters, and why you can only hide from the problem for so long... until it comes looking for you.
Rating: Summary: Required reading, not just at MS Review: Every professional developer should read this book, period! This book provides a great overview of what techniques are important when writing secure applications, and what pitfalls to avoid. The book does a good job at making a point through examples and by explaining possible exploits. This book tries to cover a lot of ground. Most of the things discussed are for C++ developers. However, most of the things discussed are of general interest no matter what language one develops with. I found myself wishing that the book covered a bit more about my development environment of choice: Visual Studio .NET. As mentioned above, I found all the content very interesting and applicable, but I think it would be good to have more than one chapter covering .NET specifically. I do realize, however, that this book was first written before .NET. Perhaps someone will dedicate a book completely to .NET ("Writing Secure .NET Code" anyone?). This book provides a solid foundation and teaches developers what to look for. However, the book is written for developers and managers alike and does not cover tons of implementation details. I would recommend this book to everyone as a first book to read about secure application development. It is not the last book people should read, however. There are a number of good books available for a variety of environments (including .NET) that discuss specific implementations of various security and privacy techniques. Get several of those books as well! Bottom line: This is a great book. Developers must read it. No "ifs" and "buts". Once you are done with this one though, get other security books and keep on reading...
Rating: Summary: Finally! A Great Book about security! Review: Finally a book written by authors who know their stuff and can express themselves well. I have read many books about security and most of them focus simply on how things work, but not how to use them effectively when designing and building networked applications. However, this book delivers: it is rich in depth and breadth, and is really easy to read. What's surprising is I thought I knew how to build secure apps, 'til I read this book!
Rating: Summary: If you write software then buy this book! Review: I bought this after reading other reviews, and like many of them I found this book worth every cent. The three major portions of the book: secure design, secure coding and security testing are really well explained. In fact, I have never seen any other material in any book on security design and testing. And to those that think there are no good SSL examples, I have two comments: (a) yes, there is material in the book on when to use SSL (and when not to!) and (b) SSL is no panacea, sometimes SSL is not the correct solution to use, and this book offers exceptional recommendations on how to determine if SSL is indeed the correct solution or not.