Writing Secure Code, Second Edition

List Price: $49.99
Your Price: $32.99

Rating: 5 stars
Summary: Go buy this book, Now!
Review: There's no other book like this on the market. It is an extremely practical book with lessons learned from security teams at Microsoft. Not only do they tell you about real-life problems they've experienced, they tell you what to avoid and how to best fix security problems. The best thing I like about the book is that it comes with code examples throughout the book that you can use when building your secure applications. It goes completely down and dirty to the details, but with a good 30,000 foot view of how to address security from a Project Management level too.

We (Foundstone) have been performing security assessments on products and applications for years and have seen the same problems they address in the book out in the software industry. But I still learned a lot of new tricks from the book, especially regarding the Microsoft platform. My only fear is that if people start reading this book, I'll be out of a job!

If you write code, are a project manager, tester, you need to go buy this book, especially if you are working on the Microsoft platform.

Rating: 5 stars
Summary: Good eye-opener book
Review: This book does a great job on showing you that security is not exactly a feature you add to your software, but should be a part of every single line of code you write.

The text is very clear and fun, providing an easy and productive reading. As the book is based on some problems and techniques encountered/developed in the security push made at Microsoft in early 2002, it is very practical and realistic.

Good reading for anyone trying to develop a better vision of software security.

Rating: 5 stars
Summary: An Excellent Book
Review: This book tells you the nuts and bolts of secure programming in great detail and explained real well.

I especially enjoy the anecdotes, the authors obviously know their stuff and have plenty of experience!

This book covers real-world-apps and how to build them based on threats and common security coding mistakes.

It's a great book!

Rating: 3 stars
Summary: Pretty good...
Review: This book was pretty good. I liked it less after thinking about some of the reviews here. One reviewer has a good point that this is not a book for the hardcore coder. It is more about high-level how to secure-it stuff. Still, I thought the other reviewer had a good point too about SSL. I didn't think about it until after I finished the book, but the topic wasn't covered at all. Is it really something where there are no pitfalls to using it? It's okay not to tell me about the API, but even if SSL doesn't have any problems, I would have at least liked to hear "use this, it will secure all your network connections, then you won't have to worry about any network attacks" or something like that.

Rating: 5 stars
Summary: This is a must read....
Review: This is a must read for today's savvy developer. Michael is obviously a talented individual who shares his insight in a simple no nonsense fashion. You can spend 10 yrs making all these mistakes and learning from them or just read this book! I have brought several for our department that have become well thumbed in only a few weeks.

Rating: 5 stars
Summary: Not perfect, but perhaps the best you will get!
Review: This is a wonderful book that covers things that are often glossed over in other security books. For instance, the coverage of access control lists, and the difficulties of controlling them, are well covered. I wish it had more information on the .NET Framework (there are I believe 2 chapters covering .NET security issues) but the editing is clean (something I am a bit of a fanatic about) and the writing style is good enough to make this relatively dry topic an enjoyable read.

Rating: 4 stars
Summary: Excellent reading for any programmer
Review: This is an excellent book for any beginner to intermediate programmer who would like to know the hooks and corners of securing the code.

The book starts rather philosophically and for anyone who read Steve Maguire's book this might seem like a bit boring. But the real meat won't come until part 2, where the author takes a straight dive into the coding with lots of examples. Some of the web related examples deserve double clapping just for the effort the examples are bringing out the case of bad-news. This has got to open up any programmer's eye and any manager's mouth (in shock! that is).

The author takes us mostly into the world of Windows and C/C++ and somewhat into .NET and managed code behavior and security lapses one can get easily into.

While I enjoyed this book thoroughly, I just could not give it 5 stars because of its bias towards Windows and .NET framework. This can be accompanied with Steve Maguire's excellent book on Writing Solid "C" Code.

For an expert this book only offers few bits of additional information. This might be the case as the author tried to address many facets of programming and didn't concentrate on one subject alone. Ideally this book can be made into a separate series of books each concentrating on a single topic of interest.

Rating: 5 stars
Summary: Best book I have read about secure software
Review: Too many books talk about how to secure a network, and discuss network-based attacks, but this book is different; it covers how to design, build and test the code at the end of the pipe - the application software.

The book is complete in its explanation of how to make sure your application code, be it web-based or otherwise, is secured from attack.

I learned a great deal from this book, and, based on code and design reviews of my company's code, the authors obviously know what they are talking about - as we made a lot of fixes, and added many new security test cases to our test suites.

Simply put, we never knew we had problems, until we read this book, now it's mandatory reading for all our software engineers.

Rating: 1 stars
Summary: MICROSOFT SHOULD PRACTICE WHAT IT PREACHES
Review: Well, well, well, the Micro$oft Press is publishing a book on secure coding best practices. Sort of seems ironic doesn't it? After all, this is the same company that sells an operating system that has new holes popping up every day. Micro$oft should start a new online forum called the "hole of the week club." THIS IS NOT A COMPANY THAT PRACTICES WHAT IT PREACHES.

Bill Gates initially tried to downplay security holes as exceptions to the rule. Make no mistake about it, these are not exceptions to the rule; these holes pop up every day in dozens of places. Security problems are business as usual at Micro$oft. They don't really care, as long as the public keeps buying new releases.

A while back, Micro$oft made a big deal out of cramming all of their developers into an auditorium for several hours scolding. I know, I was there in the back row trying to hear what the suits were saying at the lectern. The sound system was a disaster.

Security is not something that can happen overnight. In fact, with a 50+ million-line code base, it would take years of source code auditing and proactive inspection to tighten up Windows. Micro$oft would literally have to freeze development for the next decade. We all know that this will never happen. Bill Gates, and his handy lightning rod Steve Ballmer, are too busy packing in new features. This only serves to increase the already prolific stream of security flaws.

Given all of this, LeBlanc's book is not what it seems. The truth is, Micro$oft is run by a bunch of HYPOCRITES! They somehow hope that by publishing a book on secure coding that they will give the public the impression that Robert Short and Dave Cutler are "serious" about security. It's all a bunch of fluff and marketing hype. Take it from an insider. The system is so big that we've lost R&D engineers who took a wrong turn while wandering around the Kernel.

When will this madness end? Probably when large corporations and federal agencies threaten to sue Micro$oft. Eventually, it will get to the point where Windows will put our national security at risk (if it already doesn't) and the legislators will start making noise about liability laws. Windows is big business, and the people running the show won't make changes until they become financially salient.

I hope you're listening Mr. Gates, it's time to change your priorities and business process. Before it's too late...

Rating: 4 stars
Summary: Very good book on security mistakes and how to fix them
Review: When deciding on whether or not to buy a book, I normally read the reviews to find out what people did not like. After checking out this book, I am shocked at the comments one of the reviewers wrote, as he unfairly panned the book on something that it was not intended to solve.
If you are looking for a heavy coder's book to show you how to code security in your apps, this is probably not the best place to look. While there is some code, that is not the primary focus. You will also be disappointed if you are looking for code samples that easily migrate to other systems.
The book is, overall, very Microsoft-centric. Whether this is good or bad depends largely on your point of view. While you can apply many of the techniques to any platform to shore up holes in your code.
There are many of the security mistakes in this book that I found almost laughable, until I tested code on a few colleagues' sites. If you code your SQL strings in ADO, for example, you might be leaving a way for a malicious user to gain admin rights to your SQL Server.
If you think there is no way in the world you would ever need a book on security holes in code, then this book is probably tailor made for you. Understand, of course, if you do not do Windows, the code samples will be far less useful than if you do.



© 2004, ReviewFocus or its affiliates