This essential book for all software developers, regardless of platform, language, or type of application, outlines the "19 deadly sins" of software security and shows how to fix each one. Best-selling authors Michael Howard and David LeBlanc, who teach Microsoft employees how to secure code, have partnered with John Viega, the man who uncovered the 19 deadly programming sins, to write this much-needed book. Coverage includes:
- Windows, UNIX, Linux, and Mac OS X
- C, C++, C#, Java, PHP, Perl, and Visual Basic
- Web, small client, and smart-client applications
In early 2004, Amit Yoran, then the director of the National Cyber Security Division at the U.S. Department of Homeland Security, announced that about 95 percent of software security bugs come from 19 “common, well-understood” programming mistakes. We are not going to insult your intelligence and explain the need for secure software in today’s interconnected world—we assume you know the reasons—but we will outline how to find and remedy these common security defects in your code.
The worrisome thing about security defects is that they are very easy to make, and the consequences of a simple one-line error can be catastrophic. The coding defect that led to the Blaster worm was two lines long.
If there is only one bit of wisdom we can offer you, it’s this: “No programming language or platform will make your software secure for you. Only you can do that.” There is a lot of literature on creating secure software, and the authors of this book have written some of the most influential material, but there is a need for a small, easy-to-read, pragmatic book on the subject that covers all the bases quickly.
When writing this book, we stuck by a simple set of rules to keep it pragmatic:
- Keep it simple. We didn't focus on unnecessary drivel. There are no war stories, no funny anecdotes; it's just the pertinent facts. You probably just want to get your job done, and wish to make your code as good as possible in the shortest amount of time; hence we kept the book simple so you can refer to it rapidly and get the facts you need.
- Keep it short. A follow-on from the previous point: by focusing on the facts, and nothing else, we were able to keep the book short. In fact, we'll keep this introduction short too.
- Make it cross platform. The Internet is a complex place, with myriad interconnected computing devices running different operating systems and software written in many programming languages. We wanted to make this book appeal to all developers, so the examples in this book apply to most operating systems.
- Make it cross language. A follow-on from the previous point: most examples apply to different languages, and we show plenty of security defects in numerous languages throughout the book.