Writing Secure Code, Second Edition
Some years ago i worked for a software house with over 30 developers, of which only one other had read the first edition of this book. I don’t think that was uncommon. Few developers cared about application security in general terms, their encounters with security being an inconvenience that either ‘broke’ code or (often post-exploit) resulted in ‘extra work’ bug-fixing. I use the past-tense, but i’ve really no evidence to suggest that things have changed all that much. Hopefully the wider distribution and publicity granted this second edition will help change that.
The book is organised into four major sections.
The first provides background material that outlines the need to secure systems and techniques for designing secure systems. It is carefully written, appropriately illustrated and has only two very small code examples (one of which pseudo-code, the other a couple of lines of asp), making it good for photocopying and distribution to project managers…
The second and third sections provide the bulk of the book – secure coding techniques. As you’d expect buffer overruns, acls, least privilege, crypto, canonical mistakes, sql injection, cross site scripting, dos attacks, to name a few are all covered, and there are chapters on internationalisation, sockets, rpc, and one – surprisingly small – on .net. I say surprisingly because a good part of the marketing for this book was that it was updated to cover .net, which it has – but not to the extent you’d think. If you’re looking for an in-depth analysis of .net security, this work doesn’t have it. But it doesnt needs it – if there is one single message in the second and third sections it is that there is no replacement for responsible, informed programming regardless of the syntax or technology used. The chapter entitled ‘All Input Is Evil’ makes that point well, it – like the others – applies whether you use .net or not.
The final section covers ‘everything else’ – testing, code reviews, installation, error messages, and a good – but brief – chapter on privacy and data security, and an excellent chapter on general good practises.
Part of what made the first edition a classic, to my mind, is that it addressed the security fundamentals *every* programmer on a microsoft platform should be aware of. After reading it i was in doubt of the importance of application security, the core principles, threats and coding countermeasures, and i went on to apply those in subsequent projects. This edition builds, updates and expands on the first and is, simply, required reading. unlike many sequels, it does not disappoint.
