After much blood, sweat and tears, a new software security book, written by me, David LeBlanc and John Viega, went to the printers today and should be available in time for Blackhat :) It has the ever-so-catchy title of "The 19 Deadly Sins of Software Security."
Y'all probably know David; he was the co-author of Writing Secure Code with me. John is an old hand at this security stuff too; he's written a bunch of books focusing mainly on open source security, including Building Secure Software, Network Security with OpenSSL and Secure Programming Cookbook for C and C++.
So why on earth did we write another book on the subject? Easy: we wanted a book the whole industry could use. John's an open source guy, and David and I are primarily Windows guys, so we wanted to create a book that covered all popular languages (C, C++, C#, Java, PHP, Perl, VB etc.) and all popular platforms (Windows, Linux, Unix and Mac OS X).
The book is carved up into 19 chapters, or Sins, and each is only 10-15 pages long. The Sins are:
Each chapter is carved into the following sections:
Overview: A brief introduction to the problem, not too deep, limited to 6-12 paragraphs.
The Sin Explained: The core essence of the defect. What is the principal mistake that makes this A Bad Thing?
Sample Code Defect: Sample code. Use at least two languages if possible, and show variations if possible too.
Spotting the Defect Pattern: Outside of the defect itself, what designs must a developer follow to lead up to the vulnerability?
Spotting the Defect during Code Review: What to look for in code to spot the flaw. Remember, developers are time constrained, and in many instances knowledge constrained too, so anything you can do to make this step easier is good!
Testing the Defect during Test: Tools and techniques you can use to test for this kind of defect.
Example Defects: Examples from CVE or SecurityFocus of this kind of defect, with some commentary from us.
Redemption Steps: How to fix the problem in code. Once again, show many languages and, if possible, variants.
Extra Defensive Measures: Other defenses you can put in place that do not fix the problem, but may make it harder for a bad guy to exploit a potential defect.
Other Resources: Book chapters, web links etc.
Summary: A list of DO's, DO NOT's and CONSIDER's.
A critical design goal, from the outset, was to be short and to the point; no war stories, no gossip, just the facts.
We're very happy with this book. It's the first book to focus on the broad, industry-wide issue of software security, and we believe it covers *ALL* the bases.
http://www.amazon.com/exec/obidos/tg/detail/-/0072260858