CELEBRATE EARTH WEEK
Save 70% on video training and simulators now through April 27*—use code EARTH. Shop now.
This eBook includes the following formats, accessible from your Account page after purchase:
EPUB The open industry format known for its reflowable content and usability on supported mobile devices.
MOBI The eBook format compatible with the Amazon Kindle and Amazon Kindle applications.
PDF The popular standard, used most often with the free Adobe® Reader® software.
This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.
Most organizations have a firewall, antivirus software, and intrusion detection systems, all of which are intended to keep attackers out. So why is computer security a bigger problem today than ever before? The answer is simple--bad software lies at the heart of all computer security problems. Traditional solutions simply treat the symptoms, not the problem, and usually do so in a reactive way. This book teaches you how to take a proactive approach to computer security.
Building Secure Software cuts to the heart of computer security to help you get security right the first time. If you are serious about computer security, you need to read this book, which includes essential lessons for both security professionals who have come to realize that software is the problem, and software developers who intend to make their code behave. Written for anyone involved in software development and use–from managers to coders–this book is your first step toward building more secure software. Building Secure Software provides expert perspectives and techniques to help you ensure the security of essential software. If you consider threats and vulnerabilities early in the devel-opment cycle you can build security into your system. With this book you will learn how to determine an acceptable level of risk, develop security tests, and plug security holes before software is even shipped.
Inside you'll find the ten guiding principles for software security, as well as detailed coverage of:
Only by building secure software can you defend yourself against security breaches and gain the confidence that comes with knowing you won't have to play the "penetrate and patch" game anymore. Get it right the first time. Let these expert authors show you how to properly design your system; save time, money, and credibility; and preserve your customers' trust.
It's All about the Software.
Dealing with Widespread Security Failures.
Technical Trends Affecting Software Security.
What Is Security?.
Isn't That Just Reliability?
Penetrate and Patch Is Bad.
On Art and Engineering.
Traceability and Auditing.
Privacy and Confidentiality.
Know Your Enemy: Common Software Security Pitfalls.
Software Project Goals.
An Overview of Software Risk Management for Security.
The Role of Security Personnel.
Software Security Personnel in the Life Cycle.
Design for Security.
A Dose of Reality.
Getting People to Think about Security.
Software Risk Management in Practice.
When Development Goes Astray.
When Security Analysis Goes Astray.
The Common Criteria.
Choosing a Language.
Choosing a Distributed Object Platform.
EJB and RMI.
Choosing an Operating System.
Defense in Depth and Authentication.
Security by Obscurity.
Security for Shrink-Wrapped Software.
Security by Obscurity Is No Panacea.
The Flip Side: Open-Source Software.
Is the “Many-Eyeballs Phenomenon<170) Real?
Why Vulnerability Detection Is Hard.
On Publishing Cryptographic Algorithms.
Two More Open-Source Fallacies.
The Microsoft Fallacy.
The Java Fallacy.
An Example: GNU Mailman Security.
More Evidence: Trojan Horses.
To Open Source or Not to Open Source.
Another Security Lesson from Buffer Overflows.
Beating the Drum.
Principle 1: Secure the Weakest Link.
Principle 2: Practice Defense in Depth.
Principle 3: Fail Securely.
Principle 4: Follow the Principle of Least Privilege.
Principle 5: Compartmentalize.
Principle 6: Keep It Simple.
Principle 7: Promote Privacy.
Principle 8: Remember That Hiding Secrets Is Hard.
Principle 9: Be Reluctant to Trust.
Principle 10: Use Your Community Resources.
Architectural Security Analysis.
Reporting Analysis Findings.
Implementation Security Analysis.
Auditing Source Code.
Source-level Security Auditing Tools.
Using RATS in an Analysis.
The Effectiveness of Security Scanning of Software.
What Is a Buffer Overflow?
Why Are Buffer Overflows a Security Problem?
Defending against Buffer Overflow.
Internal Buffer Overflows.
More Input Overflows.
Tools That Can Help.
Smashing Heaps and Stacks.
Decoding the Stack.
To Infinity and Beyond!
A UNIX Exploit.
What About Windows?
The UNIX Access Control Model.
How UNIX Permissions Work.
Modifying File Attributes.
The Programmatic Interface.
Access Control in Windows NT.
What Is a Race Condition?
Avoiding TOCTOU Problems.
Secure File Access.
Other Race Conditions.
Pseudo-random Number Generators.
Examples of PRNGs.
The Blum-Blum-Shub PRNG.
The Tiny PRNG.
Attacks Against PRNGs.
How to Cheat in On-line Gambling.
Statistical Tests on PRNGs.
Entropy Gathering and Estimation.
Poor Entropy Collection: How to Read “Secret” Netscape Messages.
Practical Sources of Randomness.
Random Numbers for Windows.
Random Numbers for Linux.
Random Numbers in Java.
Developers Are Not Cryptographers.
Common Cryptographic Libraries.
Programming with Cryptography.
Public Key Encryption.
More Uses for Cryptographic Hashes.
SSL and TLS (Transport Layer Security.
A Few Words on Trust.
Examples of Misplaced Trust.
Trust Is Transitive.
Protection from Hostile Callers.
Invoking Other Programs Safely.
Problems from the Web.
Format String Attacks.
Automatically Detecting Input Problems.
Adding Users to a Password Database.
Using Views for Access Control.
Security against Statistical Attacks.
Copy Protection Schemes.
Thwarting the Casual Pirate.
Other License Features.
Other Copy Protection Schemes.
Authenticating Untrusted Clients.
Responding to Misuse.
Basic Obfuscation Techniques.
Encrypting Program Parts.
Peer to Peer.
The Ultimate Goals of Cryptography.
Attacks on Cryptography.
Types of Cryptography.
Types of Symmetric Algorithms.
Security of Symmetric Algorithms.
Public Key Cryptography.
Cryptographic Hashing Algorithms.
Other Attacks on Cryptographic Hashes.
What's a Good Hash Algorithm to Use?