From: Kathryn Barrett <kathrynb@oreilly.com>
Subject: O'Reilly Releases "Secure Coding: Principles & Practices"
Date: Mon, 30 Jun 2003 22:35:51 GMT

Avoid Costly Security Flaws with O'Reilly's "Secure Coding: Principles & Practices"

Sebastopol, CA--Rarely a week goes by without an announcement of a new attack on computer systems. Viruses, worms, denials of service, and password sniffers are attacking all types of systems--from banks to e-commerce sites to seemingly impregnable government and military computers--at an alarming rate. But, according to Kenneth R. van Wyk, coauthor of the new book, "Secure Coding: Principles and Practices" (O'Reilly, US $29.95), "there are really very few classes of errors being made." Despite their many manifestations and targets, nearly all attacks have one fundamental cause: the code underlying these computers and networks is not secure.

"Secure software doesn't happen by accident," says van Wyk. "The vast majority of security flaws being announced today are entirely avoidable."

Writing secure code isn't easy, and there are no quick fixes to bad code. According to Mark G. Graff, coauthor of "Secure Coding: Principles and Practices," to build code that repels attack, software developers must "understand where vulnerabilities come from and counteract those tendencies with time-proven practices."

"Good programmers write good code, bad programmers write bad code, but all programmers seem to write insecure code," says Marcus J. Ranum, principal author of the DEC SEAL firewall, TIS Gauntlet firewall, and Network Flight Recorder Intrusion Detection System. "Kudos to Mark and Ken for their explanation of the reasons it's so hard to write good secure code and what to do about it!"

"Secure Coding: Principles and Practices" makes the case that developers must be vigilant throughout the entire code lifecycle:

-Architecture: during this stage, applying security principles such as "least privilege" will help limit even the impact of successful attempts to subvert software.
-Design: during this stage, designers must determine how programs will behave when confronted with fatally flawed input data. The book also offers advice about performing security retrofitting when you don't have the source code--ways of protecting software from being exploited even if bugs can't be fixed.
-Implementation: during this stage, programmers must sanitize all program input (the character streams representing a program's entire interface with its environment--not just the command lines and environment variables that are the focus of most security analysis).
-Testing: during this stage, programs must be checked using both static code checkers and runtime testing methods--for example, the fault injection systems now available to check for the presence of such flaws as buffer overflow.
-Operations: during this stage, patch updates must be installed in a timely fashion. In early 2003, sites that had diligently applied Microsoft SQL Server updates were spared the impact of the Slammer worm that did serious damage to thousands of systems.

Trial and error can be a time-consuming, costly, and embarrassing lesson when it comes to secure code. van Wyk and Graff have managed to pack decades of experience in secure coding into a concise and engaging book. "We have grey hairs, and we earned 'em learning the lessons we teach in the book," laughs Graff.

Jeremy Allison, the coauthor of Samba, calls "Secure Coding": "A wonderful book...I wish it had been available when I was writing parts of Samba. I might not have had the last two security embarrassments to my name." Stephen E. Hansen, Information Security officer for Google, Inc., agrees: "I wish I had this book years ago as it has taken me years to figure these things out for myself."

Additional Resources:

To see what critics, security professionals, executives, academics, and other readers have said about "Secure Coding: Principles and Practices," see:
http://www.oreilly.com/catalog/securecdng/reviews.html

For more info on the book, including Table of Contents, author bios, and index:
http://www.oreilly.com/catalog/securecdng/

Chapter 1, "No Straight Thing," is available online:
http://www.oreilly.com/catalog/securecdng/chapter/index.html

For a cover graphic in JPEG format, go to:
ftp://ftp.ora.com/pub/graphics/book_covers/hi-res/0596002424.jpg

Secure Coding: Principles & Practices
By Mark G. Graff, Kenneth R. van Wyk
ISBN 0-596-00242-4, 224 pages, $29.95 US, $46.95 CA, 20.95 UK
order@oreilly.com
1-800-998-9938
1-707-827-7000
http://www.oreilly.com

About O'Reilly

O'Reilly & Associates is the premier information source for leading-edge computer technologies. The company's books, conferences, and web sites bring to light the knowledge of technology innovators. O'Reilly books, known for the animals on their covers, occupy a treasured place on the shelves of the developers building the next generation of software. O'Reilly conferences and summits bring alpha geeks and forward-thinking business leaders together to shape the revolutionary ideas that spark new industries. From the Internet to XML, open source, .NET, Java, and web services, O'Reilly puts technologies on the map. For more information: http://www.oreilly.com

# # #

O'Reilly is a registered trademark of O'Reilly & Associates, Inc. All other trademarks are property of their respective owners.