TEAM Zarate Tarrani Notes From the Field

In my 5 April entry I promised to give a more in-depth review of Building Secure Software: How to Avoid Security Problems the Right Way by John Viega and Gary McGraw.

What makes this book so important is that the authors provide an analysis of the major problems with all software, and give a collection of techniques with which to address the recurring problems, such as buffer overflows, access control exposures, randomness flaws and other security-related defects. They do not attempt to provide specific solutions. Instead they raise an awareness of the common problems, discuss the underlying causes, and give a framework with which developers can use as the basis for developing secure software.

Key points of this book that I found especially useful include:

• Even treatment of commercial and open source software. I found this refreshing because there are two camps, Microsoft developers and open source advocates, each of which criticize the other. Yes, Microsoft has a bad reputation for security, but the open source faction has its own challenges, and the authors show the strengths and weaknesses of each in an objective manner.
• Surprises, such as documented cases of peer reviews that failed. I am an advocate of this technique, yet a case where a flawed, two-line piece of code that was extensively reviewed by literally thousands of reviewers and readers of a technical publication slipped by without notice for a long time.
• The ten guiding principles for software security encapsulate the essence of building secure software. This list and the discussion of each principle should be required reading for every architect, developed and QA engineer.
Chapter 1 (Introduction to Software Security) and Chapter 6 (Auditing Software) give a framework for security and a methodical approach to quality assurance. These, in my opinion, are the heart of the book.

In addition to software security from a developer's point of view, this book also addresses other areas that need to be closely examined in order to achieve a solid security posture. In particular I liked Chapter 14, which covers database security, especially the treatment of statistical attacks. If you're a DBA this alone will make the book worth buying because despite the most careful design of views and access controls you may still be vulnerable in surprising ways. The chapters on Client-side security and firewall issues are also filled with excellent information, as is Appendix A (Cryptography Basics).

The authors have imparted the sum of their extensive experience in this book. It's up to you to take that experience and apply it. The book's accompanying website adds further value.