skip to content
Building secure software : how to avoid security problems the right way Preview this item
ClosePreview this item

Building secure software : how to avoid security problems the right way

Author: John Viega; Gary McGraw
Publisher: Boston : Addison-Wesley, ©2002.
Series: Addison-Wesley professional computing series.
Edition/Format:   eBook : Document : EnglishView all editions and formats
"Building Secure Software cuts to the heart of computer security to help you get security right the first time. If you are serious about computer security, you need to read this book, which includes essential lessons for both security professionals who have come to realize that software is the problem, and software developers who intend to make their code behave. Written for anyone involved in software development  Read more...

(not yet rated) 0 with reviews - Be the first.

More like this

Find a copy online

Find a copy in the library

&AllPage.SpinnerRetrieving; Finding libraries that hold this item...


Additional Physical Format: Print version:
Viega, John.
Building secure software.
Boston : Addison-Wesley, ©2002
(DLC) 2001046055
Material Type: Document, Internet resource
Document Type: Internet Resource, Computer File
All Authors / Contributors: John Viega; Gary McGraw
ISBN: 9780672334092 0672334097 020172152X 9780201721522
OCLC Number: 607840440
Reproduction Notes: Electronic reproduction. [S.l.] : HathiTrust Digital Library, 2010. MiAaHDL
Description: 1 online resource (xxx, 493 pages) : illustrations.
Details: Master and use copy. Digital master created according to Benchmark for Faithful Digital Reproductions of Monographs and Serials, Version 1. Digital Library Federation, December 2002.
Contents: Foreword. Preface. Organization.Code Examples.Contacting Us.Acknowledgments. 1. Introduction to Software Security. It's All about the Software.Dealing with Widespread Security Failures.Bugtraq.CERT Advisories.RISKS Digest.Technical Trends Affecting Software Security.The 'ilities.What Is Security?.Isn't That Just Reliability?Penetrate and Patch Is Bad.On Art and Engineering.Security Goals.Prevention.Traceability and Auditing.Monitoring.Privacy and Confidentiality.Multilevel Security.Anonymity.Authentication.Integrity.Know Your Enemy: Common Software Security Pitfalls.Software Project Goals.Conclusion.2. Managing Software Security Risk. An Overview of Software Risk Management for Security.The Role of Security Personnel.Software Security Personnel in the Life Cycle.Deriving Requirements.Risk Assessment.Design for Security.Implementation.Security Testing.A Dose of Reality.Getting People to Think about Security.Software Risk Management in Practice.When Development Goes Astray.When Security Analysis Goes Astray.The Common Criteria.Conclusion.3. Selecting Technologies. Choosing a Language.Choosing a Distributed Object Platform.CORBA.DCOM.EJB and RMI.Choosing an Operating System.Authentication Technologies.Host-Based Authentication.Physical Tokens.Biometric Authentication.Cryptographic Authentication.Defense in Depth and Authentication.Conclusion.4. On Open Source and Closed Source. Security by Obscurity.Reverse Engineering.Code Obfuscation.Security for Shrink-Wrapped Software.Security by Obscurity Is No Panacea.The Flip Side: Open-Source Software.Is the "Many-Eyeballs Phenomenon<170) Real?Why Vulnerability Detection Is Hard.Other Worries.On Publishing Cryptographic Algorithms.Two More Open-Source Fallacies.The Microsoft Fallacy.The Java Fallacy.An Example: GNU Mailman Security.More Evidence: Trojan Horses.To Open Source or Not to Open Source.Another Security Lesson from Buffer Overflows.Beating the Drum.Conclusion.5. Guiding Principles for Software Security. Principle 1: Secure the Weakest Link.Principle 2: Practice Defense in Depth.Principle 3: Fail Securely.Principle 4: Follow the Principle of Least Privilege.Principle 5: Compartmentalize.Principle 6: Keep It Simple.Principle 7: Promote Privacy.Principle 8: Remember That Hiding Secrets Is Hard.Principle 9: Be Reluctant to Trust.Principle 10: Use Your Community Resources.Conclusion.6. Auditing Software. Architectural Security Analysis.Attack Trees.Reporting Analysis Findings.Implementation Security Analysis.Auditing Source Code.Source-level Security Auditing Tools.Using RATS in an Analysis.The Effectiveness of Security Scanning of Software.Conclusion.7. Buffer Overflows. What Is a Buffer Overflow?Why Are Buffer Overflows a Security Problem?Defending against Buffer Overflow.Major Gotchas.Internal Buffer Overflows.More Input Overflows.Other Risks.Tools That Can Help.Smashing Heaps and Stacks.Heap Overflows.Stack Overflows.Decoding the Stack.To Infinity and Beyond!Attack Code.A UNIX Exploit.What About Windows?Conclusion.8. Access Control. The UNIX Access Control Model.How UNIX Permissions Work.Modifying File Attributes.Modifying Ownership.The umask.The Programmatic Interface.Setuid Programming.Access Control in Windows NT.Compartmentalization.Fine-Grained Privileges.Conclusion.9. Race Conditions. What Is a Race Condition?Time-of-Check, Time-of-Use.Broken passwd.Avoiding TOCTOU Problems.Secure File Access.Temporary Files.File Locking.Other Race Conditions.Conclusion.10. Randomness and Determinism. Pseudo-random Number Generators.Examples of PRNGs.The Blum-Blum-Shub PRNG.The Tiny PRNG.Attacks Against PRNGs.How to Cheat in On-line Gambling.Statistical Tests on PRNGs.Entropy Gathering and Estimation.Hardware Solutions.Software Solutions.Poor Entropy Collection: How to Read "Secret" Netscape Messages.Handling Entropy.Practical Sources of Randomness.Tiny.Random Numbers for Windows.Random Numbers for Linux.Random Numbers in Java.Conclusion.11. Applying Cryptography. General Recommendations.Developers Are Not Cryptographers.Data Integrity.Export Laws.Common Cryptographic Libraries.Cryptlib.OpenSSL.Crypto++.BSAFE.Cryptix.Programming with Cryptography.Encryption.Hashing.Public Key Encryption.Threading.Cookie Encryption.More Uses for Cryptographic Hashes.SSL and TLS (Transport Layer Security.Stunnel.One-Time Pads.Conclusion.12. Trust Management and Input Validation. A Few Words on Trust.Examples of Misplaced Trust.Trust Is Transitive.Protection from Hostile Callers.Invoking Other Programs Safely.Problems from the Web.Client-side Security.Perl Problems.Format String Attacks.Automatically Detecting Input Problems.Conclusion.13. Password Authentication. Password Storage.Adding Users to a Password Database.Password Authentication.Password Selection.More Advice.Throwing Dice.Passphrases.Application-Selected Passwords.One-Time Passwords.Conclusion.14. Database Security. The Basics.Access Control.Using Views for Access Control.Field Protection.Security against Statistical Attacks.Conclusion.15. Client-side Security. Copy Protection Schemes.License Files.Thwarting the Casual Pirate.Other License Features.Other Copy Protection Schemes.Authenticating Untrusted Clients.Tamperproofing.Antidebugger Measures.Checksums.Responding to Misuse.Decoys.Code Obfuscation.Basic Obfuscation Techniques.Encrypting Program Parts.Conclusion.16. Through the Firewall. Basic Strategies.Client Proxies.Server Proxies.SOCKS.Peer to Peer.Conclusions.Appendix A. Cryptography Basics. The Ultimate Goals of Cryptography.Attacks on Cryptography.Types of Cryptography.Symmetric Cryptography.Types of Symmetric Algorithms.Security of Symmetric Algorithms.Public Key Cryptography.Cryptographic Hashing Algorithms.Other Attacks on Cryptographic Hashes.What's a Good Hash Algorithm to Use?Digital Signatures.Conclusions.References. Index.
Series Title: Addison-Wesley professional computing series.
Responsibility: John Viega, Gary McGraw.


Shows you how to avoid security problems the right way.  Read more...


User-contributed reviews
Retrieving GoodReads reviews...
Retrieving DOGObooks reviews...


Be the first.
Confirm this request

You may have already requested this item. Please select Ok if you would like to proceed with this request anyway.

Linked Data

Primary Entity

<> # Building secure software : how to avoid security problems the right way
    a schema:MediaObject, schema:Book, schema:CreativeWork ;
    library:oclcnum "607840440" ;
    library:placeOfPublication <> ;
    library:placeOfPublication <> ; # Boston
    schema:about <> ; # Computer software--Development
    schema:about <> ; # Segurança de computadores
    schema:about <> ; # System design
    schema:about <> ; # Computer security
    schema:about <> ; # Computer software--Development
    schema:about <> ; # Computer software--Development
    schema:about <> ;
    schema:about <> ; # Gestão da segurança em sistemas computacionais
    schema:about <> ; # Segurança de software
    schema:bookFormat schema:EBook ;
    schema:contributor <> ; # Gary McGraw
    schema:copyrightYear "2002" ;
    schema:creator <> ; # John Viega
    schema:datePublished "2002" ;
    schema:description ""Building Secure Software cuts to the heart of computer security to help you get security right the first time. If you are serious about computer security, you need to read this book, which includes essential lessons for both security professionals who have come to realize that software is the problem, and software developers who intend to make their code behave. Written for anyone involved in software development and use--from managers to coders--this book is your first step toward building more secure software. Building Secure Software provides expert perspectives and techniques to help you ensure the security of essential software. If you consider threats and vulnerabilities early in the development cycle you can build security into your system. With this book you will learn how to determine an acceptable level of risk, develop security tests, and plug security holes before software is even shipped"--Resource description page."@en ;
    schema:exampleOfWork <> ;
    schema:inLanguage "en" ;
    schema:isPartOf <> ; # Addison-Wesley professional computing series.
    schema:isSimilarTo <> ;
    schema:name "Building secure software : how to avoid security problems the right way"@en ;
    schema:productID "607840440" ;
    schema:publication <> ;
    schema:publisher <> ; # Addison-Wesley
    schema:url <> ;
    schema:url <> ;
    schema:url <> ;
    schema:url <> ;
    schema:url <> ;
    schema:url <> ;
    schema:workExample <> ;
    schema:workExample <> ;
    wdrs:describedby <> ;

Related Entities

<> # Boston
    a schema:Place ;
    schema:name "Boston" ;

<> # Addison-Wesley
    a bgn:Agent ;
    schema:name "Addison-Wesley" ;

<> # Addison-Wesley professional computing series.
    a bgn:PublicationSeries ;
    schema:hasPart <> ; # Building secure software : how to avoid security problems the right way
    schema:name "Addison-Wesley professional computing series." ;
    schema:name "Addison-Wesley professional computing series" ;

<> # Computer software--Development
    a schema:Intangible ;
    schema:name "Computer software--Development"@en ;

<> # Gestão da segurança em sistemas computacionais
    a schema:Intangible ;
    schema:name "Gestão da segurança em sistemas computacionais"@en ;

<> # Segurança de computadores
    a schema:Intangible ;
    schema:name "Segurança de computadores"@en ;

<> # Segurança de software
    a schema:Intangible ;
    schema:name "Segurança de software"@en ;

<> # Computer software--Development
    a schema:Intangible ;
    schema:name "Computer software--Development"@en ;

<> # System design
    a schema:Intangible ;
    schema:name "System design"@en ;

<> # Computer security
    a schema:Intangible ;
    schema:name "Computer security"@en ;

<> # Computer software--Development
    a schema:Intangible ;
    schema:name "Computer software--Development"@en ;

<> # John Viega
    a schema:Person ;
    schema:familyName "Viega" ;
    schema:givenName "John" ;
    schema:name "John Viega" ;

<> # Gary McGraw
    a schema:Person ;
    schema:birthDate "1966" ;
    schema:familyName "McGraw" ;
    schema:givenName "Gary" ;
    schema:name "Gary McGraw" ;

    a schema:ProductModel ;
    schema:isbn "020172152X" ;
    schema:isbn "9780201721522" ;

    a schema:ProductModel ;
    schema:isbn "0672334097" ;
    schema:isbn "9780672334092" ;

    a schema:CreativeWork ;
    rdfs:label "Building secure software." ;
    schema:description "Print version:" ;
    schema:isSimilarTo <> ; # Building secure software : how to avoid security problems the right way

Content-negotiable representations

Close Window

Please sign in to WorldCat 

Don't have an account? You can easily create a free account.