*****19 Deadly Sins of Software Security. By Michael Howard, David LeBlanc, and John Viega; published by McGraw-Hill Osborne, www.mcgraw-hill.com (Web); 304 pages; $39.99.
If George Santayana were to recommend a security book, it would certainly be 19 Deadly Sins of Software Security. Santayana is the poet-philosopher widely known for saying, “Those who cannot remember the past are condemned to repeat it.” For far too long, software developers have been making the same mistakes in programming as if they were incapable of remembering their past errors.
Poorly written software lies behind nearly every computer security vulnerability. Amit Yoran, former director of the National Cyber Security Division of the U.S. Department of Homeland Security, is quoted as saying that “95 percent of software bugs are caused by the same 19 programming flaws.” These flaws are the so-called “deadly sins” of the title.
The book covers these 19 programming flaws, which include the most devastating types of coding and architectural errors, such as buffer overflows, format string problems, cross-site scripting, and insufficient encryption. Each flaw gets its own chapter, which features a brief introduction to the problem, sample code depicting each “sin,” ways to detect the problem during code review, a description of tools and techniques to test for the defect, and defensive measures that make it more difficult for someone to exploit the weakness.
None of the text is extraneous, as it economically addresses a wealth of the most popular platforms and languages. These include Windows, Linux, UNIX, C/C++, C#, Java, PERL, and more.
Software applications developers, irrespective of which platform or language they use to write code, should consider this book required reading. Were he a techie, Santayana might have said that those who have written insecure code in the past are condemned to continue to write insecure code in the future. Programmers need only read this book to help put an end to that vicious cycle.
Reviewer: Ben Rothke, CISSP (Certified Information Systems Professional), is a New York City-based senior security consultant with ThruPoint, Inc. He is a member of ASIS International.