***** Software Security: Building Security In. By Gary McGraw; published by Addison-Wesley Professional, www.awprofessional.com (Web); 448 pages; $49.99.
The root cause of many security vulnerabilities is poorly written software. Often, software applications are written without security in mind. The logical, yet elusive, solution is to ensure that software developers are trained in writing secure code.
Software Security: Building Security In is a valiant attempt to show software developers how to do just that. The book is the latest step in Gary McGraw’s software security series, whose previous titles include Building Secure Software and Exploiting Software.
In past decades, writing secure code was left to the military and banking industry. Today, with everything on networks, all sectors must get into the act.
Much of the problem is that organizations target their security elsewhere—specifically on networks—rather than on software. But so many malicious attacks are directed at software that it is foolish to leave this vulnerability exposed.
McGraw goes into detail not only about writing secure code but also about key related areas, which he terms “the seven touchpoints of software security.”
These points comprise code review, architectural risk analysis, penetration testing, risk-based security tests, abuse cases, security requirements, and security operations. A major portion of the book effectively discusses these “touchpoints,” making the work a recommended tool for inculcating software developers with a security mind-set.
Reviewer: Ben Rothke, CISSP (Certified Information Systems Security Professional), is a senior security consultant with INS.