Building Secure Software: How to Avoid Security Problems the Right Way

List Price: $54.99
Your Price: $47.47
Rating: 5 stars
Summary: Excellent, but what about Windows? Rebuttals to bad reviews.
Review: I very much enjoyed this book and found learning its content to be very worth my while. I think this book should be part of every computer science and computer engineering curriculum. I just graduated with a computer engineering degree and none of the basic security concepts covered in this book were ever mentioned in my required software classes. How can we expect developers to write secure software when they have not been taught how to?

My biggest criticism of the book is it doesn't deal enough with Windows and when it does address Windows the authors are often wrong (as is pointed out in previous reviews). But I don't think the authors are Windows experts, so they can be somewhat forgiven.

I also want to offer rebuttals to some of the negative reviews. Several reviewers gave the book few stars because it didn't cover web applications. No matter what language you write your web app in, you still will need to be aware of the concepts in this book. Your web app is not secure if it contains exploitable buffer overflows or input vulnerabilities.

A couple of reviewers also fault the book for not explaining how to set up a secure web server or securely configure Apache. These are not topics the book aims to address and have nothing to do with writing secure code.

Also read John Viega's rebuttal if you have any doubts about the book.

Rating: 5 stars
Summary: A great one-two punch with Hacking Exposed!
Review: I was especially excited to read _Building Secure Software_, and not only because I know Gary McGraw's work is top quality: I have read and written more than a few books on the topic of computer security myself, and I recognize the timeliness of this work on good software coding practices. One of the books I've written is _Hacking Exposed_, which talks about network- and system-level vulnerabilities, how to exploit them, and how to counteract such attacks. While HE focuses on tools, processes and techniques that exploit vulnerabilities in the real world, _Building Secure Software_ focuses on creating software that is much less susceptible to these sorts of attacks in the first place. They make a great one-two punch for those who want to take a proactive approach to security. Together with Hacking Exposed, Building Secure Software represents a comprehensive solution to today's security woes.

Rating: 5 stars
Summary: Read and heed and you'll build secure software
Review: If you're a code jockey or someone who expects the book to replace thinking, don't buy this book. If you're an experienced architect or have a software engineering background you'll appreciate the magnificent work John Viega and Gary McGraw have done by showing the security risks in software development and giving realistic advice about how to deal with them.

Every chapter contained information that got me thinking about the way my group develops software and what we've been overlooking, and many of the suggestions in this book have been added to our process. I've personally been influenced deeply by this book and have made it mandatory reading in our development group. For those who advise against the book I can only conclude that they either don't get it, or they don't have the experience and training to appreciate what the authors have written. That may account for why there is so much insecure software written today, because if this book is read and followed software would be greatly more secure. I want to congratulate the authors for a job well done. I highly recommend this book!

Rating: 5 stars
Summary: This is a good book.
Review: It's long past time that a book like this was written. Too much software is written without any consideration for its security, or the environment that it will be operating in. That has created a problem that is now at epidemic levels: vulnerable and insecure software. The endless cycle of patching each new vulnerability that is discovered just isn't working. What this book teaches can. This book does a good job of addressing the need for teaching software developers how to build more secure software, which is really what we all wish more software development shops would make a priority. This book should help.

So, if you are writing software or are managing people that are, you should buy this book for yourself and for anyone else that writes code for a living. Unless you want to get stuck in the downward spiral of endlessly patching your software because of yet another security vulnerability, get this book, and other books about how to write better software, and use them. It's time to start writing better code.

Rating: 5 stars
Summary: Fantastic book.
Review: It's long past time that a book like this was written! Kudos to Viega and McGraw for this desperately needed text on Software Security.

Too much software is written without any consideration for its security and that has created a problem that is now at epidemic levels: insecure software. The endless cycle of patching doesn't work, but what this book teaches does work. This book does a fantastic job of addressing the need for software developers to build secure software. A topic that is well known in the security community, but has never been adequately addressed like it is in this book. Building Secure Software will help you to develop software that will stand the test of time.

So, if you are writing software or are managing people that are, you need to buy this book for yourself and for anyone else that writes code for a living. Unless you want to get stuck in the downward spiral of endlessly patching your software because of yet *another* security hole, get this book and use it.

This book should be on every developer's, sysadmin's and manager's bookshelf.

Rating: 5 stars
Summary: An Indictment for Applications Development
Review: Many transformations begin with an indictment. Two notable examples are Martin Luther's "95 Theses" criticizing the Catholic Church, which began the Reformation, and Ralph Nader's denunciation of the auto industry with "Unsafe at Any Speed." An indictment of the software industry and its indifference to writing secure software has been published in "Building Secure Software: How to Avoid Security Problems the Right Way" by John Viega and Gary McGraw.

Twenty years into the client-server revolution, and a decade into the Internet revolution, it's a measure of inadequacy of secure coding that only now are the first books being written on how to secure software -- the very foundation of information systems.

Software developers who code without taking security into consideration are potentially as dangerous as a physician prescribing a drug without knowing its side effects. As a society, we should tolerate neither.

While security products such as firewalls, encryption devices, event monitoring and intrusion-detection systems are needed to secure networks, it must not be forgotten that behind every security problem is a common enemy -- insecurely written software.

Building secure software is not rocket science. Writing secure code doesn't mean turning every developer into a world-class cryptographer. It simply means training them in the fundamentals of how software works, including security. If corporate end users can be trained not to send inappropriate (sexist, racist, confidential, etc.) e-mail via corporate servers, then software developers can certainly be trained to write secure software programs.

The revolution needed in software development is to integrate security into software engineering. The current approach in software is to patch problems after they occur. In fact, 2003 saw the rise of many patch management companies, a sector that only came to be recently. Endless patching is a downward spiral that only serves to treat the symptoms, not the true problem, and only in a reactive manner. Had those same programmers been trained in writing secure code, many of the problems would have been obviated and billions of dollars saved in the interim.

It's all the rage to send development offshore in the name of saving money. If companies understood how much more money could be saved by building secure software from the get-go, rather than bolting security on as an afterthought, wouldn't they do the same?

It's frightening to think that in just a matter of years, everything but the food we eat will have an IP address attached to it. When the time comes that your family vacation commences with a flight on a pilot-less airplane, here's hoping the developers of the navigation and control systems knew the rudiments of writing secure software.

Rating: 1 stars
Summary: Not what I expected
Review: The book has an interesting premise. The parts of the book sometimes work, mostly don't, and in the end add up to very little. I found many errors, and felt the authors could have spent more time explaining web related topics than were covered. All in all, a big disappointment.

Rating: 3 stars
Summary: A mixed bag
Review: This book has a fair amount of worthwhile information, but it could have been packed into 90 pages or so and everyone would be better off (except the publisher and authors). The verbose repetitive writing style is more appropriate for a spoken than written presentation, but all the fluff makes it a fast read.

Although this book claims a UNIX bias, the writers have bent over backwards to give the book a commercial slant. They devote a whole chapter to refuting a claim that nobody is making, namely that open source guarantees security.

This book is a high level sugar-coated introduction to security aware software design.

Rating: 5 stars
Summary: McGraw/Viega
Review: This book is excellent! Are you getting tired of a constant flood of security holes in important software? This book, written by 2 of the industry's leading experts, is all about how to avoid making the mistakes that cause security holes. It's very timely and I highly recommend it to anyone who's coding Internet apps!

mjr.
© 2004, ReviewFocus or its affiliates