Programmer's Ultimate Security DeskRef

List Price: $49.95
Your Price: $32.97

Rating: 1 stars
Summary: Terse and incomplete
Review: Don't look to this book to really teach you anything about secure programming. It's merely a limited command reference for a handful of languages (oddly including Lisp but excluding Java) with very brief notes on the security implications of each. It was very strange to flip through this book and find literally NO text or introductions anywhere; I really think a few pages should have been added to give some background on each language including any general guidance with regard to security. At least an introduction to language-independent secure programming concepts should have been included at the beginning--this book basically relies on the back outside cover to clue the reader in to what it's about and why it's important.

On top of the fact that a lot of content seems to be missing, I found many of the commands covered to be extraneous, having little to no significant security relevance. In some cases the advice is vague bordering on naive--a few places in the JavaScript section say things like "always use SSL" or "when in doubt, use SSL" which really isn't a very big-picture way to look at security and risk management. In several places common vulnerabilities are mentioned but not defined or explained--sidebars would have been appropriate.

Further lowering the book's value are its large print and extremely thin, rough, cheap-feeling pages (which seems to be typical of current Syngress releases), and lack of an index. Unless you're already familiar with secure programming practices and just need a pure reference to point out selected "harmful" commands in the covered languages, I don't think this book is worth buying. There's a lot more to secure programming than what this book provides and, in fact, it may mislead developers into thinking that secure programming is merely about proper use of certain unsafe functions and methods.

Rating: 4 stars
Summary: Very good with a couple of minor caveats...
Review: If you're a typical programmer, you may be unaware of the potential security risks of certain statements in your language of choice. The new book Programmer's Ultimate Security DeskRef by James C. Foster (Syngress) can help you in that area.

Chapter List: ASP; C; C++; C#; ColdFusion; JavaScript; JScript; LISP; Perl; PHP; Python; VBA; VBScript

For as far as this book goes, it does a nice job. Each chapter for a language lists the language, and how it's used (like an example program line). There's a summary of what it does, along with a short description of how it should be used. You then get into the security aspect with a section on risk (how it might be used or exploited by an attacker), impact of the risk, and a list of additional resources where you can find more information on the risk issue. Finally, if applicable, there's a cross-reference to any other language statements that might have the same issue.

The information that's contained in the book is good, to be sure. If you use any of these languages in your normal coding efforts, you'll likely discover hidden risks in your program that you didn't know existed. I would have liked to see two other features in the book, however. The first thing I would have liked is to see a more concrete example of the potential exploit. Some of the risk assessments are general in nature, and you might have a hard time trying to bridge the gap between general caution and actual usage. And second, it seems like there could have been some additional languages added to the mix. Visual Basic isn't included (although it could be argued that VBA is close enough). Java seems to be an obvious exclusion, and it would have been much more valuable to me with that language included. And if you included ASP, you could have just as easily included JSP along with it.

Even with those omissions or caveats, it's still a valuable addition to a programmer's bookshelf.

Rating: 4 stars
Summary: why no Java?
Review: This book takes a neat approach to computer security issues. The authors consider a set of languages, like C, C++ and C#. For each, they provide a list of functions and explain how these might be compromised by an attacker writing code that calls them. Often, the attacker might tweak the input arguments in such a way as to have a buffer overflow. Or, she might call a function with perfectly OK arguments. But she could use the answer to deduce important information. For example, in C, the realpath function could return data that identifies the operating system and even user and security information.

The only question I have is the omission of anything on Java. The chapters on JavaScript and JScript don't count, by the way. The book has a chapter on Lisp functions. Yet Lisp is used far, far less than Java. There appears to be no explanation in the text for this omission. Now, I'm a Java programmer. I would really want to know which of its classes and methods are weak. If none are, that would be great. But the authors never explain, either way.


© 2004, ReviewFocus or its affiliates