Book Review - Secure Coding: Principles & Practices


Author: alt.don    Posted: Thu Dec 25, 2003 7:10 pm    Post subject: Book Review - Secure Coding: Principles & Practices
Secure Coding: Principles & Practices

Author(s): Mark G. Graff & Kenneth R. van Wyk
Publisher: O’Reilly
Book Specifications: Soft-Cover, 202 pages
Category: Programming
User Level: Intermediate/Advanced
Suggested Publisher Price: $29.95 USA/ $46.95 CAN/ £19.85 Net UK (inc of VAT)
ISBN: 0-596-00242-4

Info from Back: “Attacks on computer systems and networks occur today at an alarming rate. Worms, malevolent mail, and distributed denial of service attacks undermine systems around the globe—from banks to major e-commerce sites to critical infrastructure computers. Despite their many manifestations and targets, nearly all attacks have one fundamental cause: the code underlying these computers and networks is not secure.”


Absolutely everything we do on the web today has one thing in common. The tools we use to navigate and interact with the web have all been written in some programming language. As the authors note on the back of this wonderful book, this code is usually at fault for all the exploits we are seeing in today’s networked environment. It is through poor coding practices that fundamentally flawed code is introduced to users, usually followed not long afterwards by exploits leveraging such mistakes as unchecked buffers and other common coding mistakes.

What this book aims to do is emulate the software development process, and the methodologies used when developing new programs. Through each step of this process the authors give examples of how to code properly, and of the considerations one should factor in at each stage of development. This book is definitely aimed at the developer, and any other coder wishing to learn more about writing and deploying secure code. It is an excellent choice as well for the novice coder who wishes to program properly from the start before developing ingrained, bad habits.

Content & Overview

The authors have taken a logical approach to this book inasmuch as it models itself after the actual development process. As all developers have come to realize, there is a logical way of thinking out and then writing a program, with various steps and factors in between. It is these steps and factors that are covered, showing potential pitfalls and offering advice on how to avoid them. One of the factors affecting poorly coded programs is market forces, which are brought to bear on the programmer. It is not unheard of that a company will rush a product out to market even though it is not fully debugged. This aspect is covered in chapter one of this book. All steps of the development cycle are covered over six chapters as follows:

Chapter I. No Straight Thing
Chapter II. Architecture
Chapter III. Design
Chapter IV. Implementation
Chapter V. Operations
Chapter VI. Automation and Testing

Style and Detail

Though the book itself is short, weighing in at 202 pages, it makes very good use of the coding expertise that the authors have accumulated over the decades. Each of the above noted chapters has examples of the bad as well as examples of how it should be done. These are based on lessons learnt the hard way by the authors themselves. Some specific code snippets are shown as well to visually demonstrate the concepts being shown. There is not an abundance of screen captures or other pictures in this book, as the main intent here is to pass along a methodology. The greatest effort is expended trying to relate these concepts rather than having eye candy, as befits the topic.


Learning how to program alone is a daunting task. Becoming a programmer who can code securely may seem impossible also. A lot of difficult topics and/or concepts can be distilled into some simple words though. This book’s strength is that it does just that through mistakes the authors themselves have made, and offers expert guidance based on their many years of experience. It is impossible to show every facet of secure coding; however, the authors offer a template to follow which will aid one in doing so. It is a timely read in light of the never-ending stream of vulnerabilities out there today. I wish to reiterate though that this book is aimed at the seasoned programmer; however, I believe it would serve as an excellent guide as well to the novice coder.

This book gets an SFDC 9/10 from me


This review is copyright 2003 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.

Last edited by alt.don on Thu Dec 25, 2003 10:03 pm; edited 4 times in total
