Building Secure Software: How to Avoid Security Problems the Right Way
Authors: John Viega & Gary McGraw
Available for download is chapter 1 entitled “Introduction to Software Security”.
Why secure software?
Well, another fine day in the office, the sun is shining outside, work is kinda slow. You’re sitting comfortably in your chair, browsing the web in search for the latest model of the So-And-So portable DVD/MP3 player when suddenly all hell brakes loose! The phone starts ringing madly, all lines at once. Something has happened. You pick up the phone just to hear the voice filled with panic and rage “Somebody has hacked its way into the credit card database and stolen all our customers info!”. Damn, and the day started so nicely. Time for damage control, but it’s too late, you try to patch and fix the hole, track down the thief with the help of all extensive logs you’ve so cleverly set but the customers trust is gone. Your company’s e-business record plummets like a flock of birds from the sky. All that expensive firewall equipment, all those cheeky consultants poking around the network you tried so hard to set up, not to mention that multifigure amount of money invested into ‘safe’ software, for nothing. Because nothing could prevent the little bugger from exploiting a simple buffer overflow in the v5.0 of the VerySecureTrusted Database(c) by STTIH Inc. (that’s So Trustworthy That It Hurts, for all you out there). Sounds familiar? Sure, these things happen on a daily basis. Why? Unsafely designed software. That is actually the root of all evil around these days. There is no encryption, authentication or any other possible security precaution step you can take in advance if you don’t look at the base of the problem. Software written and designed in a unsafe manner. Now, creating software can be a hard and a demanding task, and it would be wrong and unfair just to point fingers at any guilty party for any software related incident. No. What can be done instead, I hear you asking? Well, for starters, the following book might give you some clues and answers.
The book with the answers
Building Secure Software is written by two distinguished authors, namely John Viega and Gary McGraw. J. Viega is the CTO of Secure Software Solutions, and a noted expert in that same field. G. McGraw is Cigital’s Vice President of Corporate Technology and an author of over sixty technical publications. They have provided for us a book filled with information regarding creating secure software, covering a fairly large array of topics, coupled with code examples. It is a hard-cover book, printed on recycled paper, that comes from the Addison Wesley series for professional computing. There, enough non-content specific info, lets get to the gory details to see what’s it made of…
The book itself is nicely organized into 16 chapters and one appendix. You can clearly see the authors intention to create a book with two distinctive parts, one in charge of bringing the reader up to speed with security, some security issues and integrating it into the product, from a more theoretical point of view. This part of the book is focused on the development of the software and clearly points the right directions to follow, including making the right tradeoffs between secure and usable software, and all benefits and drawbacks. It also discusses some issues regarding open source and closed source software as well as their positive and negative sides. Anybody into programming or at least curios about security will find this part very useful, and filled with valuable information. Not only programmers, but also the managers and the end users will find materials very worth reading in it. It even introduces guiding principles for software security, nicely divided into 10 guidelines, covered in-depth.
The second part of the book is for more technically inclined readers, meaning programmers as such, as it includes many examples along with source code. It dwells deep into the implementation level of many techniques discussed in theory earlier. Buffer overflows and race conditions are covered with great care, along with solutions for avoiding them in the implementation of the software. You should probably know that buffer overflows are the cause of more than 50% of all security problems around these days. With this fact presented you will certainly appreciate this issue covered in depth. Not that it’s the only topic covered, you’ll also find chapters about cryptography, trust relationships, databases, and a nice appendix with all the cryptography basis to get you started.
All the code examples mentioned in the book can be found at the book’s website – buildingsecuresoftware.com. Most of the code is in C, but there are some examples in perl and other languages. Also, the code is mostly leaned towards Unix and unix-like OS’s.
Combined together, these two parts create whole, solid as a rock, guide to creating secure software. It will bring you up to speed with various security issues, and problems that come up when designing software, and try to provide solutions or clues.
Again, I just have to write an opinion, don’t I?
As I stated earlier in the review, the biggest problem around these days is unsecure and unsafe software. It’s not the malicious user, attacker, cracker hacker, script kiddie or however you want to name him or her. No, the blame is on programs that are written in a manner that allows them to be exploited and abused. Security and usability of the software have to be designed from scratch, supervised by skilled personnel, the software security experts, as the authors call them. The usual approach of patching and fixing the software on-the fly may solve some problems but sometimes it creates others. That’s why it is neccessary to change the way of how computer software is designed, developed and implemented.
This is where this book comes into the spotlight. It will serve you as a perfect guide to developing and designing software that is secure. The authors manage with great deal of success to explain how to do things right from the very beginning of development, all the way through the end. They help you focus on the right developing plans, helping you to decide what to protect and from whom. If you want to learn about developing software, this book is the first thing you’ll require. Also, it is mainly biased towards developing for Unix and Windows environments but the general principles and ideas are more than applicable to any system out there.
You’ll find this book very practical and useful, and I can only suggest reading it and most of all, implementing the knowledge inside it. If you do, it could be a dawn of the very new era in software developing, an era of secure and almost bug-free software. To paraphrase an old saying, ‘Bad software is the root of all evil…’ 🙂
A great book, and a mandatory reading material. More than two thumbs up!
Last, and definitely the least, if you want to judge a book by its covers, than look no further than this one. Truly a great cover artwork, simple and effective.