Thursday, April 06, 2006

Book Review: 19 Deadly Sins of Software Security

Another review rejected by Slashdot, so I'm posting it here.


According to Amit Yoran, former director of the National Cyber Security Division, “95% of software bugs are caused by the same 19 programming flaws.” 19 Deadly Sins of Software Programming by Michael Howard, David LeBlanc, and John Viega lays out these sins in a well-written book, complete with patterns of detecting the sins during code reviews, examples of real-world problems caused by these sins, and redemption steps for fixing and avoiding these same sins.

What it covers

Yoran’s numbers may or may not be right, but this book’ excellent format and great content make it a terrific addition to a developer’s bookshelf. Each chapter is dedicated to a concise coverage of one sin. A partial list of sins covered by this book includes buffer overflows, weak password protection, improper file access, race conditions, and poor usability. Yes, poor usability is indeed a sin. As the authors quote from the Microsoft Security Response Center, “Security only works if the secure way also happens to be the easy way.”

Each sin has an overview and explanation of the sin, a list of languages and/or platforms vulnerable to the sin, sample code defects, and measures one can take for additional defense. Real-world examples of sins are given (My morning would have been just fine without having to read about Paris Hilton’s cell phone hijacking in the password chapter), plus comprehensive lists of other resources to look at when dealing with the sin.

What I find particularly useful are the sections on typical patterns to look for when searching out sinful code, methods of testing to identify the sin, and suggestions for items to look at during code reviews.

Many languages and platforms are covered in this book. There are snippets and discussion of C/C++, C#, Java, Perl, Python, Visual Basic, and PHP. Windows, Mac, and Unix operating systems are discussed at various points, as are Apache and IIS.

What it doesn't cover

The book’s concise, cookbook-like format is a great strength, but it’s also a weakness if you’re expecting details on exactly how to solve a particular issue. The book expects you to be deeply familiar with the technology and methodology being discussed for any sin, so don’t expect this book to be one-stop-shopping for immediately improving your security skills.

I also found that some examples weren’t explained quite well enough. The Sinful ASP.NET Forms section in Sin 7’s Cross-Site Scripting is one example of where additional information would have been a great help.

That said, each sin has a great list of additional resources, plus there’s generally enough detail to point readers to additional, specific information for actual implementation. Developers with a bit of initiative will move on to these references to flesh out the details for their specific implementation.

Who it's for

Tech leads and mid-level developers should all find this book exceedingly useful and educational. If your company/group/entity has technical staff dedicated to security issues, then they’ll be happy to get a copy of this book as well.

Who it's not for

Folks expecting this book to be an end-all solution for implementation-specific answers will be disappointed – but only if they don’t follow up on the resources lists. Folks looking for a detailed tutorial on security matters may also be disappointed.

I’d say this book, by itself, isn’t really helpful for entry-level developers, simply because the material’s fairly deep. However, along that line the book could be an excellent guide for in-house training and mentoring sessions to bring those basic developers up to speed on these critical issues.


Structurally, the book’s very well put together. A very good Table of Contents coupled with an excellent, comprehensive index makes it easy to quickly find specifics on an issue you’re researching. Two appendices add great value as well. Appendix A maps all the sins to the Open Web Application Security Project’s Top 10 vulnerabilities. Appendix B is a great summary of the do’s and don’ts for each sin.

Additionally, the Introduction’s “What You Should Read” section breaks out the minimum one should read depending on their scenario. Everyone should read the sins on error handling, secure data storage, and information leakage; C/C++ developers should read on buffer overflows, format string issues, and integer overflows; and so forth.

19 Deadly Sins really is an important book to add to your shelf. It’s clear, it’s concise, and its format makes it a great reference for quickly finding pertinent information about the most troubling security bugs in software.

No comments:

Subscribe (RSS)

The Leadership Journey