Advance Praise for Building Secure Software

“John and Gary offer a refreshing perspective on computer security. Do it right the first time and you won’t have to fix it later. A radical concept in today’s shovelware world! In an industry where major software vendors confuse beta testing with product release, this book is a voice of sanity. A must-read!”

—Marcus J. Ranum, Chief Technology Officer,
NFR Security, Inc. and author of Web Security Sourcebook

“System developers: Defend thy systems by studying this book, and cyberspace will be a better place.”

—Fred Schneider, Professor of Computer Science,
Cornell University and author of Trust in Cyberspace

“Time and time again security problems that we encounter come from errors in the software. The more complex the system, the harder and more expensive it is to find the problem. Following the principles laid out in Building Secure Software will become more and more important as we aim to conduct secure and reliable transactions and continue to move from the world of physical identification to the world of digital identification. This book is well written and belongs on the shelf of anybody concerned with the development of secure software.”

—Terry Stanley, Vice President, Chip Card Security,
MasterCard International

“Others try to close the door after the intruder has gotten in, but Viega and McGraw begin where all discussions on computer security should start: how to build security into the system up front. In straightforward language, they tell us how to address basic security priorities.”

—Charlie Babcock, Interactive Week

“Application security problems are one of the most significant categories of security vulnerabilities hampering e-commerce today. This book tackles complex application security problems—such as buffer overflows, race conditions, and implementing cryptography—in a manner that is straightforward and easy to understand. This is a must-have book for any application developer or security professional.”

—Paul Raines, Global Head of Information Risk Management,
Barclays Capital and Columnist, Software Magazine

“Viega and McGraw have finally written the book that the technical community has been clamoring for. This is a refreshing view of how to build secure systems from two of the world’s leading experts. Their risk management approach to security is a central theme throughout the book. Whether it’s avoiding buffer overflows in your code, or understanding component integration and interaction, this book offers readers a comprehensive, hype-free guide. The authors demonstrate that understanding and managing risks is an important component to any systems project. This well written book is a must read for anyone interested in designing, building, or managing systems.”

—Aviel D. Rubin, Ph.D., Principal Researcher, AT&T Labs
and author of White-Hat Security Arsenal
and Web Security Sourcebook

“About Time!”

—Michael Howard, Secure Windows Initiative,
Microsoft Windows XP Team

“For information security, doing it right seems to have become a lost art. This book recaptures the knowledge, wisdom, principles, and discipline necessary for developing secure systems, and also inspires similar efforts for reliability and good software engineering practice.”

—Peter G. Neumann, author of Computer Related Risks
and Moderator of RISKS digest

“John Viega and Gary McGraw have put together a tremendously useful handbook for anyone who is designing or implementing software and cares about security. In addition to explaining the concepts behind writing secure software, they’ve included lots of specific information on how to build software that can’t be subverted by attackers, including extensive explanations of buffer overruns, the plague of most software. Great pointers to useful tools (freeware and otherwise) add to the practical aspects of the book. A must-read for anyone writing software for the Internet.”

—Jeremy Epstein, Director, Product Security & Performance,
webMethods

“Security is very simple: Only run perfect software. Perfection being infeasible, one must seek practical alternatives, or face chronic security vulnerabilities. Viega and McGraw provide a superb compendium of alternatives to perfection for the practical software developer.”

—Crispin Cowan, Ph.D., Research Assistant Professor/Oregon
Graduate Institute, Co-founder/Chief Scientist, WireX

“While the rest of the world seems to deal with symptoms, few have been able to go after the cause of most security problems: the design and development cycles. People are taught insecure coding styles in most major colleges. Many people have taken their understanding of writing software for personal single user systems and thrust their designs into networked interdependent environments. This is dangerous. These frameworks quickly undermine the nation’s critical infrastructure as well as most commercial organizations, and place the individual citizen at risk. Currently most people need to be broken of their bad habits and re-taught. It is my sincere hope that books like this one will provide the attention and focus that this area deserves. After all, this area is where the cure can be embodied. Users will not always play nice with the system. Malicious attackers seldom do. Writing secure code to withstand hostile environments is the core solution.”

—mudge, Chief Scientist and EVP of R&D, @stake

“Programming is hard. Programmers are expensive. Good programmers are rare and expensive. We need all the help, all the tools, and all the discipline we can muster to make the job as easy and cheap as possible. We are not there yet, but this book should help.”

—Bill Cheswick, Author of Firewalls and Internet Security

“It’s not bad.”

Peter Gutmann, Auckland, New Zealand

From the Foreword of Building Secure Software:

“Building Secure Software is a critical tool in the understanding of secure software. Viega and McGraw have done an excellent job of laying out both the theory and practice of secure software design. Their book is useful, practical, understandable, and comprehensive. The fact that you have this book in your hands is a step in the right direction. Read it, learn from it. And then put its lessons into practice.”

Bruce Schneier, Chief Technology Officer, Counterpane
Internet Security and Author of Applied Cryptography
and Secrets and Lies
