RE: Inspecting Code for Security

From: Yvan Boily (yboilyseccuris.com)
Date: Thu Sep 23 2004 - 13:13:17 CDT


I disagree that it is UNIX-centric; I would say that it lacks a bias with
the exception being that most examples are presented in UNIX applications
simply because a UNIX programming environment lends itself to simple
examples.

The vast majority of the code examples in the buffer overflow chapter are
cross-platform or POSIX compliant. If anything the section on access
controls really illustrates a unix-centric view, but even then, the examples
used are a discussion of Access Controls and effective use as opposed to
"this is how to implement access controls". The authors make use of the
best platform available to illustrate the concept as effectively as
possible.

The book itself is an excellent discussion of security from a technical
perspective, rather than focusing on the specific examples of how to
achieve security. This is in keeping with the idea that you cannot achieve
"perfect security", but rather that security is an emergent property of
well-designed systems. You cannot address security within an application
without first investigating the underlying design and implementation flaws
which result in failures of security within an application.

In contrast, Writing Secure Code (Second Edition) {which is also on my
bookshelf} is a narrow view of security focusing briefly on security in
general and then diving into platform and language specific examples of
security. A more appropriate title for this book would have been "Writing
Secure Code for Windows". It is an excellent resource which I refer to
frequently when developing recommendations and solutions for Windows
applications; however, given that I am also required to audit code written in
C, C++, C#, PHP, Visual Basic, and Java, recommending it as a general
technical resource for someone who may have the same requirements is not
realistic.

Both books are excellent, and I would recommend either one, but only to the
correct audience; I recommend Building Secure Software to someone who wants
to learn about secure application design and implementation; I recommend
Writing Secure Code for people who want specific documentation on how to
address common security issues when writing software for the Windows
platform.

If someone wants a lightweight introduction to secure programming I
recommend "Secure Coding: Principles & Practices", and to someone who wants to
learn how to really pick apart a system and look for vulnerabilities I
recommend "The Shellcoder's Handbook".

It really is a case of recommending the correct tool for the job, and in my
opinion Building Secure Software is a far more valuable reference than Writing
Secure Code when performing code audits.

Yvan Boily

Here is complete info on the books I mentioned; each of them is a decent
read, and I have arranged them in my perceived order of complexity and depth
ranging from least complex to most complex.

"Secure Coding: Principles & Practices" - Mark G. Graff & Kenneth R. van Wyk
http://www.oreilly.com/catalog/securecdng/

"Writing Secure Code (Second Edition)" - Michael Howard and David LeBlanc
http://www.microsoft.com/mspress/books/5957.asp

"Building Secure Software" - John Viega and Gary McGraw
http://www.buildingsecuresoftware.com/

"The Shellcoder's Handbook" - Jack Koziol, David Litchfield, Dave Aitel,
Chris Anley, Sinan "noir" Eren, Neel Mehta, Riley Hassell
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764544683.html

> -----Original Message-----
> From: Aleksander P. Czarnowski [mailto:alekcavet.com.pl]
> Sent: Thursday, September 23, 2004 11:39 AM
> To: Yvan Boily
> Cc: secprogsecurityfocus.com
> Subject: RE: Inspecting Code for Security
>
> > -----Original Message-----
> > From: Yvan Boily [mailto:yboilyseccuris.com]
> > Pick up John Viega and Gary McGraw's Building Secure Software..
> While this is a great book it is very unix-centric, which might
> be an important drawback in the case of an application based on
> Microsoft technologies (on the other hand many MS
> technologies related issues had been addressed in Writing
> Secure Code). You can see it best in chapters that describe
> exploitation of buffer overflow. Nevertheless together with
> Secure Coding this is a great book.
> Just my 2 cents,
> Best Regards,
> Aleksander Czarnowski
> AVET INS
>
>