RE: Microsoft Writing Secure Code
From: Yvan G.J. Boily (yboilyseccuris.com)
Date: Thu Dec 09 2004 - 09:46:56 CST
I have a copy of Writing Secure Code, 2nd Edition, which I picked up when the answer to a question regarding Microsoft's RNG for the
base crypto service provider was taken from the book. Someone familiar with the basic tenets of secure programming will not find
much new in here until you hit the examples and explanations of how to interact with the security functionality of the operating
system. It also includes a discussion of how some aspects of security are implemented within the .NET framework, which is fairly
important to many Windows-centric developers. Overall I found the book to be a useful resource, and I would recommend it *if you
are a Windows-oriented developer*.
If you are just interested in the secure programming aspect as opposed to the Microsoft Windows focus of this book then I would
recommend "Building Secure Software" by John Viega and Gary McGraw; I found it to have more informative material and better
explanations of the topics. This book includes examples of how to accomplish secure implementations of a selected set of scenarios,
but more importantly, it addresses the root cause of security issues, which is the lack of awareness.
If you are looking for a lightweight introduction to the topic before moving to more technical materials, "Secure Coding -
Principles & Practices" by Mark Graff and Kenneth van Wyk is a fairly reasonable read.
> -----Original Message-----
> From: Rui Covelo [mailto:rui.covelogmail.com]
> Sent: Thursday, December 09, 2004 3:58 AM
> To: secprogsecurityfocus.com
> Subject: Microsoft Writing Secure Code
> I was looking for some opinions about the book "Writing Secure Code"
> from Microsoft Press. The book is already "old" but I only got to read
> it now... well.... some of it. I searched the mailing list archive for
> "microsoft writing secure code" but didn't find anything related so I
> guess it hasn't been discussed before or I don't know how to search
> the mailing list archive correctly. If that's the case, please forgive
> I was wondering if any of you have read it and what you think about
> it. Do you find it useful or plain Microsoft propaganda (like I read
> somewhere else)?