[ Pobierz całość w formacie PDF ]
REVIEWS FOR 24 DEADLY SINS OF SOFTWARE SECURITY
“We are still paying for the security sins of the past and we are doomed to failure if we don’t
learn from our history of poorly written software. From some of the most respected authors in
the industry, this hard-hitting book is a must-read for any software developer or security
zealot. Repeat after me–‘Thou shall not commit these sins!’”
—George Kurtz,
co-author of all six editions of
Hacking Exposed
and senior vice-president and general manager,
Risk and Compliance Business Unit, McAfee Security
“This little gem of a book provides advice on how to avoid 24 serious problems in your
programs—and how to check to see if they are present in others. Their presentation is simple,
straightforward, and thorough. They explain why these are sins and what can be done about
them. This is an essential book for every programmer, regardless of the language they use.
It will be a welcome addition to my bookshelf, and to my teaching material. Well done!”
—Matt Bishop,
Department of Computer Science, University of California at Davis
“The authors have demonstrated once again why they’re the ‘who’s who’ of software security.
The
24 Deadly Sins of Software Security
is a tour de force for developers, security pros, project
managers, and anyone who is a stakeholder in the development of quality, reliable, and
thoughtfully-secured code. The book graphically illustrates the most common and dangerous
mistakes in multiple languages (C++, C#, Java, Ruby, Python, Perl, PHP, and more) and
numerous known-good practices for mitigating these vulnerabilities and ‘redeeming’ past
sins. Its practical prose walks readers through spotting patterns that are predictive of sinful
code (from high-level application functions to code-level string searches), software testing
approaches, and harnesses for refining out vulnerable elements, and real-world examples
of attacks that have been implemented in the wild. The advice and recommendations are
similarly down-to-earth and written from the perspective of seasoned practitioners who have
produced hardened—and usable—software for consumption by a wide range of audiences,
from consumers to open source communities to large-scale commercial enterprises.
Get this Bible of software security today, and go and sin no more!”
—Joel Scambray,
CEO of Consciere and co-author of the
Hacking Exposed
series
This page intentionally left blank
24
DEADLY
SINS
OF
SOFTWARE
SECURITY
Programming Flaws and
How to Fix Them
Michael Howard, David LeBlanc, and John Viega
New York Chicago San Francisco Lisbon
London Madrid Mexico City Milan New Delhi
San Juan Seoul Singapore Sydney Toronto
Copyright © 2010 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of
1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval sys-
tem, without the prior written permission of the publisher.
ISBN: 978-0-07-162676-7
MHID: 0-07-162676-X
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-162675-0, MHID: 0-07-162675-1
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked
name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trade-
mark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate
training programs. To contact a representative please e-mail us at bulksales@mcgraw-hill.com.
Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of
any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work.
Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one
copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon,
transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use
the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may
be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS
TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE,
AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not
warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or
error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless
of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information
accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special,
punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised
of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause
arises in contract, tort or otherwise.
[ Pobierz całość w formacie PDF ]