Shostack + Friends Blog Archive


Books: "Innocent Code" and "19 Deadly Sins"

I’m going to review Innocent Code (IC) and The 19 Deadly Sins of Software Security (19DS) in the same review because I think they’re very similar in important ways. There have been probably close to a dozen books now on writing code with good security properties. Many of the early ones had to lay out entire concepts which are now almost mainstream: why code is insecure, how to build processes around secure code, what an exploit is, etc., etc. This made those books long, and sometimes uneven in their quality. They were also long. They were long enough that they were read only by security enthusiasts (or people who worked at Microsoft, who were required to have a copy of LeBlanc and Howard’s Writing Secure Code).

Both IC and 19DS are shorter. Stacked together, I think they’re smaller than many of the earlier tomes. They’re both designed for programmers to read. Both are focused on patterns of exploitable flaws. IC is focused on web programming: how to do authentication, how to process requests, how to write error messages. 19DS is broader. I have nits and arguments with the technical details of each. But for a broad audience of programmers who haven’t read the earlier works, either or both of these books will be not only highly educational and eye-opening, but also short and thus likely to be read.

Those organizations which haven’t yet set up their secure coding practices could do far worse than buying both of these as holiday gifts for their developers.

Innocent Code: A Security Wake-Up Call for Web Programmers, by Sverre H. Huseby, and The 19 Deadly Sins of Software Security, by David LeBlanc, Michael Howard and John Viega.
