Editorial Review:
The First Expert Guide to Static Analysis for Software Security! Creating secure code requires more than just good intentions. Programmers need to know that their code will be safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-toothed comb and uncover the kinds of errors that lead directly to security vulnerabilities. Now, there’s a complete guide to static analysis: how it works, how to integrate it into the software development processes, and how to make the most of it during security code review. Static analysis experts Brian Chess and Jacob West look at the most common types of security defects that occur today. They illustrate main points using Java and C code examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar mistakes. This book is for everyone concerned with building more secure software: developers, security engineers, analysts, and testers. Coverage includes: Why conventional bug-catching often misses security problems How static analysis can help programmers get security right The critical attributes and algorithms that make or break a static analysis tool 36 techniques for making static analysis more effective on your code More than 70 types of serious security vulnerabilities, with specific solutions Example vulnerabilities from Firefox, OpenSSH, MySpace, eTrade, Apache httpd, and many more Techniques for handling untrusted input Eliminating buffer overflows: tactical and strategic approaches Avoiding errors specific to Web applications, Web services, and Ajax Security-aware logging, debugging, and error/exception handling Creating, maintaining, and sharing secrets and confidential information Detailed tutorials that walk you through the static analysis process “We designed Java so that it could be analyzed statically. This book shows you how to apply advanced static analysis techniques to create more secure, more reliable software.” –Bill Joy, Co-founder of Sun Microsystems, co-inventor of the Java programming language “'Secure Programming with Static Analysis' is a great primer on static analysis for security-minded developers and security practitioners. Well-written, easy to read, tells you what you need to know.” –David Wagner, Associate Professor, University of California Berkeley “Software developers are the first and best line of defense for the security of their code. This book gives them the security development knowledge and the tools they need in order to eliminate vulnerabilities before they move into the final products that can be exploited.” –Howard A. Schmidt, Former White House Cyber Security Advisor BRIAN CHESS is Founder and Chief Scientist of Fortify Software, where his research focuses on practical methods for creating secure systems. He holds a Ph.D. in Computer Engineering from University of California Santa Cruz, where he studied the application of static analysis to finding security-related code defects. JACOB WEST manages Fortify Software’s Security Research Group, which is responsible for building security knowledge into Fortify’s products. He brings expertise in numerous programming languages, frameworks, and styles together with deep knowledge about how real-world systems fail. CD contains a working demonstration version of Fortify Software’s Source Code Analysis (SCA) product; extensive Java and C code samples; and the tutorial chapters from the book in PDF format. Part I: Software Security and Static Analysis 1 1 The Software Security Problem 3 2 Introduction to Static Analysis 21 3 Static Analysis as Part of the Code Review Process 47 4 Static Analysis Internals 71 Part II: Pervasive Problems 115 5 Handling Input 117 6 Buffer Overflow 175 7 Bride of Buffer Overflow 235 8 Errors and Exceptions 265 Part III: Features and Flavors 295 9 Web Applications 297 10 XML and Web Services 349 11 Privacy and Secrets 379 12 Privileged Programs 421 Part IV: Static Analysis in Practice 457 13 Source Code Analysis Exercises for Java 459 14 Source Code Analysis Exercises for C 503 Epilogue 541 References 545 Index 559
Cached date: AWS Called=true
You may also be interested in these products:
These categories may also be of interest to you:
Customer Reviews
Average Customer Rating: 
50% of developers  2008-06-28
First. Full disclosure. I am an ex-employee of Fortify Software. Second. I was a reviewer of this book. That said... I'd say the target audience for this book is 50% of developers and all the tire-kickers who don't think static analysis is possible (let alone accurate).
Why only 50% of developers? This is based upon one of my own heuristics when putting together (or working in large) development teams. i.e. 50% of the developers in the world shouldn't even be writing code, and, the world would be safer place if they weren't. Unfortunately they are. And, they need tools. And, one of those tools should be a static analysis tool focused on software security. I've only scanned a few hundred million lines of code at Fortune 500 companies over the past 5 years. And, the vast majority of that code proves to me that 50% of developers couldn't even write (compilation error free) a `Hello World' from scratch let alone find all of the cross-site scripting or buffer overflows in their own production code.
The tire-kickers are the other 50% of developers (architects, lead developers, etc). They need to try; findbugs, FxCop, splint, and the tool on the accompanying CD of this book. Some will be too smart to use a tool like the one in the accompanying CD. They won't see the value in giving their developers a tool that simply checks for the obvious. They have the policies in place that completely eliminate the possibility of the other developers `introducing vulnerabilities' into the code base and/or `checking in code that breaks the the build'. Wow! ... Other tire-kickers are not so smart. (Again, full disclosure. I'd fit into that category.) The only question that I would hope to answer from reading this book is; If I give a tool as described in this book to my dumbest developer... will they be able to produce better code. I know the answer. YOU have to read this book.
Disappointing and Lacks details  2008-02-17
If you are an architect who really serious about building security to your large-scale applications, then this book would offer only a hello world to security. All you find is a full-blownup security chapter "Part 1 and 2" for Standalone application applications beyond that nothing but google-able content. The worst is Part III discusses on web apps, XML web services security, privacy and privileged programs - poorly written and highly repetitive content. To the most disappointment, there is no chapter to show how to put-to-gether all these stuff in a real world enterprise application. I also noticed the book if has the same Java examples from the Java site. The chapter on Web services security is a joke, shows the authors lack of understanding on Web services security fundamentals. After browsing all the pages, I don't found anything that shows how to incorporate them in a working security architecture. The book also trying to promote a product, maybe this book is relevant for those use the author suggested products.
making more robust code  2007-07-29
Chess and West describe methods of building security into your coding projects. As an integral part of the development process. There are tools out there which perform the static analysis described in the text. These are far removed from the early tools, which the book correctly describes as glorified grep. (That is, they were merely fancy parsers.)
The tools are not definitive, as you are cautioned. Often, their greatest virtue can be to point out source code that should be subject to manual scrutiny. In a large code base, of hundreds of thousands of lines, this can be invaluable assistance.
A quick comparative summary of various bug and security tools is also provided in Chapter 2. Specifically, figure 2.2 is a nice qualitative summary of these tools.
Various chapters of the book deal with problems also covered elsewhere. Like finding buffer overflows. Especially with string logic. While the Web also is now a source of weaknesses in web applications that are weak in input and output validation. You have to carefully filter anything that you solicit as user input on a web page.
If your code must be secure, read this book 2007-07-11
Every software developer who has to write secure code should read this book. This book will tell you how to use static analysis tools to help you build more secure software. It's a great primer for software developers who are new to static analysis and for security practitioners who want to learn how recent advances in the field can improve their software.
I reviewed an pre-release version. It's good stuff. It's well-written, easy to read, and tells you what you need to know without getting bogged down in the details. Brian Chess and Jacob West have a great deal of experience in this area and they do a good job of conveying pragmatic information you can apply in practice to improve your software.
Glad to see this is out! 2007-07-06
I was an early technical reviewer of the manuscript and I'm thrilled to see that the book is finally in print so other people can get their hands on it.
Brian and Jacob live and breathe this stuff, and it shows. If you're a developer or manager of developers and you're coding software that may eventually be run over the internet (that's pretty much 100% of it, right?) you should read this book!
|
