Secure Programming Cookbook for C and C++ Recipes for Cryptography, Authentication, Input Validation & More

By John Viega, Matt Messier
First Edition, July 2003
Pages: 790
ISBN 10: 0-596-00394-3 | ISBN 13: 9780596003944
Rating: 5 stars (average of 6 customer reviews)


Book description

Secure Programming Cookbook for C and C++ is an important new resource for developers serious about writing secure code for Unix® (including Linux®) and Windows® environments. This essential code companion covers a wide range of topics, including safe initialization, access control, input validation, symmetric and public key cryptography, cryptographic hashes and MACs, authentication and key exchange, PKI, random numbers, and anti-tampering.
Full Description

Password sniffing, spoofing, buffer overflows, and denial of service: these are only a few of the attacks on today's computer systems and networks. At the root of this epidemic is poorly written, poorly tested, and insecure code that puts everyone at risk. Clearly, today's developers need help figuring out how to write code that attackers won't be able to exploit. But writing such code is surprisingly difficult. Secure Programming Cookbook for C and C++ is an important new resource for developers serious about writing secure code. It contains a wealth of solutions to problems faced by those who care about the security of their applications. It covers a wide range of topics, including safe initialization, access control, input validation, symmetric and public key cryptography, cryptographic hashes and MACs, authentication and key exchange, PKI, random numbers, and anti-tampering. The rich set of code samples provided in the book's more than 200 recipes will help programmers secure the C and C++ programs they write for both Unix® (including Linux®) and Windows® environments. Readers will learn:
  • How to avoid common programming errors, such as buffer overflows, race conditions, and format string problems
  • How to properly SSL-enable applications
  • How to create secure channels for client-server communication without SSL
  • How to integrate Public Key Infrastructure (PKI) into applications
  • Best practices for using cryptography properly
  • Techniques and strategies for properly validating input to programs
  • How to launch programs securely
  • How to use file access mechanisms properly
  • Techniques for protecting applications from reverse engineering
The book's web site supplements the book by providing a place to post new recipes, including those written in additional languages like Perl, Java, and Python. Monthly prizes will reward the best recipes submitted by readers. Secure Programming Cookbook for C and C++ is destined to become an essential part of any developer's library, a code companion developers will turn to again and again as they seek to protect their systems from attackers and reduce the risks they face in today's dangerous world.





Featured customer reviews



Packed with useful information,  January 07 2007
Rating: 5 stars
Submitted by mdh

Some years later, this is still one of the best books I've ever purchased. Along with the first revision of the Camel Book, which got me well on my way to competently pumping out decent Perl code, this book really helped me get a footing with regard to writing competent encryption code using OpenSSL. Most common tasks you'll need to perform using SSL are covered, and that's only about 1/3 of the book's content. It also delves rather deeply into lower level cryptographic development as well as other security solutions for C programmers.
It goes beyond just programming, too. In terms and code examples that a competent C programmer can understand, it makes clear just what the myriad acronyms you'll run into while working with encryption code are, how they function, how they interact to create code that provides a given amount of security and trust, and most importantly how to implement them in a way that your needs are met.

If you are a C programmer, you should read and have this book around. If you write code that deals with user input, authentication, cryptographic, or network communications, it's practically a must.

I'm hoping for a second edition some time. Some coverage of code auditing tools might be interesting, that field has developed a lot over the past years since this book was released. OpenSSL has progressed a bunch, too, and some more in-depth specifics (such as web functionality, maybe even coverage of common GUI toolkits like GTK, Qt, etc) would be just wonderful, as well.
C is far from dead. I've been using C for the past 11 years, and it's still the language I use more than any other.



Good and hard core,  September 22 2006
Rating: 5 stars
Submitted by Anonymous Reader

Although the code examples are written in C, if you are a serious programmer in C/C++ or Java, the recipes in this book offer very valuable information on how to write not only secure programs, but good programs. I have seen many run-of-the-mill programs that are written without the least security concept. (How many times have you encountered a program that needs to write to a system folder for no apparent reason, thus requiring the end-user to have unnecessary elevated rights on the system folder?)


good but hard-core,  May 13 2004
Submitted by aFuqua

Now this is a hard-core book. If you are not sure that you need it, you probably don't. But if there is something in the table of contents that you've got to know, and you've got to get it right, then this would be a good book to have. I agree with the other reviewer who said that Chapter 12 on Anti-Tampering was a really enjoyable read, though a futile task.


Secure Programming Cookbook for C and C++ Review,  December 08 2003
Rating: 5 stars
Submitted by AzynchriX

Pretty good.


Secure Programming Cookbook for C and C++ Review,  August 04 2003
Rating: 5 stars
Submitted by netmask

I hadn't anticipated the heavy amount of crypto related chapters in this book. I honestly had only read about the input validation, avoiding overflows, and access control portions. It turns out it covers those areas plus a wide range of crypto related code. It goes over the fundamentals of Symmetric Crypto in great detail, from simple base64 encoding to parallelizing Encryption and decryption in arbitrary modes. All of the crypto related portions of this book are very clear. I highly recommend this book if you are doing any kind of crypto, whether it's simply encrypting a password, a file, or setting up a socket based secure communication tunnel.

The Networking chapter is a very good reference section for creating SSL clients and servers, as well as using Kerberos or securing your connections to your database. There are almost 80 pages of information related to generating random numbers and data, from using /dev/random to gathering entropy from mouse events on Win32.

The one chapter I didn't expect to see here that was quite good was Chapter 12, Anti-Tampering. This chapter goes over obfuscating your code, detecting binary modifications, disguising boolean values, etc. It even shows you how to detect SoftICE and other debuggers, which can be useful for attempting to block people from cracking your commercial software. Although, I believe all attempts end up being rather futile when someone is determined enough.

This book really is a must for anyone who is programming. If not just for the basics of protecting yourself from overflows and validating input and environment variables, then definitely for the extremely well written sections on crypto. This book has earned a permanent spot next to K&R and UNP on my desk.


Media reviews

"This is a book that's long overdue and makes for an interesting and deeply technical read on a topic that we should all care more about. Yes, it's limited to C and C++ readers, but with the majority of key applications being written in these languages that's where the biggest benefit can be had--give the sample chapter [http://www.oreilly.com/catalog/secureprgckbk/chapter/ch11.pdf] a read, and you'll soon be on your way to the book store to buy the rest of it."
Linux Format Top Stuff Award
Rating: 10/10
--Paul Hudson, "Linux Format," December 2003

"This book is jam packed with excellent examples and discussion of ways to prevent programs from doing bad, and most of the time unexpected or unplanned, things. The diligent C or C++ programmer should add this as yet another volume on the bookshelf tool chest that is next to their desk. Smart programmers will realize that having this book will only help them in the long run...As with any good resource hopefully sections that are not of interest now will become useful in the future. May the pages of your book become tattered from years of good use and good luck in your secure programming endeavors."
--Dan Weeks, San Francisco OpenBSD Users Group, September 2003
http://www.sfobug.org/reviews/SecureProgrammingCookbook.html

"This book is a great resource for quick look-up of readily available solutions...I've written a Master's thesis on this topic (although my actual topic was way more narrow than the scope of this book) and still found a lot of great information...Yeah, everyone and his brother knows how to implement a symmetric encryption algorithm, but how do you actually do it without compromising the system and introducing new possible loopholes? The cookbook answers questions like that, and, as mentioned above, provides detailed overview of programming strategies for the two most popular platforms. Taking the cookbook concept further, this book teaches you how to make a basic ham-and-cheese sandwich as well as fine cuisine. Too often the code measures for basic security and preventing buffer overflows are summarized in higher-level concepts, thus allowing the developers to make errors even with the most trivial applications. If you're a professional programmer and do not get tired by looking at sometimes profuse code examples, this book would probably be a good read from the beginning to the end." Rating: 8/10
--Alex Moskalyuk, Slashdot.org, October 2003
http://slashdot.org/article.pl?sid=03/09/30/1644222
