July 1, 2003
Avoid Costly Security Flaws with O'Reilly's "Secure Coding: Principles and Practices "
Sebastopol, CA--Rarely a week goes by without an announcement of a new
attack on computer systems. Viruses, worms, denials of service, and
password sniffers are attacking all types of systems--from banks to
e-commerce sites to seemingly impregnable government and military
computers--at an alarming rate.
But, according to Kenneth R. van Wyk, coauthor of the new book, Secure
Coding: Principles and Practices (O'Reilly, US $29.95), "there are
really very few classes of errors being made." Despite their many
manifestations and targets, nearly all attacks have one fundamental
cause: the code underlying these computers and networks is not secure.
"Secure software doesn't happen by accident," says van Wyk. "The vast
majority of security flaws being announced today are entirely
Writing secure code isn't easy, and there are no quick fixes to bad
code. According to Mark G. Graff, coauthor of "Secure Coding:
Principles and Practices," to build code that repels attack, software
developers must "understand where vulnerabilities come from and
counteract those tendencies with time-proven practices."
"Good programmers write good code, bad programmers write bad code, but
all programmers seem to write insecure code," says Marcus J. Ranum,
principal author of the DEC SEAL firewall, TIS Gauntlet firewall, and
Network Flight Recorder Intrusion Detection System. "Kudos to Mark and
Ken for their explanation of the reasons it's so hard to write good
secure code and what to do about it!"
"Secure Coding: Principles and Practices" makes the case that
developers must be vigilant throughout the entire code lifecycle:
Architecture: during this stage, applying security principles such as
"least privilege" will help limit even the impact of successful
attempts to subvert software.
Design: during this stage, designers must determine how programs will
behave when confronted with fatally flawed input data. The book also
offers advice about performing security retrofitting when you don't
have the source code--ways of protecting software from being exploited
even if bugs can't be fixed.
Implementation: during this stage, programmers must sanitize all
program input (the character streams representing a programs' entire
interface with its environment--not just the command lines and
environment variables that are the focus of most security analysis).
Testing: during this stage, programs must be checked using both static
code checkers and runtime testing methods--for example, the fault
injection systems now available to check for the presence of such flaws
as buffer overflow.
Operations: during this stage, patch updates must be installed in a
timely fashion. In early 2003, sites that had diligently applied
Microsoft SQL Server updates were spared the impact of the Slammer worm
that did serious damage to thousands of systems.
Trial and error can be a time consuming, costly, and embarrassing
lesson when it comes to secure code. van Wyk and Graff have managed to
pack decades of experience in secure coding into a concise and engaging
book. "We have grey hairs, and we earned 'em learning the lessons we
teach in the book," laughs Graff.
Jeremy Allison, the coauthor of Samba calls "Secure Coding": "A
wonderful book...I wish it had been available when I was writing parts
of Samba. I might not have had the last two security embarrassments to
my name." Stephen E. Hansen, Information Security officer for Google,
Inc., agrees: "I wish I had this book years ago as it has taken me
years to figure these things out for myself."
Secure Coding: Principles & Practices
By Mark G. Graff, Kenneth R. van Wyk
ISBN 0-596-00242-4, 224 pages, $29.95 US, $46.95 CA, 20.95 UK
O'Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O'Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying "faint signals" from the alpha geeks who are creating the future. An active participant in the technology community, the company has a long history of advocacy, meme-making, and evangelism.
Return to: O'Reilly Press Room
Recent Press Releases
Press Release Archive »
Media Relations - North America
Media Relations - Germany
Media Relations - Japan
Media Relations - United Kingdom
Media Relations - Conferences