Press Release: July 24, 2003
"Secure Programming Cookbook for C and C++": Security Begins with Well-Written Code
Sebastopol, CA--Over the next three years, private organizations and government agencies will spend an estimated $21 billion on network security to fight off password sniffing, spoofing, buffer overflows, denials of service, viruses, worms, and other attacks. Despite this tremendous effort, experts including John Viega, coauthor of the Secure Programming Cookbook for C and C++ (O'Reilly, US $49.95), assert that many security problems boil down to one fundamental cause: poorly written, poorly tested, and insecure code underlying applications that run the very systems everyone is trying so hard to secure.
That's not something system administrators can fix at the network level, Viega explains, but depends on programmers to write code that attackers cannot exploit. "Writing secure code is difficult, even for experts," he points out. "Unfortunately, programmers generally hold a world view that they write correct code all the time, and only occasionally do mistakes occur. In reality, mistakes are commonplace in nearly everyone's code." He points to a recent NIST study that estimates the computer industry in the United States alone spends $60 billion a year patching and customizing poorly written software.
Viega is one of the pioneers in the field of software security who wrote the first publicly available tool to help programmers find and fix security vulnerabilities in their own code. His new book, co-written by Matt Messier, takes the same practical approach to fortifying code. Rather than recite principals and guidelines, "Secure Programming Cookbook for C and C++" is a nuts-and-bolts reference that teaches by example, focusing on two of the most widely used programming languages available.
"There are already several other books out there on the topic of writing secure software," Viega explains. "Many of them are quite good, but they universally focus on the fundamentals, not code. None of them show you how to do such things as SSL-enable your applications properly, which can be surprisingly difficult."
The book shows how to eliminate common problems by providing code solutions that programmers can insert directly into their applications, along with explanations of why and how the code samples work. Viega and Messier cover a wide range of security topics, including cryptography (both symmetric and public key), random numbers, safe initialization, input validation, networking, authentication, access control, email, and anti-tampering. Altogether, there are more than 200 recipes to help programmers secure the C and C++ programs they write for both Unix (including Linux) and Windows environments.
Viega assumes that programmers who pick up "Secure Programming Cookbook for C and C++" already understand security basics, but that "strangely enough, programmers make the same mistakes over and over again," he says. "Most security problems have been seen before. It's rare to actually see a new one. We give people the tools they haven't had before, so they have a fighting chance."
For almost 40 years, O’Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed. Our unique network of experts and innovators share their knowledge and expertise through the company’s Safari training and learning platform and at O’Reilly conferences. As a SaaS learning platform, Safari delivers highly topical and comprehensive technology and business learning solutions to millions of users across enterprise, consumer, and university channels. For more information visit oreilly.com.
Return to: O'Reilly Press Room