REVIEW - Secure Coding - Principles and Practices


Secure Coding

Principles and Practices


Mark Graff, Kenneth R. Van Wyk



O'Reilly (2003)




Francis Glassborow


August 2003



Clearly the subject of this book is going to become increasingly important as time goes by. I am sitting here working on one computer with a second one beside me so that I can try things out and a third one hiding under my desk acting as the household's gateway to the Internet. Downstairs my wife is using her machine to look some information up. She does not have to ask me to switch on the Internet gateway; it sits their 24/7 supplying whichever of us wants access. If I want some details about a book I just use my web-browser to go out and find it. But while we are free to go out onto the Internet others have ways of getting in. Of course I have firewalls, intruder detection and virus protection software in place but like the locks on by doors and the burglar alarm that is switched on when we are out all the protection just makes things harder for the miscreant it does not provide 100% protection.

The first line of defence is that the software that runs my machines and lets me do the things I want should not be easily perverted. Ten years ago most of us just had to ensure that the software and data we loaded into our machines was OK. This is no longer the case. Quite apart from the damage that can be done to my own data there is the way that my equipment can be subverted as a tool to do damage elsewhere.

What I am saying is that security has become a major issue for all of us. A programmer who does not take the issues seriously is at best incompetent and at worst criminally stupid. We have to start taking responsibility for our work. It is not enough to try to write bug free software, if we write software that is going to run on a networked machine we have to do so in ways that make it hard to exploit. Just because neither the software nor the hardware will be used as a direct part of a high integrity system is not an excuse.

The very least you can do is to spend some time studying the principles and practices of producing secure code. This book is one of the ways that you can do this. It is not a complete solution but it is a start. The authors are well aware that the problem is far more than just a technical one. Of course companies are reluctant to spend the resources to improve their software security but that is at least in part because they do not understand the issues. Then there is the mindset of programmers who simply do not believe that their work could so easily be subverted or that anyone would be interested in doing so.

While this book is primarily aimed at the software developer, it is short enough that it should also be read by managers and clients. The managers so that they are willing to spend what is necessary to address issues of software security and the clients so that they start including realistic security requirements in their specifications. Can you imagine a builder leaving locks off the doors in a new house? Well why should our machines sit out there to be invaded by anyone with the wish to do so.

If you are involved in software development either as a producer or a consumer you need to take issues of security seriously. If you have a reasonable level of technical knowledge you should read books such as this one.Databases

Book cover image courtesy of Open Library.

Your Privacy

By clicking "Accept Non-Essential Cookies" you agree ACCU can store non-essential cookies on your device and disclose information in accordance with our Privacy Policy and Cookie Policy.

Current Setting: Non-Essential Cookies REJECTED

By clicking "Include Third Party Content" you agree ACCU can forward your IP address to third-party sites (such as YouTube) to enhance the information presented on this site, and that third-party sites may store cookies on your device.

Current Setting: Third Party Content EXCLUDED

Settings can be changed at any time from the Cookie Policy page.