ACCU Home page ACCU Conference Page
Search Contact us ACCU at Flickr ACCU at GitHib ACCU at Google+ ACCU at Facebook ACCU at Linked-in ACCU at Twitter Skip Navigation

Search in Book Reviews

The ACCU passes on review copies of computer books to its members for them to review. The result is a large, high quality collection of book reviews by programmers, for programmers. Currently there are 1918 reviews in the database and more every month.
Search is a simple string search in either book title or book author. The full text search is a search of the text of the review.
    View all alphabetically
Secure Programming Cookbook for C and C++
John Viega and Matt Messier
Alan Lenton
advanced c++; cryptography
Appeared in:
It's a long time since I read a book that had me so enthusiastic after reading the first couple of chapters, only to be plunged into gloom later on in the book.

There are a number of serious problems with this book, although some may find it worth buying in spite of that. So what are the problems?

1. The level of understanding required to use different sections of the book varies wildly.

2. At least one of the techniques discussed is, in my opinion, highly dubious.

3. The inclusion of C++ in the title is a complete misnomer.

I'll look at these problems shortly, but first a little about the book.

The book is an attempt to provide practical advice and code on the security issues facing working programmers today. The first three chapters and the last chapter, together with parts of the networking chapter, provide an excellent look at these issues. They also provide some useful code. I suspect there won't be many C programmers who won't get something they hadn't previously considered out of these chapters.

It is obvious that the author's preference is for *nix type systems, but there is still plenty for Windows programmers. Topics covered in these chapters include initialisation, access control, input validation and error handling.

Chapters four to eleven are about cryptography and herein lies the first problem I mentioned above. There is absolutely no way that a programmer who didn't already have specialist knowledge of cryptography could make use of these chapters. At a minimum you would need to have read - and understood - something like Bruce Schneier's Applied Cryptography.

The authors are obviously really into cryptography. At one stage, in the chapter on random numbers (yes, a whole 75 page chapter on random numbers), the authors get so carried away that they discuss and develop code for statistically testing hardware random number generators!

At one level I don't really blame the authors, but what on earth were O'Reilly's editorial department thinking of to let through a book with such wildly different levels of experience needed? The weird thing is that the cryptography chapters would have made a good book in and of themselves. There's certainly enough material - over 500 pages of it.

Chapter 12 discusses anti-tamper techniques and it is here that, in my opinion, the authors stumble badly with a discussion of how to write self-modifying code. Apart from the appallingly bad programming practice that this represents, I would have thought it was just the sort of technique guaranteed to introduce bugs- including security bugs - into a program. Worse still, the technique is introduced as though it was a perfectly normal and acceptable technique, rather than something to only be used in extremis (if then).

Finally, there is the question of C++. The authors themselves concede that there is no use of C++ specific idioms, but argue that the C material is relevant. This is specious. The book does not provide C++ secure programming code, it provides C secure programming code and the title is at the very least misleading.

So, is it worth buying? Well that depends. If you are a C programmer with experience of cryptographic work, then you might well find this book useful. You should certainly consider it if you are looking for a crypto-programming cookbook. Otherwise, there simply isn't enough non-crypto material to justify the price. Either way, if you do consider buying it, make sure you go and look through it in a shop to see if it is what you need before buying.