19 Deadly Sins of Software SecurityProgramming Flaws and How to Fix Them

Michael Howard
David Leblanc
John Viega

McGraw-Hill / Osborne
2100 Powell Street, 10th Floor
Emeryville, California 94608
U.S.A.

To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please contact McGraw-Hill/ Osborne at the above address. For information on translations or book distributors outside the U.S.A., please see the International Contact Information page immediately following the index of this book.

19 Deadly Sins of Software Security

Copyright 2005 by The McGraw-Hill Companies. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1234567890 CUS CUS 0198765

ISBN 0-07-226085-8

Executive Editor
Jane K. Brownlow

Senior Project Editor
Jody McKenzie

Acquisitions Coordinator
Jennifer Housh

Technical Editors
David Wheeler
Alan Krassowski

Copy Editor
Lauren Kennedy

Proofreader
Susie Elkind

Indexer
Jack Lewis

Composition
Apollo Publishing Services

Cover Design
Patti Lee Series

Design
Dick Schwartz
Peter F. Hancik

This book was published with Corel Ventura Publisher.

Information has been obtained by McGraw-Hill/ Osborne from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill/ Osborne, or others, McGraw-Hill/ Osborne does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

For my incredible family. There is nothing that compares with coming home to hear a voice say, Whos home, kids ? and two small voices yell out DADDY!
Michael

For my father, who taught me the value of always learning new things and taking on new challenges.
David

For Mom. Shes responsible for my intellectual curiosity , and has always been there for me.
John

About the Authors

Michael Howard is a senior security program manager in the security engineering group at Microsoft Corp., and is coauthor of the award-winning Writing Secure Code . He is a coauthor of the Basic Training column in IEEE Security& Privacy Magazine and a coauthor of the National Cyber Security Partnership task forces Processes to Produce Secure Software document for the Department of Homeland Security. As an architect of Microsofts Security Development Lifecycle, Michael spends most of his time defining and enforcing security best practice and software development process improvements to deliver more secure software to normal humans .

David LeBlanc , Ph.D., is currently Chief Software Architect for Webroot Software. Prior to joining Webroot, he served as security architect for Microsofts Office division, was a founding member of the Trustworthy Computing initiative, and worked as a white-hat hacker in Microsofts network security group. David is also the coauthor of Writing Secure Code and Assessing Network Security, as well as numerous articles. On good days, hell be found riding the trails on his horse with his wife, Jennifer.

John Viega is the original author of the 19 deadly programming flaws that received press and media attention, and this book is based on his discoveries. He is the founder and CTO of Secure Software (www.securesoftware.com). He co- authored the first book on software security, Building Secure Software, and also co-authored Network Security and Cryptography with OpenSSL and the Secure Programming Cookbook . He is the primary author of the CLASP process for introducing security into the development lifecycle, and is responsible for several open source software security tools. John has been an adjunct professor of computer science at Virginia Tech and Senior Policy Researcher at the Cyberspace Policy Institute. John is also a well-known researcher in software security and cryptography, and works on standards for secure networking and software security.

About the Tech Editors

Alan Krassowski is a senior principal software security engineer at Symantec Corporation. He leads Symantecs Product Security team, whose mission includes helping Symantec product teams deliver secure technologies that reduce risk and build trust with customers. Over the past 20 years , Alan has worked on a wide variety of commercial software projects. Prior to joining Symantec, he has been a development director, software engineer, and consultant at many industry-leading companies including Microsoft, IBM, Tektronix, Step Technologies, Screenplay Systems, Quark, and Continental Insurance. He earned a B.S. degree in Computer Engineering at the Rochester Institute of Technology in New York.

David A. Wheeler has had many years of experience in improving software development practices for higher-risk systems, such as large and/or secure systems. He is coeditor/coauthor of the book Software Inspection: An Industry Best Practice , author of the books Ada 95: The Lovelace Tutorial and Secure Programming for Linux and Unix HOWTO , and the author of the IBM developerWorks Secure Programmer column series. He lives in Northern Virginia.

Similar products

• 

  24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them

• 

  Software Security: Building Security In

• 

  Code Complete: A Practical Handbook of Software Construction, Second Edition

Similar products