Advance Praise for Software Security


"I have been involved with trying to solve security problems for over twenty years, starting with individual desktop systems and transitioning to network security as that became the prevalent issue. I have been an entrepreneur, executive in the industry, and am now an investor and company builder, all focused on trying to solve these important issues. What I have learned over these twenty years is that we have done an okay job at slowing down the problem, but we are no closer to solving the problem than we were when we started.

"Our twenty years of investment has been spent being reactive, trying to 'keep the bad guys out.' The idea has been to build a wall around our companies so high and so thick that no one with nefarious intentions could get in. In today's world this just does not work. We live in a wall-less economy where companies need to allow freedom of communication in and out of their enterprises. Freedom of information access and freedom of application usage are central drivers for staying competitive. In other words, the battlefield has changed. Thus the weapons and tactics we use to secure our assets must change as well.

"The only way I see the security conundrum getting solved is by confronting the problem and not the symptoms of the problem. We need to design and build security in from the beginning. No application, no operating system, no piece of middleware should ever be released that has not already been designed for security and reviewed for security vulnerabilities. Only then will we start to fight these new battles with the correct weapons and tactics that afford us the chance to win.

"I believe so fervently in these concepts that I founded a company called Fortify Software to develop, market, and sell solutions to attack and solve these issues directly. We need to get proactive not reactive, and fix the problems at the root cause.

"Gary McGraw is the father of software security. Much of what we did at Fortify was based on Gary's research. His new book should be the bible by which your company puts software security into action. You cannot afford to wait much longer."

Ted Schlein, Managing Partner, Kleiner Perkins Caufield & Byers

"McGraw is leading the charge in software security. His advice is as straightforward as it is actionable. If your business relies on software (and whose doesn't), buy this book and post it up on the lunchroom wall. Transform the way you build software with the seven software security touchpoints. Then, finally, maybe I can get some sleep."

Avi Rubin, Director of the NSF ACCURATE Center for Correct, Usable, Reliable, Auditable, and Transparent Elections; Professor, Johns Hopkins University; Coauthor of Firewalls and Internet Security

"I'm sick of software that's full of stupid security holes. If you're going to write software that I may someday run, you need to read and understand this book.

"Gary's book shows us what we already should know: It's better to build security in when you develop your software. And he shows us how, step-by-step."

Marcus J. Ranum, Inventor of the firewall; Chief Scientist, Tenable Security

"Gary McGraw's book shows how to combine development and testing to improve the quality of software. In doing so, he presents a framework that software developers, testers, and managers would do well to adopt. Dr. McGraw's knowledge and experience came through well in his earlier books, and this one continues his tradition of improving the state of the art of software security."

Matt Bishop, Professor of computer science, UC Davis; Author of Computer Security

"Methodologies for assurance and assessment are fundamental ingredients of all modern engineering practice. While the development of secure software is an engineering discipline, rigorous assurance and assessment methodologies have been missing. Gary McGraw's Software Security is a landmark contribution to this area. Readers who follow its principles will not only get things done, they will get them done right."

George Cybenko, Dorothy and Walter Gramm Professor of Engineering, Dartmouth College

"When it comes to software security, the devil is in the details. This book tackles the details."

Bruce Schneier, CTO and founder, Counterpane; Author of Beyond Fear and Secrets and Lies

"Most people don't think coherently about security. Let's face it, most people don't think about security at all most of the time, including software developers. So when something bad happens to them because a virus wipes out their disk drive, they react, and like most first reactions, putting in firewalls and antivirus products is not the most appropriate solution.

"In this book, Gary McGraw thinks coherently about software security, and shows that robust and secure software needs forethought and planning. This should not be a surprise, but it often is. More importantly, though, Gary describes how to go about this. Now we just need to make lots of software developers read it."

Greg Rose, Vice President of Product Security, Qualcomm

"With his latest book, McGraw continues to offer an insider's view of the changing demands on companies that develop software. Software quality and security, and the perception thereof, are driven by the need to research and understand the business and define the technology solutions to support those needs. Beyond the traditional emphasis on improving software quality by focusing on the development methodology and process, McGraw takes a more holistic view by concentrating on how the software components come together around the operation of systems and services. If you have any dependency on software, you should read this book."

Ron Moritz, Senior Vice President and Chief Security Strategist, Computer Associates

"According to Moore's Law, the number of transistors that can be packed into each square millimeter of a chip doubles every eighteen months. As a result, microprocessors get faster. RAM chips get bigger. These exponential improvements in hardware are fueling corresponding increases in software complexity.

"With this boon comes a curse: unintended interactions and security flaws. For almost everyone working on data security problems today, myself included, our main challenge is finding cost-effective ways to deliver the most functionality with the minimum risk. Excessive paranoia can paralyze a company or development team. At the same time, disasters are common; my company's customers have lost billions of dollars as a direct result of preventable software defects. Achieving the right balance is not easy.

"Cryptography (my area of specialty) is often hailed as a possible savior. On first blush, this seems plausible: Modern encryption algorithms offer mathematical strength that far exceeds what any attacker can today (or possibly ever) muster. Unfortunately, this is mostly an illusion: cryptographic systems are only as strong as the underlying implementations. My work designing SSL 3.0 highlights this fact all too well. Even though the protocol itself is believed to be solid, a 'lock' icon is hardly of much significance when displayed by a bug-riddled browser running on a spyware-infested computer talking to a compromised Web server. In other words, no matter what tools you use in building a system, your security will still be limited by your ability to build robust software.

"Clearly, some approaches do not work. The worst problems often arise when engineering techniques that work well for implementing features are misapplied to security. Traditional software development is an iterative cycle of writing code, then finding and correcting problems. The result is an evolutionary process that favors desirable functionality and removes the visible bugs. Unfortunately, most security flaws are invisible to conventional testing. As a result, many engineers' intuition will say that a system is sound when it is not.

"Ultimately, tackling the software security problem is easier said than done. You won't find any magic bullets (there aren't any), but this book provides one of the clearest strategies I've seen for coping with complexity."

Paul Kocher, President and Chief Scientist, Cryptography Research, Inc.

"Software security is a continual process, requiring first an understanding of the issues. To be effective, this understanding and knowledge must then be incorporated into the software development lifecycle, including design, coding, testing, and deployment. Several years ago I helped build a security analysis tool for Windows NT, called NtSpectre. We built the tool to analyze the security configuration of servers designed for an online game played for money. The game idea remained simply an idea, but our tool developed a nice cult following, and my understanding of the layers of security and their complexity grew considerably. This experience left me with one main philosophical and practical approach to software development, and software security specifically: test, neither assume nor guess.

"This book puts software security in its place, integral to your software development process. Whether you're agile, extreme, rational, or perhaps teetering at the top of a waterfall, this book will guide you in building security into your methodology. Theory and abstractions aside, Dr. McGraw concretely describes actual, and scarily common, security vulnerabilities he has encountered in the field. He goes on to show that security issues are inherently related to gaps in the development process, and expertly guides you to improvements in that process."

Erik Hatcher, Developer, eHatcher Solutions, Inc.; Coauthor of Lucene in Action

"One of the most important ways we can solve information security problems for the long term is by making security part of the 'core DNA' of software development. McGraw's book tells you how to make the 'culture of security' part of your development lifecycle."

Howard A. Schmidt, President and CEO, R & H Security Consulting LLC; Former White House cyber security advisor

Software Security: Building Security In
ISBN: 0321356705
Year: 2004
Pages: 154
Authors: Gary McGraw