References And Further Reading

General References

Writing Secure Code, 2nd Ed. by Michael Howard and David C. LeBlanc
ISBN: 0735617228

19 Deadly Sins of Software Security by Michael Howard, David LeBlanc, and John Viega
McGraw-Hill/Osborne Media, ISBN: 0072260858

Perl TAINT
http://aspn.activestate.com/ASPN/CodeDoc/Taint/Taint.html

Security Development Lifecycle (SDL) from Microsoft
http://msdn.microsoft.com/security/sdl

Windows Data Protection (covers DPAPI)
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp

Java Cryptography Extension (JCE)
http://java.sun.com/j2se/1.4.2/docs/guide/security/

Java Authentication and Authorization Service (JAAS)
http://java.sun.com/products/jaas/

ASP.NET Authorization
http://msdn2.microsoft.com/en-us/library/wce3kxhd.aspx

Threat Modeling

Threat Modeling by Frank Swiderski and Window Snyder
ISBN: 0735619913

Microsoft's Threat Modeling page
http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx

"Threat Modeling Web Applications" on Microsoft.com
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/tmwa.asp

"Cheat Sheet: Web Application Security Frame," Microsoft's categorization system for common web application vulnerabilities
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/tmwacheatsheet.asp

Risk Quantification

"DREAD is Dead" by Dana Epp
http://silverstr.ufies.org/blog/archives/000875.html

Microsoft Security Response Center Security Bulletin Severity Rating System (Revised, November 2002)
http://www.microsoft.com/technet/security/bulletin/rating.mspx

"A Complete Guide to the Common Vulnerability Scoring System (CVSS)"
http://www.first.org/cvss/cvss-guide.html

Code Review

Writing Secure Code, 2nd Ed. by Michael Howard and David C. LeBlanc
ISBN: 0735617228

"How To: Perform a Security Code Review for Managed Code" by Microsoft
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000027.asp

"Security Code Review Guidelines" by Adam Shostack (older, but still good)
http://www.homeport.org/~adam/review.html

Apache Struts Framework
http://struts.apache.org/

HTTP Response Splitting
http://www.watchfire.com/securityzone/library/whitepapers.aspx

Binary Analysis

Open Reverse Engineering Code
http://www.openrce.org

Ollydbg
http://www.ollydbg.de

Ollydbg Discussion Forum
http://community.reverse-engineering.net

IDA Pro
http://www.datarescue.com

Fuzz Testing

Spike Fuzzer
http://www.immunitysec.com/resources-freesoftware.shtml

Fuzz Testing of Application Reliability at University of Wisconsin Madison
http://www.cs.wisc.edu/~bart/fuzz/fuzz.html

"The Advantages of Block-Based Protocol Analysis for Security Testing" by David Aitel
http://www.immunitysec.com/downloads/advantages_of_block_based_analysis.pdf

The Shellcoder's Handbook: Discovering and Exploiting Security Holes by Koziol, et al.
John Wiley & Sons, ISBN 0764544683

Exploiting Software: How to Break Code by Hoglund & McGraw
Addison-Wesley, ISBN 0201786958

How to Break Software Security: Effective Techniques for Security Testing by Whittaker & Thompson
Pearson Education, ISBN 0321194330

Security Test Tools

Mercury Interactive
http://www.mercury.com/us/products/quality-center/

SPIDynamics QA inspection
http://www.spidynamics.com/

Security Development Lifecycle (SDL)

Microsoft's SDL page
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/sdl.asp

"Improving Security Across the Software Development Lifecycle," task force report
http://www.itaa.org/software/docs/SDLCPaper.pdf

"Security Considerations in the Information System Development Life Cycle" by the National Institute of Standards and Technology
http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf



Hacking Exposed Web Applications, 3rd Edition
ISBN: 0071740643
Year: 2006