Foreword

Computer theory is based on the premise of deterministic machines. We commonly expect computers to behave in ways we have instructed them to. In reality, we rely on software to be a proxy for our intentions. Modern general-purpose computers and their software have become so complex that there are usually layers upon layers of software in between our mouse clicks and the result we expect to see. To harness the power of our computer platforms, we're dependent on the correctness of all those layers that live in between our intentions and the bare metal.

Anywhere in those layers of software there can be bugs, where the software does not do what its authors intended, or at least not what the computer's operator wants done. These bugs introduce a certain amount of non-determinism into our systems, often with significant security implications. These flaws manifest themselves from something as simple as a crasher that can be used in a denial of service attack, or a buffer overflow that lets bad guys run whatever code they want in place of that application's code.

As long as we have nondeterminism in our software systems due to bugs, our best concepts on how to protect our systems can only be considered best guesses. We can throw up firewalls, put in place OS-level technologies to try and thwart buffer overflows, and generally keep applying Band-Aids, but we're not going to change the fundamental security paradigm this way. Only by improving the quality of our software and reducing the number of flaws can we hope to be successful in our security efforts.

Eliminating all security risks in our software is not a realistic goal in today's development environments. There are so many aspects of software development that can go wrong from a security standpoint that it's more than a full-time job just to stay aware of everything, never mind master it all.

If we're going to make progress in the fight against security flaws, we need to make it easier for development organizations to address security problems in their software, while respecting their real-world constraints. There are several great books on software security, including several from the authors of this book; but I think it's important to cut through all the complexity, and provide development teams with a small set of critical concepts to keep in mind to improve their software with little effort. The idea is to address most of the common problems with a minimum level of effort rather than strive for a perfect and unrealistic investment in improved security.

While I was at the Department of Homeland Security, I asked John Viega to put together this list of 19 programming sins. The original list was an awareness tool, meant to expose the corporate world to the kinds of things that are most likely to be security flaws, but it wasn't prescriptive. This book is prescriptive. It provides the simple list of those security issues that are most important for development organizations to protect against, and also the information you need in order to avoid the problems in the first place. It also shows you how to find those problems, either with code review or through software testing. The techniques and methods are no-nonsense and to the point, and the authors provide simple checklists of dos and don'ts. The authors have done a tremendous job building a simple, stand-alone work that addresses the most common security problems plaguing our software today. I hope the software development community takes this book and uses it to get rid of a lot of the nondeterminism and security risks that linger in the software we all use every day.

Amit Yoran
Former Director of the Department of Homeland Security's National Cyber Security Division
Great Falls, Virginia
May 21, 2005

Acknowledgments

This book is an indirect byproduct of Amit Yoran's vision. We thank him for doing what he could to raise awareness of software security while he was at the Department of Homeland Security (and since). We would like to acknowledge the following security professionals for their diligence reviewing draft chapters, and for their wisdom and often brutally honest comments: David Raphael, Mark Curphy, Rudolph Arauj, Alan Krassowski, David Wheeler, and Bill Hilf. Also, this book would not have been possible without the dogged persistence of the folks at McGraw-Hill. A big thanks to J3: Jane Brownlow, Jennifer Housh, and Jody McKenzie.



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them