Annotated Bibliography


Adams, Carlisle, and Steve Lloyd. Understanding the Public-Key Infrastructure. Indianapolis, IN: Macmillan Technical Publishing, 1999. A new and complete book on X.509 certificates and the public key infrastructure with X.509 (PKIX) standards. The authors consider this book to be the IETF standards written in English. It is much more complete than Jalal Feghhi's book, but it is a more difficult read. That said, if your work with certificates will take you beyond the basics, consider purchasing this book.

Amoroso, Edward G. Fundamentals of Computer Security Technology. Englewood Cliffs, NJ: Prentice Hall PTR, 1994. This is one of our favorite books. Amoroso has a knack for defining complex theory in a form that's useful and easy to understand. His coverage of threat trees is the best there is. He also explains some of the classic security models, such as the Bell-LaPadula disclosure, Biba integrity, and Clark-Wilson integrity models. The only drawback to this book is that it's somewhat dated.

Brown, Keith. Programming Windows Security. Reading, MA: Addison-Wesley, 2000. The best explanation of how the Windows security APIs work, written in understandable and chatty prose.

Christiansen, Tom, et al. Perl Cookbook. Sebastopol, CA: O'Reilly & Associates, 1998. If I were stranded on a desert island and could take only one Perl book with me, this would be it. It covers all aspects of Perl and how to use Perl to build real solutions.

Feghhi, Jalal, and Peter Williams. Digital Certificates: Applied Internet Security. Reading, MA: Addison-Wesley, 1999. The concepts behind digital certificates are somewhat shrouded in mystery, and this book does a great job of lifting the veil of secrecy. Quite simply, it's the best book there is on X.509 certificates and public key infrastructure (PKI).

Ford, Warwick. Computer Communications Security: Principles, Standard Protocols, and Techniques. Englewood Cliffs, NJ: Prentice Hall PTR, 1994. Covers many aspects of communications security, including cryptography, authentication, authorization, integrity, and privacy, and has the best coverage of nonrepudiation outside academic papers. It also discusses the Open Systems Interconnection (OSI) security architecture in detail.

Garfinkel, Simson, and Gene Spafford. Practical UNIX & Internet Security. 2d ed. Sebastopol, CA: O'Reilly & Associates, 1996. This is a huge book and a classic. It's also old! Although it focuses almost exclusively on security flaws and administrative issues in UNIX, its concepts can be applied to just about any operating system. It has a huge UNIX security checklist and gives a great rendering of the various Department of Defense security models as defined in the Rainbow Series of books.

Garfinkel, Simson, and Gene Spafford. Web Security & Commerce. Sebastopol, CA: O'Reilly & Associates, 1997. A thorough and very readable treatment of Web security, with understandable coverage of certificates and the use of cryptography.

Gollmann, Dieter. Computer Security. New York: Wiley, 1999. We consider this to be a more up-to-date and somewhat more pragmatic version of Amoroso's Fundamentals of Computer Security Technology. Gollmann covers security models left out by Amoroso, as well as Microsoft Windows NT, UNIX, and Web security in some detail.

Grimes, Richard. Professional DCOM Programming. Birmingham, U.K.: Wrox Press, 1997. This book delivers an understandable treatment of DCOM programming and does not leave out the security bits as so many others have done.

Howard, Michael, et al. Designing Secure Web-Based Applications for Microsoft Windows 2000. Redmond, WA: Microsoft Press, 2000. Great coverage of Web-based security specifics as well as end-to-end security requirements, and the only book that explains how delegation works in Windows 2000 and how applications can be designed and built in a secure manner.

Maguire, Steve. Writing Solid Code. Redmond, WA: Microsoft Press, 1993. Every developer should read this book. I have seen developers who already had years of experience and very strong coding habits learn new ways to write solid code. Developers who write solid code tend to introduce very few security bugs; too many security bugs are just sloppy coding errors. If you haven't read this book yet, get it. If you have read it, read it again; you'll probably learn something you missed the first time.

McClure, Stuart, and Joel Scambray. Hacking Exposed: Windows 2000. Berkeley, CA: Osborne/McGraw-Hill, 2001. While Hacking Exposed: Network Security Secrets and Solutions, Second Edition, has wide coverage of various operating systems, this book focuses exclusively on Windows 2000. If you administer a Windows 2000 network or want to understand what steps you should take to secure your Windows network, you should buy this book. If you are building applications that focus on Windows 2000, you should also buy this book because it will give you insight into where others have failed.

McClure, Stuart, Joel Scambray, and George Kurtz. Hacking Exposed: Network Security Secrets and Solutions. 2nd ed. Berkeley, CA: Osborne/McGraw-Hill, 2000. This book will make you realize how vulnerable you are to attack when you go on line, regardless of operating system! It covers security vulnerabilities in NetWare, UNIX, Windows 95, Windows 98, and Windows NT. Each vulnerability covered includes references to tools to use to perform such an attack. The book s clear purpose is to motivate administrators.

National Research Council. Trust in Cyberspace. Edited by Fred B. Schneider. Washington, D.C.: National Academy Press, 1999. This book is the result of a government security think tank assigned to analyze the U.S. telecommunications and security infrastructure and provide recommendations about making it more resilient to attack.

Online Law. Edited by Thomas J. Smedinghoff. Reading, MA: Addison-Wesley Developers Press, 1996. This book gives an insightful rundown of the legal aspects of digital certificates, the state of current law relating to their use, privacy, patents, online cash, liability, and more. This is a recommended read for anyone doing business on line or anyone considering using certificates as part of an electronic contract.

Ryan, Peter, and Steve Schneider. Modelling and Analysis of Security Protocols. London, England: Pearson Education Ltd, 2001. I love this book, as it gives first-rate coverage of security protocols using formal methods. I've long believed that formal methods can help describe security features and designs in a manner that mitigates many security problems, because the features are so well described. What makes this book different is that human beings can understand it, not just math-wonks.

Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source Code in C. 2d ed. New York: Wiley, 1996. Probably the best book there is on cryptography outside academia. Easy to read, complete, and very big, it's the one to buy if you want only one book on cryptography. It is, however, very dated; how about a third edition, Bruce? :-)

Security Protocols. Edited by Bruce Christianson, et al. Berlin: Springer, 1998. This is a wonderful set of research papers on many aspects of secure communications. It's not for the weak-hearted (the material is complex and requires a good degree of cryptographic knowledge), but it's well worth reading.

Shimomura, Tsutomu, and John Markoff. Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw, By the Man Who Did It. New York: Hyperion, 1996. This is the story of the infamous hacker Kevin Mitnick and his attacks on various computer systems at The Well, Sun Microsystems, and others. It's a much slower read than Stoll's The Cuckoo's Egg but worth reading nonetheless.

Solomon, David A., and Mark Russinovich. Inside Microsoft Windows 2000. Redmond, WA: Microsoft Press, 2000. Previous versions of this book were titled Inside Windows NT. A fundamental understanding of the operating system you develop applications for will help you build software that takes the best advantage of the services that are available. When Windows NT first shipped in 1993, this book and the SDK documentation were all I (DCL) had to help me understand this new and fascinating operating system. If you'd like to be a real hacker (an honorable title, as opposed to the nit-wits running around with attack scripts they don't understand), strive to learn everything you can about the operating system you build your applications upon.

Stallings, William. Practical Cryptography for Data Internetworks. Los Alamitos, CA: IEEE Computer Society Press, 1996. This is a gem of a book. If I were stranded on a desert island and had to choose one book on cryptography, this would be it. Composed of a series of easy-to-read papers, some from academia and some from the press, the book covers a myriad of topics, including DES, IDEA, SkipJack, RC5, key management, digital signatures, authentication principles, SNMP, Internet security standards, and much more.

Stallings, William. Cryptography and Network Security: Principles and Practice. Englewood Cliffs, NJ: Prentice Hall, 1999. Stallings does a good job of covering both the theory and practice of cryptography, but this book's redeeming feature is the inclusion of security protocols such as S/MIME, SET, SSL/TLS, IPSec, PGP, and Kerberos. It might lack the cryptographic completeness of Applied Cryptography: Protocols, Algorithms, and Source Code in C, but because of its excellent protocol coverage, this book is much more pragmatic.

Stevens, W. Richard. TCP/IP Illustrated, Volume 1: The Protocols. Reading, MA: Addison-Wesley, 1994. Provides an in-depth understanding of how IP networks really function. One of a very few books that have earned a place on top of my cluttered desk, because it is referenced so often that it never makes it to the shelves.

Stoll, Clifford. The Cuckoo's Egg. London: Pan Macmillan, 1991. Not a reference or technical book, this book tells the story of how Cliff Stoll became a security expert by default while trying to chase down hackers attacking his systems from across the globe. A hearty recommendation for this easy and exciting read.

Summers, Rita C. Secure Computing: Threats and Safeguards. New York: McGraw-Hill, 1997. A heavy read but very thorough, especially the sections about designing and building secure systems and analyzing security. Other aspects of the book include database security, encryption, and management.

Zwicky, Elizabeth, et al. Building Internet Firewalls. 2d ed. Sebastopol, CA: O'Reilly & Associates, 2000. If you really want to understand how to build a secure network and how firewalls work, this is an essential reference. If you want to build a networked application, an understanding of firewalls should be a requirement. Although Windows networks are somewhat of a second language to the authors, don't let that stop you from having this on your bookshelf.

Writing Secure Code, Second Edition
ISBN: 0735617228