A.1 Books

Anderson, Ross. Security Engineering . New York, NY: John Wiley & Sons, 2001. ISBN 0-471-38922-6. A stunning achievement by a great engineer. Highly readable. Only a few chapters are directly relevant to secure coding, but we recommend the entire volume for its surprising insights.

Bentley, Jon. Programming Pearls, Second Edition . Reading, MA: Addison-Wesley Longman, 2000. ISBN 0-201-65788-0. Justifiably famous collection of sound programming practices and tips.

Brooks, Frederick P. The Mythical Man-Month: Essays on Software Engineering, Anniversary Edition . New York, NY: Addison-Wesley, 1995. ISBN 0201835959. Classic work on the practice and business of software development and the management of projects.

Garfinkel, Simson, Gene Spafford, and Alan Schwartz. Practical Unix & Internet Security, 3rd Edition . Sebastopol, CA: O'Reilly & Associates, Inc., 2003. ISBN 1-56592-323-4. Comprehensive, a true tour-de-force. Chapter 16, "Writing Secure SUID and Network Programs," was a lightning bolt when first published and remains indispensable today.

Gong, Li. Inside Java 2 Platform Security . Reading, MA: Addison Wesley Longman, 1999. ISBN 0-201-31000-7. Worth reading simply for Dr. Gong's description of the Java jail, of which he was the principal designer.

Howard, Michael. Designing Secure Web-Based Applications for Microsoft Windows 2000 . Redmond, Washington: Microsoft Press, 2000. ISBN 0-7356-0995-0. Excellent example of platform-specific advice.

Kernighan, Brian W., and P. J. Plauger. Elements of Programming Style . Computing McGraw-Hill, 1988. ISBN 0-07-034207-5. A quiet book with good examples of a sparse and sensible style not often seen today.

Kernighan, Brian W., and Dennis M. Ritchie. The C Programming Language 2nd Edition . Englewood Cliffs, NJ: Prentice-Hall, 1988. ISBN 0-13-110362-8. An indispensable guide to the language.

Maguire, Steve. Writing Solid Code: Microsoft's Techniques for Developing Bug-Free C Programs . Redmond, Washington: Microsoft Press, 1993. ISBN 1-55615-551-4. Every software engineer working in C should read this book.

McConnell, Steve. Code Complete: A Practical Handbook of Software Construction . Redmond, Washington: Microsoft Press, 1993. ISBN 1-55615-484-4. A true classic. We could have quoted it several more times. Please read this book.

McGraw, Gary, and Edward W. Felten. Securing Java: Getting Down to Business with Mobile Code, 2nd Edition . New York, NY: John Wiley & Sons, 1999. ISBN 047131952X. A thoughtful treatment of a technical subject. See the book's web site at http://www.securingjava.com.

Northcutt, Stephen and Judy Novak. Network Intrusion Detection, 3rd Edition . New York, NY: Que Publishing, 2002. ISBN 0735712654. A good introduction, well written with a great deal of technical detail.

Perrow, Charles. Normal Accidents . New York, NY: Princeton University Press, 1999. ISBN 0691004129. An entertaining yet analytical review of various large-scale twentieth-century accidents. Makes a useful distinction between "accidents" and "incidents," and explains Normal Accident Theory.

Reason, James. Human Error . New York: Cambridge University Press, 1990. ISBN 052131494. An analysis of the reasons people (and especially engineers ) make mistakes.

Sheinwold, Alfred. Five Weeks to Winning Bridge, Reissue Edition . New York, NY: Pocket Books, 1996. ISBN 0671687700. At the beginning of this book we quote Mr. Sheinwold about learning from the mistakes of others. He took his own advice. One can therefore learn quite a bit from his successes, too.

Viega, John and Gary McGraw. Building Secure Software . Indianapolis, IN: Pearson/Addison-Wesley, 2002. ISBN 020172152X. A good general guide about how to code secure software, and the pitfalls of haphazard coding and deployment.

Voas, Jeffrey and Gary McGraw. Software Fault Injection: Innoculating Programs Against Errors . New York, NY: John Wiley & Sons, 1997. ISBN 0-471-18381-4. The standard text on this increasingly popular technique for application testing.

Weinberg, Gerald. Psychology of Computer Programming, Silver Anniversary Edition . New York, NY: Dorset House, 1998. ISBN 0932633420. The first book to explore the implications of using human beings to write programs. Indispensable to thinking about the causes of software vulnerabilities.