The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Best book about writing secure code?

I am developing a web application. The application holds sensitive data, so it must be as secure as possible. Does anyone have a recommendation for a good book that covers this? I prefer a general book. The application is written in Python and will run on a Unix server. I am not interested in books about big commercial toolkits, but in books about programming techniques, pitfalls etc. I have Code Complete and The Pragmatic Programmer, I am looking for something more specific.
insecure programmer
Friday, October 22, 2004
I recommend "Exploiting Software: How to Break Code".

Seemingly 90% of exploits these days are C buffer overflows, which you won't have to worry about if you're using Python.

    Flava Flav!
Flava Flav
Friday, October 22, 2004
Basically what Flava Flav has said is the case.  You're not going to have too many security problems with your application if you develop it well.  Your biggest problem, I would think, is an exploit on your webserver allowing crackers to access your data from outside of your application.
Almost Anonymous
Friday, October 22, 2004
I recommend the book "Writing Secure Code", published by Microsoft Press:

Good luck!
Neven Zovko
Saturday, October 23, 2004
There are countless security issues to be concerned with that have nothing to do with what programming language you're using.

Think about authentication (pki versus username/password, intrusion detection and lockouts, session id hijacking), authorization (at the application, page, table, and row level), communications (man-in-the-middle, spoofing/masquerading), input (server-side validation, "hidden" doesn't mean secret, parsing malformed requests), output (don't expose your implementation)...just to start.

You might want to look for a book specifically on web application security. Good luck.

Saturday, October 23, 2004
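A worked illustration of the point made above that a "hidden" form field is not a secret. This is an added example, not code from the original thread: the server signs the value it writes into the hidden field with an HMAC under a key the browser never sees and verifies the tag when the form comes back, so an edited or spoofed value is detected rather than trusted. The key generated at start-up and the field contents are constructed for the example and are assumptions, as is the `value.tag` wire format.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption for the example: a server-side key generated at start-up.
# A real deployment loads it from configuration; it must never reach the client.
SERVER_KEY = secrets.token_bytes(32)


def sign_field(value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.tag', suitable for a hidden form field.

    The tag is HMAC-SHA256 over the value, so the client can read the value
    (it is not secret) but cannot change it without invalidating the tag.
    """
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    # URL-safe base64 uses '-' and '_', never '.', so the separator is unambiguous.
    return value + "." + base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")


def verify_field(signed: str, key: bytes = SERVER_KEY):
    """Return the original value if the tag is valid, otherwise None."""
    value, sep, _tag = signed.rpartition(".")
    if not sep:
        return None  # no tag at all: treat as tampered
    expected = sign_field(value, key)
    # Constant-time comparison: a plain '==' leaks how many leading bytes matched.
    if hmac.compare_digest(expected.encode("utf-8"), signed.encode("utf-8")):
        return value
    return None


if __name__ == "__main__":
    # Constructed sample: the server emits a hidden field carrying an item id.
    field = sign_field("item_id=42")
    print("hidden field value:", field)
    print("genuine form  ->", verify_field(field))
    tampered = "item_id=43" + field[len("item_id=42"):]
    print("edited form   ->", verify_field(tampered))
```

The value stays readable in the page source, which is the point: the protection comes from the tag, not from the field being out of sight. Anything the server must keep private (prices it has not yet decided to reveal, internal ids) should stay server-side in the session rather than be round-tripped through the form at all.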
Two good assets:

1. Applied Cryptography - While it's mostly overkill, the methods of analysis used for various attacks are a great foundation. 
2. Internet Security - Webservers have lots of similarity to traditional UNIX servers, and may fall to the same kinds of attacks.

Best of luck!

Lally Singh
Saturday, October 23, 2004
Thanks for your replies.
It is reassuring that my choice of programming language saves me a lot of potential trouble, but I am worried about exactly the things '' points out, and would be interested in a recommendation about a book that covers these topics. I did find a couple of good internet sites, but I much prefer reading a book.
Applied Cryptography sounds good too. Overkill is much better than 'underkill'.
I think I will find someone to do the server security (firewall, apache etc.), so that makes the topic a little less broad.
insecure programmer
Sunday, October 24, 2004
"There are countless security issues to be concerned with that have nothing to do with what programming language you're using."

[Anonymous] is right, and I want to add SQL injections, Cross Site Scripting and Form Spoofing to the list.

Though I do not know a book to recommend, I personally found this document quite interesting:

It deals with PHP, but the techniques explained should be the same in any web application.
Gerd Riesselmann
Sunday, October 24, 2004
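Since the original poster is writing Python, here is an added example (not from the thread or from the PHP document mentioned above) showing the first two items on that list side by side in their vulnerable and fixed forms: a SQL query built by string formatting versus a parameterized query, and a page fragment that inlines user input versus one that HTML-escapes it. The in-memory SQLite database and the user names are constructed sample data.

```python
import html
import sqlite3


def make_db():
    """Constructed sample database: two users, each with a private secret."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """SQL injection: the untrusted value becomes part of the SQL text."""
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterized query: the value is bound by the driver and never parsed as SQL."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,)
    )
    return [row[0] for row in rows]


def render_greeting_vulnerable(name):
    """Cross-site scripting: user input is written straight into the page."""
    return "<p>Hello, %s</p>" % name


def render_greeting_safe(name):
    """Escape on output so the browser shows the text instead of interpreting it."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    conn = make_db()
    # Classic tautology payload: the WHERE clause becomes always-true.
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))  # every user
    print("safe:      ", lookup_safe(conn, payload))        # nobody
    xss = "<script>alert(1)</script>"
    print("vulnerable:", render_greeting_vulnerable(xss))
    print("safe:      ", render_greeting_safe(xss))
```

The same rule applies to both cases: data crosses into another language (SQL, HTML) only through that language's quoting mechanism, never by string concatenation. Python's sqlite3 refuses to run more than one statement per `execute` call, so a `'; DROP TABLE ...` payload fails here, but the tautology above shows that a single statement is enough to leak every row.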
It might also be a good idea to let a third-party company certify your product. There are specialist companies that will test your product, go through your code and verify that it is secure. This will not make you write better code, but it will give you the opportunity to correct the application (if they find anything) and also gives you a marketing tool, "MakeUpCompany Certified" or something like that.
Imre
Monday, October 25, 2004
I am biased here, but for web apps I think there are three rules for security...

Validate, Validate, and Validate. 

What the hacker is going to try to do is get your system into a state you didn't predict by sending invalid form data and oddly formed HTTP requests.  Once your system is in an unpredicted state, you are vulnerable to attack.

You have to be prepared to reject requests that aren't properly formed.  Don't assume hackers will use your forms.  They will attempt to send HTTP requests directly to your server.

For instance, if you have a script at http://foo/a and you want to process requests that pass a parameter called bar with values between 1 and 10, reject all other requests.

The first thing the hacker is going to try is http://foo/a?bar=100000, hoping that your system will end up in a state you didn't predict and that he or she will be able to take advantage of it.  The best thing you can do is drop the connection when you detect such a request.
Christopher Baus
Monday, October 25, 2004
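The rule in the post above, carried through as an added Python example (not code from the thread): accept a request for /a only if it is a well-formed GET with exactly one parameter, bar, whose value is a plain decimal integer from 1 to 10, and drop everything else. The path /a and the parameter bar come from the post; the request-line format, the rejection of duplicate parameters and non-canonical numbers such as "07", and the "drop" result are choices made for this example and go somewhat beyond the single case the post describes.

```python
from urllib.parse import parse_qsl, urlsplit

ALLOWED_PATH = "/a"
BAR_MIN, BAR_MAX = 1, 10


class RejectRequest(Exception):
    """Any request that does not match the one shape we are willing to handle."""


def parse_bar_request(request_line: str) -> int:
    """Return bar as an int for a valid request line, or raise RejectRequest.

    Assumed input: the first line of an HTTP request, e.g. 'GET /a?bar=7 HTTP/1.1'.
    """
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise RejectRequest("malformed request line")

    url = urlsplit(parts[1])
    # Absolute URLs, other paths and fragments were not in our plan: reject them.
    if url.scheme or url.netloc or url.path != ALLOWED_PATH or url.fragment:
        raise RejectRequest("unexpected target")

    try:
        # strict_parsing rejects fields without '=', e.g. '?bar'.
        params = parse_qsl(url.query, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        raise RejectRequest("malformed query string")

    # Exactly one parameter, and it must be bar; '?bar=7&bar=8' is rejected too.
    if len(params) != 1 or params[0][0] != "bar":
        raise RejectRequest("expected exactly one parameter: bar")

    value = params[0][1]
    # Canonical decimal only: ASCII digits, no sign, no whitespace, no leading zeros.
    # (str.isdigit alone also accepts Unicode digits that int() would reject.)
    if not value.isascii() or not value.isdigit() or (len(value) > 1 and value[0] == "0"):
        raise RejectRequest("bar must be a plain decimal integer")

    n = int(value)
    if not BAR_MIN <= n <= BAR_MAX:
        raise RejectRequest("bar out of range")
    return n


def handle(request_line: str):
    """Return ('ok', bar) for an acceptable request, or ('drop', reason) otherwise."""
    try:
        return ("ok", parse_bar_request(request_line))
    except RejectRequest as exc:
        # The post's advice: don't try to recover, just drop the connection.
        return ("drop", str(exc))


if __name__ == "__main__":
    # Constructed sample request lines: one legitimate, the rest probing for surprises.
    for line in [
        "GET /a?bar=7 HTTP/1.1",
        "GET /a?bar=100000 HTTP/1.1",
        "GET /a?bar=7&bar=8 HTTP/1.1",
        "GET /a?bar=07 HTTP/1.1",
        "GET /a?bar=7&debug=1 HTTP/1.1",
        "GET http://foo/a?bar=7 HTTP/1.1",
        "GET /a?bar HTTP/1.1",
    ]:
        print("%-36s -> %s" % (line, handle(line)))
```

The validator is written as an allow-list: it describes the one request it understands and rejects by default, so a probe the author never thought of still ends up in the "drop" branch rather than in a half-handled state. Percent-encoded values are decoded by parse_qsl before the checks run, so `bar=%37` is accepted as 7, which is the intended behaviour; what is refused is anything whose decoded form is not a canonical integer in range.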

This topic is archived. No further replies will be accepted.
