Software Security: Building Security In
reviewed by Robert Pritchett
Author: Gary McGraw
Addison-Wesley Software Security Series
Booksite: http://www.swsec.com
http://www.awprofessional.com/title/0321356705
Released: January 23, 2006.
Pages: 448
$50 USD, $67 CND, £35 GBP, 44€ EUR
ISBN: 0321356705
For software programmers interested in security.
Strengths: Pools the best from the White Hat side of security, offering tools, techniques and sound principles for developing software with security up front.
Weaknesses: You will need to get the other two previous books in the series (Exploiting Software and Building Secure Software) in order to take full advantage of this one.
References: http://www.swsec.com/resources/
Software Security: Building Security In by Gary McGraw lays down some interesting criteria for looking at software security. He builds on three areas, Risk Management, Touchpoints and Knowledge, to work out how best to reduce the $45 billion expended in the worldwide network security business. The focus so far has been on treating the symptoms instead of going after the root cause: poorly created software. And the book isn’t just a thinly disguised advertising campaign for Cigital either. This is a “How-To” book. Simply put, software security is not security software, and Gary McGraw shows why.
This is the next book in the Addison-Wesley Security Series following up on previous books we’ve reviewed here by Gary McGraw in macCompanion on Exploiting Software http://www.maccompanion.com/macc/archives/may2005/Books/ExploitingSoftware.htm and Building Secure Software http://www.maccompanion.com/macc/archives/may2005/Books/BuildingSecureSoftware.htm.
I personally find Gary McGraw incredibly articulate, and he knows how to get the “build it in at the beginning” point across. I also noticed he tends to call a spade a spade, especially when it comes to development software. He doesn’t have a whole lot of good to say about the C language either and gives plenty of “for-instances”. I also enjoyed the thought processes behind the yin/yang whitehat-blackhat cover, after the research I did last month on the Ubinary logo being used by Apple.
This book comes with both a great Foreword by Dan Geer and an excellent Preface (which summarizes each chapter in the book), along with three parts consisting of thirteen chapters (how apt, if you are not superstitious) and four appendices. The appendices discuss source code analysis; ITS4 (http://www.cigital.com/its4/), a C and C++ source code security scanner; Smurfware Scanner, a hypothetical software architectural risk analysis engine; and a short glossary. Compare these to the later apps that have been developed and discussed in this book.
The thirteen chapters themselves cover the areas of vulnerability such as connectivity, extensibility and complexity (the Trinity of Trouble); definitions of what bugs, flaws and effects really are from a software standpoint (I love his definitions!); the three pillars of software security (applied risk management, security touchpoints and knowledge); the risk management framework; the seven touchpoints of software security (code, architectural risk analysis, penetration testing, risk-based security testing, abuse cases, security requirements, security operations and external analysis); enterprise-level programs; and an annotated bibliography and references for digging deeper.
The book builds on the software security touchpoints “best practices” that have been adopted by various vested interests and were first shown as a diagram in the IEEE Security & Privacy magazine in 2004; that diagram is both amplified and detailed here.
Security can’t be added on after-the-fact. It has to be “always on” from the first line of code or it will not be effective.
I like a quote that was included in the “Advanced Praise” section of the book. Paul Kocher wrote, …“Even though the protocol itself is believed to be solid, a ‘lock’ icon is hardly of much significance when displayed by a bug-riddled browser running on a spyware-infested computer talking to a compromised web server…”
Gary McGraw pools his past experiences into this Security Yin/Yang book and offers a fine focus on the finite features of the wide field of software security, instead of painting us into a corner with just application security. Treat the cause and not the symptom. There is a big mess to clean up, and anyone worth their salt can groom themselves into a software security position now. Read how.
I would highly recommend this book and perhaps make it required reading for any programmers who want to make a living in the computer industry. The solutions to software security are here. It is just a matter of taking the time to apply the carefully balanced principles discussed within the pages of this book.

