Designing Secure Software consolidates more than twenty years of experience
into a concise, elegant guide to improving the security of technology products.
Written for a wide range of software professionals, it emphasizes building
security into software design early and involving the entire team
in the process.
The book begins with a discussion of core concepts, covering trust, threats,
mitigation, secure design patterns, and cryptography. The second part,
perhaps this book’s most unique and important contribution to the field,
covers the process of designing and reviewing a software design with security
considerations in mind. The final section details the most common coding flaws
that create vulnerabilities, making copious use of code snippets written in
C and Python to illustrate implementation vulnerabilities.
You’ll learn how to:
- Identify important assets, the attack surface, and the trust boundaries
in a system
- Evaluate the effectiveness of various threat mitigation candidates
- Work with well-known mitigations and secure design patterns
- Understand and prevent vulnerabilities like XSS and CSRF, memory flaws,
and more
- Use security testing to proactively identify vulnerabilities introduced
into code
- Review a software design for security flaws effectively and without judgment
“The writing in this book is very clear and easy reading,
and the examples used are both captivating and easy to understand.
Kohnfelder does a great job of making a point that is easy to understand,
and most of the chapters could stand alone for developers just working
in that one particular area.”
(read the full review)
Running the “Reflections on Trusting Trust” Compiler
Posted on October 25, 2023
| Loren Kohnfelder
In the Afterword of my book I mention Ken Thompson’s classic “Trusting Trust” paper showing how to embed a backdoor into an OS by compiling the compiler such that the modification is invisible in source code.
[Read More]
Japanese translation is on sale
Posted on August 15, 2023
| Loren Kohnfelder
8月18日、新刊『セキュアなソフトウェアの設計と開発』を発刊
The Japanese translation of my book goes on sale this week. This is particularly rewarding for me because I lived and worked there for about ten years and speak the language well enough to read the text (but nowhere near ability write at a publishable level of quality).
[Read More]
On the Signature Reblocking Problem in Public Key Cryptosystems
Posted on May 30, 2023
| Loren Kohnfelder
In Chapter 5 of the book I write about my good fortunate meeting two of the RSA algorithm inventors at MIT, and collaborating with them.
[Read More]
Bard likes my book
Posted on May 16, 2023
| Loren Kohnfelder
I was surprised that Bard has read my book, or at least claims to have. Here’s our conversation about it, word for word: it’s a good overview.
[Read More]
Polish translation is on sale
Posted on May 5, 2023
| Loren Kohnfelder
Wspaniale jest widzieć, że ukazało się polskie tłumaczenie mojej książki o bezpieczeństwie oprogramowania. (It’s great to see that the Polish translation of my book on software security is out.
[Read More]
Epigrams in the book
Posted on January 2, 2022
| Loren Kohnfelder
I like clever sayings and wise proverbs, the shorter the better, so I wanted to work a number of them into the book.
[Read More]
Book on sale tomorrow
Posted on December 21, 2021
| Loren Kohnfelder
Finally my software security book is available for general sale tomorrow (December 21, 2021). Recent events such as the Log4j vulnerability demonstrate that our work is far from over (and the latest Microsoft security update lists 35 CVE).
[Read More]