Book cover art

Designing Secure Software consolidates more than twenty years of experience into a concise, elegant guide to improving the security of technology products. Written for a wide range of software professionals, it emphasizes building security into software design early and involving the entire team in the process.

The book begins with a discussion of core concepts, covering trust, threats, mitigation, secure design patterns, and cryptography. The second part, perhaps this book’s most unique and important contribution to the field, covers the process of designing and reviewing a software design with security considerations in mind. The final section details the most common coding flaws that create vulnerabilities, making copious use of code snippets written in C and Python to illustrate implementation vulnerabilities.

You’ll learn how to:

  • Identify important assets, the attack surface, and the trust boundaries in a system
  • Evaluate the effectiveness of various threat mitigation candidates
  • Work with well-known mitigations and secure design patterns
  • Understand and prevent vulnerabilities like XSS and CSRF, memory flaws, and more
  • Use security testing to proactively identify vulnerabilities introduced into code
  • Review a software design for security flaws effectively and without judgment

Contents of this companion website

Coming Soon

Awaiting the release of any book requires patience, but this year amidst numerous supply chain challenges it’s particularly uncertain. The original October target date is almost here, but I can report that the publisher hopes to have copies of the print edition for sale in early November – about a month ahead of general release now set for December 2021. [Read More]

Complete Mediation in Sci-Fi

In the book Project Hail Mary by Andy Weir, there is a short scene (on page 339) that features a very clear example of failure to implement Complete Mediation (one of the secure design patterns described in Chapter 4 of my book). [Read More]

Complete book proof review

This week I reviewed the complete book PDF, checking that previous changes were successfully made by the compositor. With luck that should be make it final. [Read More]

Custom domain for this website

It’s time to point the domain name at this website. For reference, the docs I referenced for this are noted below. [Read More]

Index review

The penultimate review for the book is the index, and I just hit Save on it. Creating the index was a surprisingly interesting as well as challenging part of writing the book, and I’m very glad to have tackled it myself. [Read More]

Sales categories adjustment

When the book appeared in the Amazon marketplace I set up an author’s page and claimed the title. I expected some sort of verification, but they just granted me the book I asked for. [Read More]

Updating Hugo

Hugo has worked well for me building this static website overall. However, it remains generally somewhat mysterious and there have been some bumps. [Read More]