Designing Secure Software Blog

I like clever sayings and wise proverbs, the shorter the better, so I wanted to work a number of them into the book. There are 45 of them in there, and for the most part I think they are at least relevant if not insightful. However, I admit that a few were just so good I bent the rules to include them. I hope the add a little spice to the book, provide useful perspective, perhaps educate or even provide a chuckle to readers.

Finally my software security book is available for general sale tomorrow (December 21, 2021). Recent events such as the Log4j vulnerability demonstrate that our work is far from over (and the latest Microsoft security update lists 35 CVE).

With Log4j very much in the news, if I could update my new book by magic it would make a terrific real world example to write about because it ties together a number of topics in the book. This vulnerability stems from failure to sanitize untrusted inputs, enabling an injection attack that potentially can access arbitrary targets using authentication credentials held by the target server. All the attacker has to do is craft an attack string that manages to get logged somehow, and the widely used Apache Log4j 2 component executes whatever the attacker commands.

A wicked problem is one that is difficult to even clearly describe because of its diffuse and interconnected nature, and this is a useful lens to view software security. How are we doing overall at software security? How do you even define the standard to measure against?

At last, print copies of my book Designing Secure Software: A Guide for Developers are now in stock, but only from the publisher. (The general on-sale date is in December.)

While writing this book I curated a list of web references for sources of material or details beyond what made sense to incorporate in the text. The publisher’s house style did not allow for footnotes, so the References appendix became a list of URLs organized by chapter.

Spilled coffee beans, breaking the sound barrier, and software security

The Right Stuff is Tom Wolfe’s popular history of the US astronaut program, and it begins by recounting the early effort to break the sound barrier which involved such frequent crashes that there were weekly funerals for test pilots. What’s most striking about the account of this early period in what would become the space program is how the pilots gathering to bury their comrades would invariably talk themselves into believing that they would never have crashed — it was always the other guy who messed up and sadly paid the price.