I like clever sayings and wise proverbs, the shorter the better, so I wanted to work a number of them into the book. There are 45 of them in there, and for the most part I think they are at least relevant if not insightful. However, I admit that a few were just so good I bent the rules to include them. I hope the add a little spice to the book, provide useful perspective, perhaps educate or even provide a chuckle to readers.
[Read More]
Designing Secure Software consolidates more than twenty years of experience into a concise, elegant guide to improving the security of technology products. Written for a wide range of software professionals, it emphasizes building security into software design early and involving the entire team in the process.
The book begins with a discussion of core concepts, covering trust, threats, mitigation, secure design patterns, and cryptography. The second part, perhaps this book’s most unique and important contribution to the field, covers the process of designing and reviewing a software design with security considerations in mind. The final section details the most common coding flaws that create vulnerabilities, making copious use of code snippets written in C and Python to illustrate implementation vulnerabilities.
You’ll learn how to:
- Identify important assets, the attack surface, and the trust boundaries in a system
- Evaluate the effectiveness of various threat mitigation candidates
- Work with well-known mitigations and secure design patterns
- Understand and prevent vulnerabilities like XSS and CSRF, memory flaws, and more
- Use security testing to proactively identify vulnerabilities introduced into code
- Review a software design for security flaws effectively and without judgment
“The writing in this book is very clear and easy reading, and the examples used are both captivating and easy to understand. Kohnfelder does a great job of making a point that is easy to understand, and most of the chapters could stand alone for developers just working in that one particular area.” (read the full review)
Book on sale tomorrow
Finally my software security book is available for general sale tomorrow (December 21, 2021). Recent events such as the Log4j vulnerability demonstrate that our work is far from over (and the latest Microsoft security update lists 35 CVE).
[Read More]Learning from Log4j
With Log4j very much in the news, if I could update my new book by magic it would make a terrific real world example to write about because it ties together a number of topics in the book. This vulnerability stems from failure to sanitize untrusted inputs, enabling an injection attack that potentially can access arbitrary targets using authentication credentials held by the target server. All the attacker has to do is craft an attack string that manages to get logged somehow, and the widely used Apache Log4j 2 component executes whatever the attacker commands.
[Read More]Shipping
At last, print copies of my book Designing Secure Software: A Guide for Developers are now in stock, but only from the publisher. (The general on-sale date is in December.)
[Read More]References links checking
While writing this book I curated a list of web references for sources of material or details beyond what made sense to incorporate in the text. The publisher’s house style did not allow for footnotes, so the References appendix became a list of URLs organized by chapter.
[Read More]Vulnerabilities are Mistakes
Spilled coffee beans, breaking the sound barrier, and software security
The Right Stuff is Tom Wolfe’s popular history of the US astronaut program, and it begins by recounting the early effort to break the sound barrier which involved such frequent crashes that there were weekly funerals for test pilots. What’s most striking about the account of this early period in what would become the space program is how the pilots gathering to bury their comrades would invariably talk themselves into believing that they would never have crashed — it was always the other guy who messed up and sadly paid the price.
[Read More]Best Software Security Books of All Time
I was surprised to see that my book, “Designing Secure Software: A Guide for Developers”, made it to BookAuthority’s Best Software Security Books of All Time … especially since the first copies are still being printed and not yet shipping! (The e-book is available from the publisher at nostarch.com so it is getting out there in that form.) https://bookauthority.org/books/best-software-security-books?t=2u40nr&s=award&book=1718501927
[Read More]