Designing Secure Software consolidates more than twenty years of experience
into a concise, elegant guide to improving the security of technology products.
Written for a wide range of software professionals, it emphasizes building
security into software design early and involving the entire team
in the process.
The book begins with a discussion of core concepts, covering trust, threats,
mitigation, secure design patterns, and cryptography. The second part,
perhaps this book’s most unique and important contribution to the field,
covers the process of designing and reviewing a software design with security
considerations in mind. The final section details the most common coding flaws
that create vulnerabilities, making copious use of code snippets written in
C and Python to illustrate implementation vulnerabilities.
You’ll learn how to:
- Identify important assets, the attack surface, and the trust boundaries
in a system
- Evaluate the effectiveness of various threat mitigation candidates
- Work with well-known mitigations and secure design patterns
- Understand and prevent vulnerabilities like XSS and CSRF, memory flaws,
and more
- Use security testing to proactively identify vulnerabilities introduced
into code
- Review a software design for security flaws effectively and without judgment
“The writing in this book is very clear and easy reading,
and the examples used are both captivating and easy to understand.
Kohnfelder does a great job of making a point that is easy to understand,
and most of the chapters could stand alone for developers just working
in that one particular area.”
(read the full review)
Scope of the book
Posted on November 3, 2021
| Loren Kohnfelder
One big learning for me from writing a book on software security is realizing the importance of context to security. There was a constant challenge of discovering the right scope — what needs adding, and what can be cut to keep it concise.
[Read More]
Root causes
Posted on November 1, 2021
| Loren Kohnfelder
Each time a high-profile software security bug is reported, I wonder how this happened yet again. I don’t expect vulnerabilities to approach zero any time soon, but still I’d like to know how this keeps happening over and over, so we can do better.
[Read More]
Statement of Intention
Posted on October 27, 2021
| Loren Kohnfelder
I believe that we can do so much better at delivering more secure software, and my book explains how we could do that.
[Read More]
Announcement
Posted on October 25, 2021
| Loren Kohnfelder
I’m proud to announce my new software security book, Designing Secure Software: A Guide for Developers. I wanted to create something a little different: broadly readable rather than expert targeted, general approaches over specific details, all based on direct personal experience.
[Read More]
Coming Soon
Posted on October 13, 2021
| Loren Kohnfelder
Awaiting the release of any book requires patience, but this year amidst numerous supply chain challenges it’s particularly uncertain.
The original October target date is almost here, but I can report that the publisher hopes to have copies of the print edition for sale in early November – about a month ahead of general release now set for December 2021.
[Read More]
Complete Mediation in Sci-Fi
Posted on August 30, 2021
| Loren Kohnfelder
In the book Project Hail Mary by Andy Weir, there is a short scene (on page 339) that features a very clear example of failure to implement Complete Mediation (one of the secure design patterns described in Chapter 4 of my book).
[Read More]
Complete book proof review
Posted on August 26, 2021
| Loren Kohnfelder
This week I reviewed the complete book PDF, checking that previous changes were successfully made by the compositor. With luck that should be make it final.
[Read More]