20070722

Book Review - Secure Programming with Static Analysis

I mentioned a couple of weeks ago Brian Chess and Jacob West's (of Fortify Software) new book Secure Programming with Static Analysis (Addison-Wesley Software Security Series). When I got home the day I mentioned it, I was giddy with excitement because I had just received my copy. I'm kinda' new to book reviews, so please bear with me.

The best and worst thing about this book is its scope. It's great because it covers static analysis from soup to nuts, including why an environment should adopt a static analysis program, how static analysis works, the types of flaws that static analysis finds, how to correct flaws found by static analysis, and how to implement static analysis in your environment. However, that's also the major shortcoming with it. Because it's so broad, it gets very technical in some points, and if you hand the book to an executive type hoping they read chapters 1, 2 and 3, you'd better hope they don't thumb to chapter 4 by accident or else they'll quickly dismiss the book. Note to publisher - make chapters 1, 2, and 3 a removable pamphlet.

Jacob and Brian were fortunate enough to have the foreword written by Gary McGraw, whom I have a great deal of respect for. However, his very first illustration is correct only up to a point:

By contrast, on the first day of software engineering class, budding developers are taught that they can build anything that they can dream of. They usually start with "hello world."
The point of the paragraph (that engineering classes start with keeping people alive in mind, while development begins with features in mind) is spot-on and well taken. However, there's a very large segment of people writing code today who did not study software engineering, but started as hobbyists who learned HTML, then decided to pick up a PHP book - chock-full of really bad examples.

Part One of the book is an overview of static analysis - why you should do it, the different types of static analysis, and some really in-depth coverage of how static analyzers work - obviously they're experts on the matter, and the coverage is very good, but will be mind-numbing to those who don't actually study software. They make very compelling arguments for not only including static analysis as part of your development lifecycle, but also including it early in the lifecycle, and making sure that developers are performing the analysis as well.

Part Two covers some of the problems commonly uncovered by static analyzers. They have many examples of bad code, but thankfully, almost as many examples of specifically how to correct it (after all, I'm about solutions, not problems). They discuss input validation, buffer/integer overflow, and errors and exceptions. Brian and Jacob have some very good examples from open source software, and the fixes that were put into place, as well as some really good recommendations for additional libraries to use that will help alleviate some of the common mistakes that lead to buffer overflows.

Part Three covers environments or types of applications that are currently being written and some of the specific types of flaws that come up in those applications. They cover web applications, XML/web services, privacy, and privileged programs. The book does a really good job of covering the Struts Validator, but I see this section as needing a bit of work - while Struts is still probably the most widely used MVC architecture, the Commons Validator can be used in webapps that are not Struts, but there's no mention that you can actually use the validator outside of a Struts application, although using it within Struts makes it much simpler.

Part Four is Static Analysis in action. There are exercises to walk you through installing Fortify SCA (there's a demo edition included), performing the analysis scan, analyzing the results, and even writing your own rules. I've not walked through the examples, but anybody wishing to see what is involved will actually want to step through these processes.

I know that Brian and Jacob spent a great deal of time on the book. They bring a wealth of knowledge to something that just doesn't get covered much in books, yet it's a critical part of any mature security or development program. Static analysis does not cover every vulnerability possible, but the ones it does catch it catches earlier, and with greater depth, than other methods.

I certainly don't agree with Brian and Jacob on every one of their philosophies. I've had the pleasure of debating with them on some of those philosophies, and I'm convinced I'm still right. Fortunately, those issues don't come through in the book, and as a general reference for executives who need to be convinced of the need of static analysis in the lifecycle, to security practitioners who need to know how to write rules for their system (of course, there's a bent to Fortify SCA), to developers down in the trenches who need to understand what their tool is telling them, this book excels.

Additionally, of the technical books that I've read in first edition, this one is probably one of the best. I've seen very few grammatical flaws or even awkward sentences, and only a handful of code flaws. The writing, you can thank the editors for. The code example excellence, you can thank Brian and Jacob for - and yes, they still write code.