Reviews of Six Software Security Books
Amazon.com just posted my six new reviews on books about software security. The first is Software Security by Gary McGraw. This was my favorite of the six because it was the most logically organized. Here is a link to the five star review.
The second is Security Development Lifecycle by Microsoft's Michael Howard and Steve Lipner. I thought it was neat to read about Microsoft's software development practices with respect to security. Just don't expect the CD-ROM training videos to keep you awake. Here is a link to the four star review.
The third is Writing Secure Code, 2nd Ed by Microsoft's Michael Howard and David LeBlanc. This is probably the definitive book on writing secure code for Windows, although the terminology gives me pains. Here is a link to the four star review.
The fourth is 19 Deadly Sins of Software Security by Michael Howard, David LeBlanc, and John Viega. This book is a stripped down version of other secure coding books, but it has some cool insights on topics like SSL. Here is a link to the four star review.
The fifth is High-Assurance Design by Cliff Berg. Java and object-oriented developers will like the second half of this book; I preferred the first half. Here is a link to the four star review.
The last book is Security Patterns by Markus Schumacher, et al. This book presents a framework that we might see more of in the future. Here is a link to the four star review.
All six reviews share this common introduction, since I read and reviewed them as a set:
I read six books on software security recently, namely "Writing Secure Code, 2nd Ed" by Michael Howard and David LeBlanc; "19 Deadly Sins of Software Security" by Michael Howard, David LeBlanc, and John Viega; "Software Security" by Gary McGraw; "The Security Development Lifecycle" by Michael Howard and Steve Lipner; "High-Assurance Design" by Cliff Berg; and "Security Patterns" by Markus Schumacher, et al. Each book takes a different approach to the software security problem, although the first two focus on coding bugs and flaws; the second two examine development processes; and the last two discuss practices or patterns for improved design and implementation. My favorite of the six is Gary McGraw's, thanks to his clear thinking and logical analysis. The other five are still noteworthy books. All six will contribute to the production of more security software.
Sometime this month I plan to review a set of books about vulnerability discovery and writing exploits. You'll see those titles on my reading list.