Learn the essentials of developing secure software in accordance with the most current industry standards, in this comprehensive instructional guide. "Secure Software Development: A Programmer's Guide" leads readers through the tasks and activities that successful computer programmers navigate on a daily basis, from reading and analyzing requirements to choosing development tools, to guarding against software vulnerabilities and attacks. Additional coverage includes coding with built-in quality and security measures, and follow-up testing once a project is completed. With clear, straightforward examples and actual code snippets, readers can feel confident that they will gain the skills needed to develop software with all the critical components that ensure quality and security.
Review By: Scott McMaster 10/12/2009
The ability to produce secure software is an essential capability for modern development teams. This book by Jason Grembi focuses on how to integrate a security mindset into all phases of the software lifecycle. Accordingly, after an introduction to the principles of secure software development, the book includes chapters on requirements, design, construction, testing, and maintenance. Much of this material is fairly general in nature and not nearly as focused on interesting security issues as I expected given the book's title.
The most useful and unique part of the book is a discussion of how to build and use an application guide. This living artifact aims to capture all of the knowledge needed by engineers working on a specific project, including tool and environment setup, coding conventions, testing strategies, and deployment instructions. All projects should consider adopting this approach.
Due to its focus on process, Secure Software Development is not the right resource for those in search of advice on specific security programming issues, such as how to avoid buffer overflows, SQL injection, and cross-site scripting attacks. When the author does attempt to provide examples using Java, readers might find the recommendations controversial and in contradiction with what other experts might suggest. For instance, one section recommends declaring all variables at the beginning of a routine, rather than immediately before they are used. And in the chapter on development tools, a demonstration of a heap management tool seems to misunderstand the nature of garbage collection.
The broad scope of the book will give readers a high-level overview of the entire development process, but as a consequence, some important security-related topics are not covered in enough detail to be useful to more advanced practitioners. A discussion comparing client- and server-side input data validation, for example, fails to mention that client-side validation in a Web browser is often easily bypassed by would-be hackers.
The book contains a large body of review questions and exercises at the end of each chapter. Many of these make use of supplementary course materials. Secure Software Development would be most useful to new developers with little exposure to either security issues or the software development process in general. More experienced professionals will benefit little from the coverage of the software lifecycle, which makes up a large portion of the book.