Secure Coding
- Secure Coding: Principles and Practices
By Mark G. Graff, Kenneth R. van Wyk
Publisher: O'Reilly Media
Released: June 2003
Pages: 224
This slim volume contains a wealth of information that will be of interest not only to software developers, but to anyone responsible for the deployment and operation of computer systems. Indeed, if I had one complaint about the book it would be that the title is misleading: it is not so much about secure coding as about the overall software development process, and relatively little is said about coding per se. But do not let this put you off: programmers will benefit from reading this book too.
The first chapter gives an overview of security vulnerabilities, covering different types of attack; how vulnerabilities arise; who might want to exploit them; and how we can defend our systems.
Further chapters cover different aspects of the software development process: architecture, design, implementation, and testing. Every chapter contains useful information and practical advice, and the authors draw on their extensive experience to back this up with examples and case studies.
They advocate a holistic approach to security: you cannot work around design errors at implementation time, and the best design and implementation can be laid waste by poor operations procedures. This theme permeates the book and is reinforced by the chapter on operations, which emphasises the importance of providing a secure environment for running a business application.
Most chapters also include sections on good practices and bad practices. I found that these conveyed information effectively, particularly where they drew attention to failings in my own organization.
The book is concise, with clear explanations of new concepts. Ideas are further clarified through the case studies, which add real-world interest to the book. To top it all, an appendix extending to 10 pages lists further resources.
In the preface, the authors remark that they want the book "...to be read". They have certainly succeeded in producing a very readable volume, and I encourage my fellow software developers and systems administrators to go out and read it. As for myself, I shall be making time to follow up the resources - and putting some of these principles into practice on my own systems.