
Book Review: Secure Coding

When clients starting down the road to software security ask me which book is the best place to begin, I recommend "Secure Coding: Principles and Practices" by Mark Graff and Ken van Wyk.

The hardest thing about software security is that in most organizations no one person or group really owns it. So you have this dichotomy where software people don't really have the requisite security knowledge, and security people don't really understand all the details of software development. It is difficult to navigate the terrain between these domains in a way that is specific enough to be understandable and actionable, without overwhelming the reader from one background or the other. This is what makes Secure Coding such a great starting point.

Chapter 1 hits a number of important software security issues and, most importantly for software developers, provides an introduction to thinking about the software design from the attacker's point of view. The authors also make an extremely important point about composition, quoting an expert bridge player: "No one made any mistakes. Only the result was ridiculous." The fact that most OO and distributed systems are built by composition is a major issue for security, because security mechanisms and protocols are generally not composable: two components can each be correct in isolation and still be insecure when combined.
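To make the composition point concrete, here is an added example (my own illustration, not code from the book): a traversal check and a URL decoder that are each correct on their own, wired together in the two possible orders. The base directory, the request paths and the helper names are constructed for the illustration. Only the ordering differs, and only one ordering is safe; the third variant shows the general fix, which is to check the security property on the final canonical form rather than on an intermediate representation.

```python
"""
Composition failure: each component is correct in isolation, the glue is wrong.
Added illustration for the review above; not the book's code. Paths are constructed.
"""
import posixpath
from urllib.parse import unquote

BASE = "/srv/www/static"  # assumed document root for the illustration


def has_traversal(path: str) -> bool:
    """Component A: true if any segment is '..'. Correct for the input it sees."""
    return any(seg == ".." for seg in path.split("/"))


def decode(path: str) -> str:
    """Component B: remove one layer of percent-encoding. Also correct on its own."""
    return unquote(path)


def resolve(path: str) -> str:
    """Map a request path onto the filesystem under BASE."""
    return posixpath.normpath(posixpath.join(BASE, path.lstrip("/")))


def escapes_base(resolved):
    """True if a resolved path lies outside BASE."""
    if resolved is None:
        return False
    return not (resolved == BASE or resolved.startswith(BASE + "/"))


def serve_check_then_decode(user_path: str):
    """Bad composition: A runs on the encoded form, so '%2e%2e' slips past it,
    then B turns it into '..' and the resolved path leaves BASE."""
    if has_traversal(user_path):
        return None
    return resolve(decode(user_path))


def serve_decode_then_check(user_path: str):
    """Better composition: A sees what B produced, so '..' is caught."""
    decoded = decode(user_path)
    if has_traversal(decoded):
        return None
    return resolve(decoded)


def serve_canonical_then_check(user_path: str):
    """Robust composition: decide on the final canonical path, not on any
    intermediate representation, so the order of earlier transforms no longer
    matters."""
    resolved = resolve(decode(user_path))
    if escapes_base(resolved):
        return None
    return resolved


if __name__ == "__main__":
    evil = "%2e%2e/%2e%2e/%2e%2e/etc/passwd"  # constructed attack path
    for fn in (serve_check_then_decode, serve_decode_then_check,
               serve_canonical_then_check):
        out = fn(evil)
        print(f"{fn.__name__:28} -> {out!r}  escapes={escapes_base(out)}")
```

No individual function is "the mistake"; the ridiculous result comes purely from how they are joined. The last variant is the habit the composition point argues for: enforce the invariant where it actually matters, on the value that will be used.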

Chapters 2 and 3 examine security architecture and design, which is generally where the most egregious issues come into play. As with the majority of the book, there are actionable steps laid out to help you incorporate the secure coding principles the authors describe, and the authors strike a good balance between what to do and what not to do. Too many security books only address the latter.

Chapters 4, 5, and 6 look at the remainder of the development lifecycle, defining practical ways to integrate security into software implementation, testing, and operations. What is most valuable in the authors' approach is that a top-down methodology on the part of the enterprise is not required to begin down the software security path. The authors do describe some top-down techniques, but each and every phase described in the book contains numerous actions that enterprises can adopt with little to no cost. For example, the implementation chapter looks at peer reviews and checklists for secure coding, and the operations chapter looks at specific ways to implement security event logging. The barrier to entry for organizations to deploy any number of the concepts described in this book is therefore very low.

This book does not contain the nth layer of every major security design decision you need to make, but it is a great place to begin the journey. As Martin Fowler put it, "comprehensiveness is the enemy of comprehensibility."
