
| Subject: | [CISSP-D] REVIEW: "Writing Secure Code", Michael Howard/David LeBlanc |
|---|---|
| Date: | Fri, 27 Oct 2006 08:50:21 -0800 |
BKWRSCCD.RVW 20060910

"Writing Secure Code", Michael Howard/David LeBlanc, 2002, 0-7356-1588-8, U$39.99/C$57.99
%A Michael Howard
%A David LeBlanc
%C 1 Microsoft Way, Redmond, WA 98052-6399
%D 2002
%G 0-7356-1588-8
%I Microsoft Press
%O U$39.99/C$57.99 800-MSPRESS fax: 206-936-7329
%O http://www.amazon.com/exec/obidos/ASIN/0735615888/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0735615888/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0735615888/robsladesin03-20
%O Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 477 p. + CD-ROM
%T "Writing Secure Code"

The introduction states that the purpose of the book is to teach application designers (and particularly .NET developers) to design, write, and test application code in a secure manner.

Part one addresses the contemporary security situation. Chapter one reviews the need for secure systems. The text is so supplemented by notes, comments, text boxes, and sidebars that it becomes difficult to follow at times. However, ultimately it does have a lot of interesting material that would be useful for those who have to make a case for secure coding practices and processes. Designing secure systems, in chapter two, provides a solid list of secure strategy principles along with details and discussion of them, although much of this deliberation is restricted to "war stories" which are interesting but not always useful. The content makes the point that the mere addition of security technologies does not always make for secure applications, which point is not supported by the inclusion, in the latter part of the material, of a huge list of security technologies.

Part two turns to secure coding techniques. Chapter three details that old standard and nemesis, the buffer overflow. Unfortunately, most of what is provided is limited to code demonstrating that various types of buffer overflows exist, and some contentions in regard to specific C language instructions that should not be used. Code for access control list use on Windows NT4 and 2000 is reviewed in chapter four. Code, but not design, for running with least privilege occupies chapter five. Chapter six is again concerned primarily with source code for cryptographic operations, although limited to pseudorandom number generation (paying insufficient attention to seed values), key management, and miscellaneous topics. Further functions involved with encrypting confidential information are in chapter seven. Chapter eight turns to canonical representation, although the discussion is narrowly confined to filenames and issues of traversal.

Part three concentrates on network-based application considerations even though network connectivity and access has been given as the reason to pay attention to secure coding in the first place. Chapter nine looks at the possibility of port hijacking, and the design of applications in order to work cooperatively with firewalls. Securing the use of RPC (Remote Procedure Calls), ActiveX, and DCOM (Distributed Common Object Model) is covered well in chapter ten, with concepts as well as code and good explanations (although I know for a fact that accessing dcomcnfg on XP is *not* as easy as the authors want to make out). Chapter eleven lists some denial of service (DoS) attacks and generally suggests limiting the resources available to applications. Most of the advice on securing Web-based services, in chapter twelve, boils down to advice not to trust the client, and various examples of malformed input are described.

Part four contains special topics. Chapter thirteen details .NET functions and operations related to security, but also provides valuable guidance in regard to appropriate (and inappropriate) use. Testing of secure applications gets a review of standard procedures, in chapter fourteen, but the material does not provide an abstract overview of assessment concepts that could be used to find all possibilities of weakness.
Installation procedures, in chapter fifteen, could have been useful, but this is probably the most Windows-specific and least practical section of the entire work. Chapter sixteen is a bit of a grab bag, but contains worthwhile tips and principles to follow (mostly in order to avoid common security pitfalls).

Appendices are usually extraneous material, sometimes added merely to pad out the page count of a book. However, the essays included at the end of this volume could be quite helpful. There are the ten immutable laws of security and the ten immutable laws of security administration, which have become famous in their own right, and have spread through the Internet, as well as a list of dumb excuses given for not doing security properly.

Overall, the book contains much that can be of use for those who wish to develop code that is secure and resistant against bugs and flaws that may open the application to attack. However, there is also a good deal that is irrelevant and not helpful, and a number of issues that could have been useful have not been included (such as development methodologies, design strategies, and testing issues).

copyright Robert M. Slade, 2006 BKWRSCCD.RVW 20060910

======================
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Microsoft gambled that making their users fault-tolerant was a better use of resources than making their software reliable. - Paul Guertin
Dictionary of Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm