
Network Security SecProg

RE: Inspecting Code for Security

Subject: RE: Inspecting Code for Security
Date: Thu, 23 Sep 2004 13:13:17 -0500
I disagree that it is UNIX-centric; I would say that it lacks a bias with
the exception being that most examples are presented in UNIX applications
simply because a UNIX programming environment lends itself to simple
examples.

The vast majority of the code examples in the buffer overflow chapter are
cross-platform or POSIX compliant.  If anything, the section on access
controls really illustrates a UNIX-centric view, but even then, the examples
used are a discussion of access controls and their effective use as opposed to
"this is how to implement access controls".  The authors make use of the
best platform available to illustrate the concept as effectively as
possible.

The book itself is an excellent discussion of security from a technical
perspective, rather than focusing on specific examples of how to
achieve security.  This is in keeping with the idea that you cannot achieve
"perfect security", but rather that security is an emergent property of
well-designed systems.  You cannot address security within an application
without first investigating the underlying design and implementation flaws
which result in failures of security within an application.

In contrast, Writing Secure Code (Second Edition) {which is also on my
bookshelf} is a narrow view of security focusing briefly on security in
general and then diving into platform and language specific examples of
security.  A more appropriate title for this book would have been "Writing
Secure Code for Windows".  It is an excellent resource which I refer to
frequently when developing recommendations and solutions for Windows
applications, however given that I am also required to audit code written in
C, C++, C#, PHP, Visual Basic, and Java, recommending it as a general
technical resource for someone who may have the same requirements is not
realistic.  

Both books are excellent, and I would recommend either one, but only to the
correct audience; I recommend Building Secure Software to someone who wants
to learn about secure application design and implementation; I recommend
Writing Secure Code for people who want specific documentation on how to
address common security issues when writing software for the Windows
platform.  

If someone wants a lightweight introduction to secure programming I
recommend "Secure Coding: Principles & Practices", and someone who wants to
learn how to really pick apart a system and look for vulnerabilities I
recommend "The Shellcoder's Handbook".  

It really is a case of recommending the correct tool for the job, and in my
opinion Building Secure Software is a far more valuable reference than Writing
Secure Code when performing code audits.

Yvan Boily 

Here is complete info on the books I mentioned, each of them is a decent
read, and I have arranged them in my perceived order of complexity and depth
ranging from least complex to most complex.

"Secure Coding: Principles & Practices" - Mark G. Graff & Kenneth R. van Wyk
http://www.oreilly.com/catalog/securecdng/

"Writing Secure Code (Second Edition)"  - Michael Howard and David LeBlanc
http://www.microsoft.com/mspress/books/5957.asp

"Building Secure Software" - John Viega and Gary McGraw
http://www.buildingsecuresoftware.com/

"The Shellcoder's Handbook" - Jack Koziol, David Litchfield, Dave Aitel,
Chris Anley, Sinan "noir" Eren, Neel Mehta, Riley Hassell
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764544683.html

-----Original Message-----
From: Aleksander P. Czarnowski [mailto:alekc@avet.com.pl] 
Sent: Thursday, September 23, 2004 11:39 AM
To: Yvan Boily
Cc: secprog@securityfocus.com
Subject: RE: Inspecting Code for Security

-----Original Message-----
From: Yvan Boily [mailto:yboily@seccuris.com]

> Pick up John Viega and Gary McGraw's Building Secure Software..
While this is a great book, it is very UNIX-centric, which might
be an important drawback in the case of an application based on
Microsoft technologies (on the other hand, many MS
technology-related issues have been addressed in Writing
Secure Code). You can see it best in the chapters that describe
exploitation of buffer overflows. Nevertheless, together with
Secure Coding, this is a great book.
Just my 2 cents,
Best Regards,
Aleksander Czarnowski
AVET INS 


