Saturday, October 24, 2009

Five New Sins in Howard Book and Some Myths

Michael Howard, application security guru at Microsoft and author of some landmark books on software security, has recently added five new sins with this two co-authors, David LeBlanc and John Viega, in the new edition, 24 Deadly Sins of Software Security, of his outstanding handbook.

There really are six new sins, but since one old sin was dropped from the 19 in the old volume, the new total is back up to 24.

What I like about this book is that rather than being a textbook, it's more like a catalog for developers of the most common and nasty security weaknesses in application sofware. Unlike Howard and LeBlanc's other reference on the subject, Writing Secure Code, another famous reference on the subject, a developer can pinpoint the exact issue of interest, zoom down to specific code examples and find remedies in the most common programming languages.

The new sins of the 24 are the following:
Sin # 2: Web-Server Related Vulnerabilities
Sin # 8: C++ Catastrophes
Sin # 9: Catching Exceptions
Sin #15: Not Updating Easily
Sin #16: Executing Code with Too Much Privilege
Sin #18: The Sins of Mobile Code

Co-author John Viega, another noted author in the software security field, also recently wrote, The Myths of Security, a fascinating non-technical book on the fallacies peddled by the software security vendors. He zeroes in on anti-virus software, a subject he has an intimate knowledge of as CTO of the SaaS Business Unit at McAfee.

This book is a real wake up call not only to the general public about the pitfalls of anti-virus and other security products for home users, but to the arrogance of some geeks who think they're invincible because they'd never click on a bad link.

Between my new found awareness of my software sins and my arrogance as a geek, I was both humbled and enlightened by these two fantastic books.


Post a Comment

<< Home