Encryption Books - Page 12

MagicBeanDip.com


Managing Security with Snort and IDS Tools

Christopher Gerg

Amazon Price: $26.37
List Price: $39.95
Usually ships in 24 hours
By: O'Reilly Media, Inc.
Amazon Marketplace: 51 new & used starting at $1.47


Customer Reviews:
Total reviews: 9 Average rating: 4.5 of 5

Editorial Review:

Intrusion detection is not for the faint of heart. But if you are a network administrator, chances are you're under increasing pressure to ensure that mission-critical systems are safe--in fact impenetrable--from malicious code, buffer overflows, stealth port scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders. Designing a reliable way to detect intruders before they get in is a vital but daunting challenge. Because of this, a plethora of complex, sophisticated, and pricy software solutions are now available. In terms of raw power and features, Snort, the most commonly used open source Intrusion Detection System (IDS), has begun to eclipse many expensive proprietary IDSes. In terms of documentation or ease of use, however, Snort can seem overwhelming. Which output plugin to use? How do you email alerts to yourself? Most importantly, how do you sort through the immense amount of information Snort makes available to you?

Many intrusion detection books are long on theory but short on specifics and practical examples. Not Managing Security with Snort and IDS Tools. This new book is a thorough, exceptionally practical guide to managing network security using Snort 2.1 (the latest release) and dozens of other high-quality open source intrusion detection programs. Managing Security with Snort and IDS Tools covers reliable methods for detecting network intruders, from using simple packet sniffers to more sophisticated IDS (Intrusion Detection Systems) applications and the GUI interfaces for managing them. A comprehensive but concise guide for monitoring illegal entry attempts, this invaluable new book explains how to shut down and secure workstations, servers, firewalls, routers, sensors and other network devices. Step-by-step instructions are provided to quickly get up and running with Snort.

Each chapter includes links for the programs discussed, and additional links at the end of the book give administrators access to numerous web sites for additional information and instructional material that will satisfy even the most serious security enthusiasts. Managing Security with Snort and IDS Tools maps out a proactive--and effective--approach to keeping your systems safe from attack.

Core Security Patterns: Best Practices and Strategies for J2EE(TM), Web Services, and Identity Management (Sun Core Series)

Christopher Steel, Ramesh Nagappan, Ray Lai

Amazon Price: $40.94
List Price: $64.99
Usually ships in 24 hours
By: Prentice Hall PTR
Amazon Marketplace: 68 new & used starting at $9.75


Customer Reviews:
Total reviews: 32 Average rating: 4.5 of 5

Editorial Review:

Praise for Core Security Patterns

Java provides the application developer with essential security mechanisms and support in avoiding critical security bugs common in other languages. A language, however, can only go so far. The developer must understand the security requirements of the application and how to use the features Java provides in order to meet those requirements. Core Security Patterns addresses both aspects of security and will be a guide to developers everywhere in creating more secure applications.
--Whitfield Diffie, inventor of Public-Key Cryptography

A comprehensive book on Security Patterns, which are critical for secure programming.
--Li Gong, former Chief Java Security Architect, Sun Microsystems, and coauthor of Inside Java 2 Platform Security

As developers of existing applications, or future innovators that will drive the next generation of highly distributed applications, the patterns and best practices outlined in this book will be an important asset to your development efforts.
--Joe Uniejewski, Chief Technology Officer and Senior Vice President, RSA Security, Inc.

This book makes an important case for taking a proactive approach to security rather than relying on the reactive security approach common in the software industry.
--Judy Lin, Executive Vice President, VeriSign, Inc.

Core Security Patterns provides a comprehensive patterns-driven approach and methodology for effectively incorporating security into your applications. I recommend that every application developer keep a copy of this indispensable security reference by their side.
--Bill Hamilton, author of ADO.NET Cookbook, ADO.NET in a Nutshell, and NUnit Pocket Reference

As a trusted advisor, this book will serve as a Java developer's security handbook, providing applied patterns and design strategies for securing Java applications.
--Shaheen Nasirudheen, CISSP, Senior Technology Officer, JPMorgan Chase

Like Core J2EE Patterns, this book delivers a proactive and patterns-driven approach for designing end-to-end security in your applications. Leveraging the authors' strong security experience, they created a must-have book for any designer/developer looking to create secure applications.
--John Crupi, Distinguished Engineer, Sun Microsystems, coauthor of Core J2EE Patterns

Core Security Patterns is the hands-on practitioner's guide to building robust end-to-end security into J2EE enterprise applications, Web services, identity management, service provisioning, and personal identification solutions. Written by three leading Java security architects, the patterns-driven approach fully reflects today's best practices for security in large-scale, industrial-strength applications. The authors explain the fundamentals of Java application security from the ground up, then introduce a powerful, structured security methodology; a vendor-independent security framework; a detailed assessment checklist; and twenty-three proven security architectural patterns. They walk through several realistic scenarios, covering architecture and implementation and presenting detailed sample code. They demonstrate how to apply cryptographic techniques; obfuscate code; establish secure communication; secure J2ME applications; authenticate and authorize users; and fortify Web services, enabling single sign-on, effective identity management, and personal identification using Smart Cards and Biometrics.

Core Security Patterns covers all of the following, and more:

  • What works and what doesn't: J2EE application-security best practices, and common pitfalls to avoid
  • Implementing key Java platform security features in real-world applications
  • Establishing Web Services security using XML Signature, XML Encryption, WS-Security, XKMS, and WS-I Basic security profile
  • Designing identity management and service provisioning systems using SAML, Liberty, XACML, and SPML
  • Designing secure personal identification solutions using Smart Cards and Biometrics
  • Security design methodology, patterns, best practices, reality checks, defensive strategies, and evaluation checklists
  • End-to-end security architecture case study: architecting, designing, and implementing an end-to-end security solution for large-scale applications

CCNA Security Exam Cram (Exam IINS 640-553) (Exam Cram)

Eric Stewart

Amazon Price: $26.39
List Price: $39.99
Usually ships in 24 hours
By: Que
Amazon Marketplace: 35 new & used starting at $18.85


Editorial Review:

In this book you’ll learn how to:

  • Build a secure network using security controls
  • Secure network perimeters
  • Implement secure management and harden routers
  • Implement network security policies using Cisco IOS firewalls
  • Understand cryptographic services
  • Deploy IPsec virtual private networks (VPNs)
  • Secure networks with Cisco IOS® IPS
  • Protect switch infrastructures
  • Secure endpoint devices, storage area networks (SANs), and voice networks

WRITTEN BY A LEADING EXPERT:

Eric Stewart is a self-employed network security contractor who finds his home in Ottawa, Canada. Eric has more than 20 years of experience in the information technology field, the last 12 years focusing primarily on Cisco® routers, switches, VPN concentrators, and security appliances. The majority of Eric’s consulting work has been in the implementation of major security infrastructure initiatives and architectural reviews with the Canadian Federal Government. Eric is a certified Cisco instructor teaching Cisco CCNA, CCNP®, and CCSP® curriculum to students throughout North America and the world.

CD Features MeasureUp Practice Questions!

This book includes a CD-ROM that features:

  • Practice exams with complete coverage of CCNA® Security exam topics
  • Detailed explanations of correct and incorrect answers
  • Multiple exam modes
  • Flash Card format
  • An electronic copy of the book

informit.com/examcram

ISBN-13: 978-0-7897-3800-4

ISBN-10: 0-7897-3800-7

U.S. $39.99

CAN. $43.99

Net U.K. £25.99

Cryptography: Theory and Practice, Third Edition (Discrete Mathematics and Its Applications)

Douglas R. Stinson

Amazon Price: $55.96
List Price: $69.95
Usually ships in 24 hours
By: Chapman & Hall/CRC
Amazon Marketplace: 39 new & used starting at $25.00


Customer Reviews:
Total reviews: 14 Average rating: 3.5 of 5

Editorial Review:

THE LEGACY…

First introduced in 1995, Cryptography: Theory and Practice garnered enormous praise and popularity, and soon became the standard textbook for cryptography courses around the world. The second edition was equally embraced, and enjoys status as a perennial bestseller. Now in its third edition, this authoritative text continues to provide a solid foundation for future breakthroughs in cryptography.

WHY A THIRD EDITION?

The art and science of cryptography has been evolving for thousands of years. Now, with unprecedented amounts of information circling the globe, we must be prepared to face new threats and employ new encryption schemes on an ongoing basis. This edition updates relevant chapters with the latest advances and includes seven additional chapters covering:

  • Pseudorandom bit generation in cryptography
  • Entity authentication, including schemes built from primitives and special purpose "zero-knowledge" schemes
  • Key establishment including key distribution and protocols for key agreement, both with a greater emphasis on security models and proofs
  • Public key infrastructure, including identity-based cryptography
  • Secret sharing schemes
  • Multicast security, including broadcast encryption and copyright protection

THE RESULT…

Providing mathematical background in a "just-in-time" fashion, informal descriptions of cryptosystems along with more precise pseudocode, and a host of numerical examples and exercises, Cryptography: Theory and Practice, Third Edition offers comprehensive, in-depth treatment of the methods and protocols that are vital to safeguarding the mind-boggling amount of information circulating around the world.

Understanding PKI: Concepts, Standards, and Deployment Considerations (2nd Edition) (Kaleidoscope)

Carlisle Adams, Steve Lloyd

Amazon Price: $40.85
List Price: $59.99
Usually ships in 24 hours
By: Addison-Wesley Professional
Amazon Marketplace: 44 new & used starting at $10.00


Customer Reviews:
Total reviews: 14 Average rating: 4.0 of 5

Has value for Technical Architects / Security Analysts 3 out of 5 stars.
6 of 6 people found this review helpful.

I think there's some merit to people expecting a more hands-on approach in a book like this. But those expectations seem unrealistic. The book is not titled "Implementing PKI," it's called "Understanding PKI."

There is value in a concepts book. For an experienced technical professional trying to get a grip on the terminologies and concepts of security and PKI, this book is succinct and touches all the major points.

For those looking for screenshots of people right clicking icons, there's a thousand other books like that! Most of those so-called "technical books" are not that technical. It's nice to have a book that's not product specific for a change.

This book does what it intends to do well. There is a need for more technical books but this book is valuable in its present form. I have given several copies to peers.

I hope this review helps you balance out your opinions before deciding for or against this book.

Editorial Review:

Covers a broad range of material related to PKIs, including certification, operational considerations and standardization efforts, as well as deployment issues and considerations.

Extrusion Detection: Security Monitoring for Internal Intrusions

Richard Bejtlich

Amazon Price: $34.64
List Price: $54.99
Usually ships in 24 hours
By: Addison-Wesley Professional
Amazon Marketplace: 47 new & used starting at $12.19


Customer Reviews:
Total reviews: 9 Average rating: 4.5 of 5

Editorial Review:

Overcome Your Fastest-Growing Security Problem: Internal, Client-Based Attacks

Today's most devastating security attacks are launched from within the company, by intruders who have compromised your users' Web browsers, e-mail and chat clients, and other Internet-connected software. Hardening your network perimeter won't solve this problem. You must systematically protect client software and monitor the traffic it generates. Extrusion Detection is a comprehensive guide to preventing, detecting, and mitigating security breaches from the inside out. Top security consultant Richard Bejtlich offers clear, easy-to-understand explanations of today's client-based threats and effective, step-by-step solutions, demonstrated against real traffic and data. You will learn how to assess threats from internal clients, instrument networks to detect anomalies in outgoing traffic, architect networks to resist internal attacks, and respond effectively when attacks occur. Bejtlich's The Tao of Network Security Monitoring earned acclaim as the definitive guide to overcoming external threats. Now, in Extrusion Detection, he brings the same level of insight to defending against today's rapidly emerging internal threats. Whether you're an architect, analyst, engineer, administrator, or IT manager, you face a new generation of security risks. Get this book and protect yourself.

Coverage includes

  • Architecting defensible networks with pervasive awareness: theory, techniques, and tools
  • Defending against malicious sites, Internet Explorer exploitations, bots, Trojans, worms, and more
  • Dissecting session and full-content data to reveal unauthorized activity
  • Implementing effective Layer 3 network access control
  • Responding to internal attacks, including step-by-step network forensics
  • Assessing your network's current ability to resist internal attacks
  • Setting reasonable corporate access policies
  • Detailed case studies, including the discovery of internal and IRC-based bot nets
  • Advanced extrusion detection: from data collection to host and vulnerability enumeration

About the Web Site

Get book updates and network security news at Richard Bejtlich's popular blog, taosecurity.blogspot.com, and his Web site, www.bejtlich.net.

Foundations of Cryptography Volume II Basic Applications

Oded Goldreich

Amazon Price: $70.40
List Price: $94.00
Usually ships in 24 hours
By: Cambridge University Press
Amazon Marketplace: 39 new & used starting at $9.94


Customer Reviews:
Total reviews: 5 Average rating: 4.0 of 5

Great idea -- needs a good editor! 3 out of 5 stars.
19 of 24 people found this review helpful.

This book hits some extremes in good and bad. The good is easy: There are few (no?) other books that fill the niche of theoretical cryptography. There are some excellent lecture notes from Bellare and Goldwasser that are available on the web, but they don't go into the detailed motivation of topics that Goldreich does. The topics that Goldreich has chosen cover a lot of important areas, and he has done a great job of pulling out the best, most essential results to present.

However, the bad part is that the writing is simply horrible. There seems to be little planning and things simply don't flow at all. Here's a specific example, which is so bad as to almost be funny: There's a huge use of footnotes for side comments, mostly because of this "stream of consciousness" writing that doesn't work things in properly. The first footnote in chapter 4 says, believe it or not, "See Footnote 13". Huh? So I go digging through the later part of the chapter, looking desperately for this gem of knowledge that will be in footnote 13, and what is it? The definition of a graph! Now come on -- chapter 4 of a book, where we've been dealing with advanced topics in computer science, and they feel the need to define a graph!?!?! Through several levels of indirection in footnotes? Come on guys, what editor let that one through?

Oded is a great computer scientist, and a good guy, but please, PLEASE get a good editor for the other volumes, or maybe even a good writer to team up with!

Editorial Review:

Cryptography is concerned with the conceptualization, definition and construction of computing systems that address security concerns. The design of cryptographic systems must be based on firm foundations. Building on the basic tools presented in the first volume, this second volume of Foundations of Cryptography contains a rigorous and systematic treatment of three basic applications: Encryption, Signatures, and General Cryptographic Protocols. It is suitable for use in a graduate course on cryptography and as a reference book for experts. The author assumes basic familiarity with the design and analysis of algorithms; some knowledge of complexity theory and probability is also useful. Also available: Volume I: Basic Tools 0-521-79172-3 Hardback $75.00 C

Nokia Firewall, VPN, and IPSO Configuration Guide

Andrew Hay, Keli Hay, Peter Giannoulis

Amazon Price: $53.95
List Price: $59.95
Usually ships in 24 hours
By: Syngress
Amazon Marketplace: 7 new & used starting at $49.95


Editorial Review:

"While Nokia is perhaps most recognized for its leadership in the mobile phone market, they have successfully demonstrated their knowledge of the Internet security appliance market and its customers' requirements."
--Chris Christiansen, Vice President, Internet Infrastructure and Security Software, IDC.

Syngress has a long history of publishing market-leading books for system administrators and security professionals on commercial security products, particularly Firewall and Virtual Private Network (VPN) appliances from Cisco, Check Point, Juniper, SonicWall, and Nokia (see related titles for sales histories). The Nokia Firewall, VPN, and IPSO Configuration Guide will be the only book on the market covering the all-new Nokia Firewall/VPN Appliance suite. Nokia Firewall/VPN appliances are designed to protect and extend the network perimeter.

According to IDC research, Nokia Firewall/VPN Appliances hold the #3 worldwide market-share position in this space behind Cisco and Juniper/NetScreen. IDC estimated the total Firewall/VPN market at $6 billion in 2007, and Nokia owns 6.6% of this market. Nokia's primary customers for security appliances are Mid-size to Large enterprises who need site-to-site connectivity and Mid-size to Large enterprises who need remote access connectivity through enterprise-deployed mobile devices. Nokia appliances for this market are priced from $1,000 for the simplest devices (Nokia IP60) up to $60,0000 for large enterprise- and service-provider class devices (like the Nokia IP2450 released in Q4 2007). While the feature set of such a broad product range obviously varies greatly, all of the appliances run on the same operating system: Nokia IPSO (IPSO refers to Ipsilon Networks, a company specializing in IP switching acquired by Nokia in 1997. The definition of the acronym has little to no meaning for customers.) As a result of this common operating system across the product line, The Nokia Firewall, VPN, and IPSO Configuration Guide will be an essential reference to users of any of these products. Users manage the Nokia IPSO (which is a Linux variant, specifically designed for these appliances) through a Web interface called Nokia Network Voyager or via a powerful Command Line Interface (CLI). Coverage within the book becomes increasingly complex relative to the product line.

The Nokia Firewall, VPN, and IPSO Configuration Guide and companion Web site will provide seasoned network administrators and security professionals with the in-depth coverage and step-by-step walkthroughs they require to properly secure their network perimeters and ensure safe connectivity for remote users. The book contains special chapters devoted to mastering the complex Nokia IPSO command line, as well as tips and tricks for taking advantage of the new "ease of use" features in the Nokia Network Voyager Web interface. In addition, the companion Web site offers downloadable video walkthroughs on various installation and troubleshooting tips from the authors.

* Only book on the market covering Nokia Firewall/VPN appliances, which hold 6.6% of a $6 billion market
* Companion website offers video walkthroughs on various installation and troubleshooting tips from the authors
* Special chapters detail mastering the complex Nokia IPSO command line, as well as tips and tricks for taking advantage of the new "ease of use" features in the Nokia Network Voyager Web interface

The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities

Mark Dowd, John McDonald, Justin Schuh

Amazon Price: $45.15
List Price: $54.99
Usually ships in 24 hours
By: Addison-Wesley Professional
Amazon Marketplace: 39 new & used starting at $38.00


Customer Reviews:
Total reviews: 16 Average rating: 5.0 of 5

Editorial Review:

“There are a number of secure programming books on the market, but none that go as deep as this one. The depth and detail exceeds all books that I know about by an order of magnitude.”

Halvar Flake, CEO and head of research, SABRE Security GmbH

The Definitive Insider’s Guide to Auditing Software Security

This is one of the most detailed, sophisticated, and useful guides to software security auditing ever written. The authors are leading security consultants and researchers who have personally uncovered vulnerabilities in applications ranging from sendmail to Microsoft Exchange, Check Point VPN to Internet Explorer. Drawing on their extraordinary experience, they introduce a start-to-finish methodology for “ripping apart” applications to reveal even the most subtle and well-hidden security flaws.

The Art of Software Security Assessment covers the full spectrum of software vulnerabilities in both UNIX/Linux and Windows environments. It demonstrates how to audit security in applications of all sizes and functions, including network and Web software. Moreover, it teaches using extensive examples of real code drawn from past flaws in many of the industry's highest-profile applications.

Coverage includes

  • Code auditing: theory, practice, proven methodologies, and secrets of the trade
  • Bridging the gap between secure software design and post-implementation review
  • Performing architectural assessment: design review, threat modeling, and operational review
  • Identifying vulnerabilities related to memory management, data types, and malformed data
  • UNIX/Linux assessment: privileges, files, and processes
  • Windows-specific issues, including objects and the filesystem
  • Auditing interprocess communication, synchronization, and state
  • Evaluating network software: IP stacks, firewalls, and common application protocols
  • Auditing Web applications and technologies

This book is an unprecedented resource for everyone who must deliver secure software or assure the safety of existing software: consultants, security specialists, developers, QA staff, testers, and administrators alike.

Contents

ABOUT THE AUTHORS
PREFACE
ACKNOWLEDGMENTS

I Introduction to Software Security Assessment

1 SOFTWARE VULNERABILITY FUNDAMENTALS
2 DESIGN REVIEW
3 OPERATIONAL REVIEW
4 APPLICATION REVIEW PROCESS

II Software Vulnerabilities

5 MEMORY CORRUPTION
6 C LANGUAGE ISSUES
7 PROGRAM BUILDING BLOCKS
8 STRINGS AND METACHARACTERS
9 UNIX I: PRIVILEGES AND FILES
10 UNIX II: PROCESSES
11 WINDOWS I: OBJECTS AND THE FILE SYSTEM
12 WINDOWS II: INTERPROCESS COMMUNICATION
13 SYNCHRONIZATION AND STATE

III Software Vulnerabilities in Practice

14 NETWORK PROTOCOLS
15 FIREWALLS
16 NETWORK APPLICATION PROTOCOLS
17 WEB APPLICATIONS
18 WEB TECHNOLOGIES

BIBLIOGRAPHY
INDEX

Secure Programming with Static Analysis (Addison-Wesley Software Security Series)

Brian Chess, Jacob West

Amazon Price: $42.57
List Price: $49.99
Usually ships in 24 hours
By: Addison-Wesley Professional
Amazon Marketplace: 48 new & used starting at $28.00


Customer Reviews:
Total reviews: 10 Average rating: 4.5 of 5

Editorial Review:

The First Expert Guide to Static Analysis for Software Security!

Creating secure code requires more than just good intentions. Programmers need to know that their code will be safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-toothed comb and uncover the kinds of errors that lead directly to security vulnerabilities. Now, there’s a complete guide to static analysis: how it works, how to integrate it into the software development processes, and how to make the most of it during security code review. Static analysis experts Brian Chess and Jacob West look at the most common types of security defects that occur today. They illustrate main points using Java and C code examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar mistakes. This book is for everyone concerned with building more secure software: developers, security engineers, analysts, and testers.

Coverage includes:

  • Why conventional bug-catching often misses security problems
  • How static analysis can help programmers get security right
  • The critical attributes and algorithms that make or break a static analysis tool
  • 36 techniques for making static analysis more effective on your code
  • More than 70 types of serious security vulnerabilities, with specific solutions
  • Example vulnerabilities from Firefox, OpenSSH, MySpace, eTrade, Apache httpd, and many more
  • Techniques for handling untrusted input
  • Eliminating buffer overflows: tactical and strategic approaches
  • Avoiding errors specific to Web applications, Web services, and Ajax
  • Security-aware logging, debugging, and error/exception handling
  • Creating, maintaining, and sharing secrets and confidential information
  • Detailed tutorials that walk you through the static analysis process

“We designed Java so that it could be analyzed statically. This book shows you how to apply advanced static analysis techniques to create more secure, more reliable software.”

Bill Joy, Co-founder of Sun Microsystems, co-inventor of the Java programming language

“'Secure Programming with Static Analysis' is a great primer on static analysis for security-minded developers and security practitioners. Well-written, easy to read, tells you what you need to know.”

David Wagner, Associate Professor, University of California Berkeley

“Software developers are the first and best line of defense for the security of their code. This book gives them the security development knowledge and the tools they need in order to eliminate vulnerabilities before they move into the final products that can be exploited.”

Howard A. Schmidt, Former White House Cyber Security Advisor

BRIAN CHESS is Founder and Chief Scientist of Fortify Software, where his research focuses on practical methods for creating secure systems. He holds a Ph.D. in Computer Engineering from University of California Santa Cruz, where he studied the application of static analysis to finding security-related code defects.

JACOB WEST manages Fortify Software’s Security Research Group, which is responsible for building security knowledge into Fortify’s products. He brings expertise in numerous programming languages, frameworks, and styles together with deep knowledge about how real-world systems fail.

CD contains a working demonstration version of Fortify Software’s Source Code Analysis (SCA) product; extensive Java and C code samples; and the tutorial chapters from the book in PDF format.

Part I: Software Security and Static Analysis

1 The Software Security Problem
2 Introduction to Static Analysis
3 Static Analysis as Part of the Code Review Process
4 Static Analysis Internals

Part II: Pervasive Problems

5 Handling Input
6 Buffer Overflow
7 Bride of Buffer Overflow
8 Errors and Exceptions

Part III: Features and Flavors

9 Web Applications
10 XML and Web Services
11 Privacy and Secrets
12 Privileged Programs

Part IV: Static Analysis in Practice

13 Source Code Analysis Exercises for Java
14 Source Code Analysis Exercises for C

Epilogue
References
Index

