"Software Security: Building Security In", Gary McGraw, 2006,
%A Gary McGraw swsec.com www.buildingsecurityin.com gem@...
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%I Addison-Wesley Publishing Co.
%O U$49.99/C$66.99 416-447-5101 800-822-6339 bkexpress@...
%O Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 408 p. + CD-ROM
%T "Software Security: Building Security In"
The preface states that the audience for the book is comprised of
developers (particularly those interested in secure software),
security professionals (in places), managers (in places), and
academics (there are a couple of chapters that indicate where further
research might be useful). McGraw also introduces the major
components of the book. His "thee pillars" are not the usual
confidentiality, integrity and availability, but risk management,
"touchpoints," and knowledge. The touchpoints are code analysis, risk
analysis, penetration (vulnerability) testing, security tests, abuse
cases, security requirements, and security operations.
Part one outlines the basics of software security. Chapter one
informs us that problems exist in software, and notes the differences
betweens bugs (due to careless implementation) and flaws (due to poor
design). McGraw also suggests his three pillars as a means of
addressing the difficulty. Using an example software project, chapter
two takes us through a risk management framework in some detail.
Part two examines the touchpoints. Chapter three introduces them in a
diagram related to the steps in the software development process (they
are numbered, although in a seemingly random pattern which turns out
to be the suggested order of effectiveness). (The latter half of the
chapter seems to be more of a sermon on software security.) Source
code review tools (for finding bugs) are described in chapter four.
Chapter five starts off with traditional risk analysis definitions and
then extends the concept with details of the application of the
process to software design. (Sidebars on software tools for program
risk analysis, and other related items, are dropped in seemingly at
random. The information is valuable, but the reading flow is somewhat
disjointed.) Penetration testing of software sounds like a good idea,
but chapter six doesn't really define what the topic involves. (The
sidebar on tools is a case in point: the tools are listed and
recommended, but the descriptions don't say what they actually do.)
Risk-based security testing seems, by the end of chapter seven, to be
a special case of spanning tree analysis, but along the way a number
of the other touchpoints seem to overlap with it. "Abuse cases" is
the application of known common vulnerabilities and attacks
(perpetrated on systems similar to yours), and analysis of means of
protection while still in the design phase. Chapter eight provides a
handy list of such attacks (if you are building a Web application).
"Security operations," in chapter nine, appears to be a discussion of
how software developers and security professionals should relate to
each other. (Touchpoint six, "security requirements," is not
Part three covers additional topics. Chapter ten outlines advice for
a software security program in a large company. "Knowledge for
software security," in chapter eleven, is mostly an overview of
material already covered, but does include some additional tools.
Chapter twelve is a taxonomy of coding errors, which should be
valuable both for those working on analysis of their own program
security, and also researchers in the field.
One fairly consistent weakness is that the book seems to assume that
all software applications are network-based, and that all software
problems result from malicious attacks. While Web-based applications
are definitely of great importance, and also subject to a larger range
of difficulties, this does limit the application of some of the
material of the text in regard to standalone programs where the major
concern is integrity of data, prevention of errors, and reliability of
The writing and structure could use some work: in many situations it
is not easy to follow the thread of McGraw's argument. However, there
is no denying the value of having all these ideas about software
security brought together in one volume. There is a great deal of
useful and interesting material here, and, with commitment from the
reader, much that will be helpful in building more robust and reliable
copyright Robert M. Slade, 2006 BKSWSBSI.RVW 20060518
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
"Dictionary of Information Security" Syngress (forthcoming) 1597491152
When I consider how my days are spent, squatting like a toad in
this fetid little cell, waiting for that challenging moment every
half hour to say `CBL Toronto,' I'm engulfed in black clouds of
despair. - Allan McFee