Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Software Security: Building Security In", Gary McGraw

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKSWSBSI.RVW 20060518 Software Security: Building Security In , Gary McGraw, 2006, 0-321-35670-5, U$49.99/C$66.99 %A Gary McGraw swsec.com
    Message 1 of 1 , Jun 12, 2006
    • 0 Attachment
      BKSWSBSI.RVW 20060518

      "Software Security: Building Security In", Gary McGraw, 2006,
      0-321-35670-5, U$49.99/C$66.99
      %A Gary McGraw swsec.com www.buildingsecurityin.com gem@...
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2006
      %G 0-321-35670-5
      %I Addison-Wesley Publishing Co.
      %O U$49.99/C$66.99 416-447-5101 800-822-6339 bkexpress@...
      %O http://www.amazon.com/exec/obidos/ASIN/0321356705/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0321356705/robsladesin03-20
      %O Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation)
      %P 408 p. + CD-ROM
      %T "Software Security: Building Security In"

      The preface states that the audience for the book is comprised of
      developers (particularly those interested in secure software),
      security professionals (in places), managers (in places), and
      academics (there are a couple of chapters that indicate where further
      research might be useful). McGraw also introduces the major
      components of the book. His "thee pillars" are not the usual
      confidentiality, integrity and availability, but risk management,
      "touchpoints," and knowledge. The touchpoints are code analysis, risk
      analysis, penetration (vulnerability) testing, security tests, abuse
      cases, security requirements, and security operations.

      Part one outlines the basics of software security. Chapter one
      informs us that problems exist in software, and notes the differences
      betweens bugs (due to careless implementation) and flaws (due to poor
      design). McGraw also suggests his three pillars as a means of
      addressing the difficulty. Using an example software project, chapter
      two takes us through a risk management framework in some detail.

      Part two examines the touchpoints. Chapter three introduces them in a
      diagram related to the steps in the software development process (they
      are numbered, although in a seemingly random pattern which turns out
      to be the suggested order of effectiveness). (The latter half of the
      chapter seems to be more of a sermon on software security.) Source
      code review tools (for finding bugs) are described in chapter four.
      Chapter five starts off with traditional risk analysis definitions and
      then extends the concept with details of the application of the
      process to software design. (Sidebars on software tools for program
      risk analysis, and other related items, are dropped in seemingly at
      random. The information is valuable, but the reading flow is somewhat
      disjointed.) Penetration testing of software sounds like a good idea,
      but chapter six doesn't really define what the topic involves. (The
      sidebar on tools is a case in point: the tools are listed and
      recommended, but the descriptions don't say what they actually do.)
      Risk-based security testing seems, by the end of chapter seven, to be
      a special case of spanning tree analysis, but along the way a number
      of the other touchpoints seem to overlap with it. "Abuse cases" is
      the application of known common vulnerabilities and attacks
      (perpetrated on systems similar to yours), and analysis of means of
      protection while still in the design phase. Chapter eight provides a
      handy list of such attacks (if you are building a Web application).
      "Security operations," in chapter nine, appears to be a discussion of
      how software developers and security professionals should relate to
      each other. (Touchpoint six, "security requirements," is not

      Part three covers additional topics. Chapter ten outlines advice for
      a software security program in a large company. "Knowledge for
      software security," in chapter eleven, is mostly an overview of
      material already covered, but does include some additional tools.
      Chapter twelve is a taxonomy of coding errors, which should be
      valuable both for those working on analysis of their own program
      security, and also researchers in the field.

      One fairly consistent weakness is that the book seems to assume that
      all software applications are network-based, and that all software
      problems result from malicious attacks. While Web-based applications
      are definitely of great importance, and also subject to a larger range
      of difficulties, this does limit the application of some of the
      material of the text in regard to standalone programs where the major
      concern is integrity of data, prevention of errors, and reliability of

      The writing and structure could use some work: in many situations it
      is not easy to follow the thread of McGraw's argument. However, there
      is no denying the value of having all these ideas about software
      security brought together in one volume. There is a great deal of
      useful and interesting material here, and, with commitment from the
      reader, much that will be helpful in building more robust and reliable

      copyright Robert M. Slade, 2006 BKSWSBSI.RVW 20060518

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      "Dictionary of Information Security" Syngress (forthcoming) 1597491152
      When I consider how my days are spent, squatting like a toad in
      this fetid little cell, waiting for that challenging moment every
      half hour to say `CBL Toronto,' I'm engulfed in black clouds of
      despair. - Allan McFee
    Your message has been successfully submitted and would be delivered to recipients shortly.