
REVIEW: "Secure Programming with Static Analysis", Brian Chess/Jacob West

  • Rob, grandpa of Ryan, Trevor, Devon & Han
    Jun 2, 2008
      BKSCPWSA.RVW 20080219

      "Secure Programming with Static Analysis", Brian Chess/Jacob West,
      2007, 978-0-321-42477-8, U$49.99/C$61.99
      %A Brian Chess
      %A Jacob West
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2007
      %G 978-0-321-42477-8 0-321-42477-8
      %I Addison-Wesley Publishing Co.
      %O U$49.99/C$61.99 416-447-5101 800-822-6339 bkexpress@...
      %O http://www.amazon.com/exec/obidos/ASIN/0321424778/robsladesinterne
      %O http://www.amazon.co.uk/exec/obidos/ASIN/0321424778/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/0321424778/robsladesin03-20
      %O Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
      %P 587 p. + CD-ROM
      %T "Secure Programming with Static Analysis"

      Part one is an introduction to software security and static analysis.
      The authors define static analysis as any means of assessing the
      programming or code without executing the program. Chapter one states
      that defensive programming (coding in such a way as to deal with
      unexpected submissions) will protect against errors, but possibly not
      against a deliberate adversary, and that adding security features to
      an application will not necessarily make for a secure program. There
      is a general outline of various types of software problems, and the
      advantages of using static analysis early in the development process.
      Chapter two describes the different types of static analysis and their
      uses. How to use static analysis as part of overall code review is
      covered in chapter three. Chapter four details the internal
      structures and functions of static analysis.

      Part two examines software problems that have been all too common in
      our application environment. Chapter five looks at the right and
      wrong ways to handle input. The ubiquitous buffer overflow gets two
      chapters: six discusses string issues, while seven deals with integer
      (particularly counter and pointer) situations. Error and exception
      handling is detailed in chapter eight.

      Special application environments and requirements make up part three.
      The Web is handled, in a generic manner, in chapter nine. Chapter ten
      specializes in XML (eXtensible Markup Language) and Web services.
      Privacy, personally identifiable information, and pseudorandom number
      generation all get put into chapter eleven. The special issues of
      privileged programs and processes are noted in chapter twelve.

      Part four demonstrates static analysis in practice. This is a set of
      instructions for using the Fortify Code Analyzer and Audit Workbench
      programs, which are provided on the CD. Chapter thirteen is for Java,
      and fourteen for the C language. (Since the rest of the book has been
      detailed, helpful, and quite free of taint of bias, this final sales
      pitch seems acceptable.)

      Code review and analysis get mentioned in other works on secure
      programming, but this guide goes into technicalities that can be of
      considerable use to the developer. Chess and West have also made a
      very solid case that static analysis is a more effective way to find
      highly significant faults, and correct them earlier in the process. I
      commend this both to developers, and to those in security who need to
      better manage a secure development process.

      copyright Robert M. Slade, 2008 BKSCPWSA.RVW 20080219


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      By analogy, stealing cars and joyriding does not provide one with
      an education in mechanical Engineering, nor does pouring sugar in
      the gas tank. - Gene Spafford, on using crackers as security experts
      http://victoria.tc.ca/techrev/rms.htm
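The review quotes the book's definition of static analysis (assessing code without executing it) and notes that two chapters go to string and integer handling. As an added illustration, not code from the book, its authors, or the Fortify tools on the CD, the toy checker below scans C source text for the classic unbounded copy routines and then does the one thing a grep cannot: it reads the declared size of a fixed local buffer and uses it to tell a provably safe strcpy from one that takes caller-controlled data. All names, the regular expressions, the severity levels, and the sample C source are my own constructions for this example.

```python
"""Toy static checker for unbounded C string copies.
Added example, not code from the book under review. It assesses C source without
executing it and shows why a tool must track more than function names."""
import re
from collections import namedtuple

CALL_RE = re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\(([^;]*)\)\s*;")   # unbounded copies
DECL_RE = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]")                  # char name[N]
FUNC_START_RE = re.compile(r"^\w[^;]*\)\s*\{\s*$")                          # "type name(args) {"
LITERAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')                            # a C string literal
UNBOUNDED_S_RE = re.compile(r"%[-+ #0]*\d*s")                              # %s with no precision

Finding = namedtuple("Finding", "line func severity reason")   # severity: high / medium / safe


def split_args(argtext: str) -> list[str]:
    """Split a call's arguments on top-level commas, ignoring commas inside string literals."""
    out, cur, in_str = [], "", False
    for ch in argtext:
        if ch == '"':                      # toy grammar: no escaped quotes inside literals
            in_str = not in_str
        if ch == "," and not in_str:
            out.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return out + [cur.strip()] if cur.strip() else out


def literal_len(arg: str):
    """Bytes (including NUL) of a C string literal, or None; each escape counts as one byte."""
    m = LITERAL_RE.match(arg)
    return len(re.sub(r"\\.", "x", m.group(1))) + 1 if m else None


def classify(line: int, func: str, args: list[str], buffers: dict) -> Finding:
    """Rate one call using the declared size of the destination, when it is known."""
    if func == "gets":
        return Finding(line, func, "high", "gets() has no bound at all")
    dest = args[0]
    size = buffers.get(dest)                       # None when dest is not a known local array
    arg1 = args[1] if len(args) > 1 else ""
    if func in ("strcpy", "strcat"):
        n = literal_len(arg1)
        if n is not None and size is not None:
            if func == "strcat":                   # appending: result depends on current contents
                return Finding(line, func, "medium", f"append to {dest}[{size}] depends on its current length")
            if n <= size:
                return Finding(line, func, "safe", f"{n}-byte literal fits {dest}[{size}]")
            return Finding(line, func, "high", f"{n}-byte literal overflows {dest}[{size}]")
        if size is not None:                       # fixed buffer, source of unknown length
            return Finding(line, func, "high", f"{dest}[{size}] receives data of unknown length from {arg1}")
        return Finding(line, func, "medium", f"size of {dest} is not visible here")
    if size is not None and UNBOUNDED_S_RE.search(arg1):   # sprintf with a width-less %s
        return Finding(line, func, "high", f"%s with no width limit into {dest}[{size}]")
    return Finding(line, func, "medium", f"bound of {func} into {dest} not established")


def check_source(src: str) -> list[Finding]:
    """Scan C source line by line; local char arrays are tracked per function (roughly)."""
    findings, buffers = [], {}
    for lineno, text in enumerate(src.splitlines(), start=1):
        if FUNC_START_RE.match(text):
            buffers = {}                           # new function: forget the previous locals
        for m in DECL_RE.finditer(text):
            buffers[m.group(1)] = int(m.group(2))
        for m in CALL_RE.finditer(text):
            findings.append(classify(lineno, m.group(1), split_args(m.group(2)), buffers))
    return findings


# Constructed sample input for this example (not taken from the book).
SAMPLE = """\
#include <string.h>

void greet(const char *user) {
    char buf[16];
    strcpy(buf, "Hello");            /* 6 bytes into 16: provably fine */
    strcat(buf, user);               /* caller-controlled, unbounded append */
    char msg[32];
    sprintf(msg, "user=%s", user);
    gets(buf);
}

void unknown(char *dst, const char *s) {
    strcpy(dst, s);                  /* destination size not visible here */
}
"""

if __name__ == "__main__":
    for f in check_source(SAMPLE):
        print(f"line {f.line:>2} {f.severity:<6} {f.func:<8} {f.reason}")
```

Running it on the sample reports the strcpy of a short literal as safe, the strcat, sprintf and gets on fixed buffers as high, and the strcpy through a pointer parameter as medium because the destination size is not visible in that function. That last case is where a real analyzer differs from this toy: it would follow the call graph to see what buffers callers pass in, track integer lengths as well as strings, and handle scoping and escapes properly rather than approximating them with regular expressions.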