REVIEW: "Secure Programming with Static Analysis", Brian Chess/Jacob West
- BKSCPWSA.RVW 20080219
"Secure Programming with Static Analysis", Brian Chess/Jacob West,
2007, 978-0-321-42477-8, U$49.99/C$61.99
%A Brian Chess
%A Jacob West
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%G 978-0-321-42477-8 0-321-42477-8
%I Addison-Wesley Publishing Co.
%O U$49.99/C$61.99 416-447-5101 800-822-6339 bkexpress@...
%O Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P 587 p. + CD-ROM
%T "Secure Programming with Static Analysis"

Part one is an introduction to software security and static analysis.
The authors define static analysis as any means of assessing the
programming or code without executing the program. Chapter one states
that defensive programming (coding in such a way as to deal with
unexpected submissions) will protect against errors, but possibly not
against a deliberate adversary, and that adding security features to
an application will not necessarily make for a secure program. There
is a general outline of various types of software problems, and the
advantages of using static analysis early in the development process.
Chapter two describes the different types of static analysis and their
uses. How to use static analysis as part of overall code review is
covered in chapter three. Chapter four details the internal
structures and functions of static analysis.

Part two examines software problems that have been all too common in
our application environment. Chapter five looks at the right and
wrong ways to handle input. The ubiquitous buffer overflow gets two
chapters: six discusses string issues, while seven deals with integer
(particularly counter and pointer) situations. Error and exception
handling is detailed in chapter eight.

Special application environments and requirements make up part three.
The Web is handled, in a generic manner, in chapter nine. Chapter ten
specializes in XML (eXtensible Markup Language) and Web services.
Privacy, personally identifiable information, and pseudorandom number
generation all get put into chapter eleven. The special issues of
privileged programs and processes are noted in chapter twelve.

Part four demonstrates static analysis in practice. This is a set of
instructions for using the Fortify Code Analyzer and Audit Workbench
programs, which are provided on the CD. Chapter thirteen is for Java,
and fourteen for the C language. (Since the rest of the book has been
detailed, helpful, and quite free of taint of bias, this final sales
pitch seems acceptable.)

Code review and analysis gets mentioned in other works on secure
programming, but this guide goes into technicalities that can be of
considerable use to the developer. Chess and West have also made a
very solid case that static analysis is a more effective way to find
highly significant faults, and correct them earlier in the process. I
commend this both to developers, and to those in security who need to
better manage a secure development process.

copyright Robert M. Slade, 2008 BKSCPWSA.RVW 20080219