A Review of “24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them”
ISBN: 0071626751
One Minute Bottom Line
If you write code, this book deserves a place on your bookshelf. It not only clearly demonstrates each sin but also shows how to find it and fix it (in several different languages: C, C++, Perl, PHP, etc.). It may not cover every possible sin, but as the authors say, if you do everything in this book you are doing pretty well.
Review
I was thrilled to be able to read and review this book, since I had read most of the previous version “19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them” while sitting in bookstores.
Each chapter covers a single code sin and follows a standard pattern:
- Overview of the sin – a general description of the design/programming error,
- Common Weakness Enumeration Project (CWE) references – related CWE entries,
- Affected languages – which languages are vulnerable to this type of defect,
- The sin explained – code examples demonstrating the sin,
- Spotting the sin pattern – how to identify code that may be guilty of this sin,
- Spotting the sin during code review – suspect keywords, functions and procedures,
- Testing techniques to find the sin – how to locate the sin as part of your testing regime,
- Example sins – real-world exploit code,
- Redemption steps – how to rewrite your code to remove the sin,
- Extra defensive measures – defense-in-depth protections,
- Other resources – a list of related books and articles,
- Summary – a checklist of do’s and don’ts.
The book’s twenty-four chapters are divided into four sections: web application sins, implementation sins, cryptographic sins and networking sins. Web Application Sins covers SQL injection, cross-site scripting (XSS), cross-site request forgery (XSRF), magic cookies, hidden form fields and predictable URLs. Implementation Sins explores buffer overruns, format string vulnerabilities, integer overflows, C++ catastrophes, exceptions, command injection, error handling, information leakage, race conditions, usability, updating your code, execution privileges, data storage and mobile code. Cryptographic Sins looks at weak password systems, insufficiently random numbers and improper use of cryptography. Networking Sins deals with network traffic protection, public key infrastructure (PKI) and Domain Name Service (DNS) trust.
Several things really stood out to me in this book. Where multiple languages were vulnerable to a sin, the book included examples from each affected language. This made it easier to identify the sin and the methods needed to eliminate it (the reader could examine code samples they were familiar with and skip those they were not).
Where practical, the authors include automated testing methods to locate the sins. How many of us can say that we properly validated every user input without missing a single one – especially during the final thrash to ship the code? How nice would it be to have a library of tests to identify potential security sins?
The chapters’ organization means that each one can stand alone, making this not only a useful reference tool (one that is easy to open and check a block of code against) but also a great tool with which to mentor new developers.
The authors did an excellent job of describing what can be very complex and technical exploits in simple terms, and of using a wide variety of examples (without showing bias toward any one person or company). They are also to be commended for their humility: in several chapters they admit to having committed these sins themselves.
The few nitpicks I have are truly minor. I think a couple of the chapter titles are less than clear: Chapter 8 – C++ Catastrophes and Chapter 18 – Mobile Code. The authors themselves acknowledge this by beginning the latter by writing: “We realize that the title of this sin seems both broad and alarming.” Secondly, the page numbers are often difficult to read, both because of the font chosen (small bowls) and because of their placement over an icon (reduced contrast).
Overall, I think the authors have met the key objectives they set themselves and delivered a book which is short, “highly actionable and to the point,” one that should become a well-worn addition to every coder’s library.
(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)