BKSCPWSA.RVW   20080219

"Secure Programming with Static Analysis", Brian Chess/Jacob West, 2007,
978-0-321-42477-8, U$49.99/C$61.99
%A   Brian Chess
%A   Jacob West
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2007
%G   978-0-321-42477-8 0-321-42477-8
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$61.99 416-447-5101 800-822-6339 bkexpress@aw.com
%O   http://www.amazon.com/exec/obidos/ASIN/0321424778/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0321424778/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321424778/robsladesin03-20
%O   Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   587 p. + CD-ROM
%T   "Secure Programming with Static Analysis"

Part one is an introduction to software security and static analysis. The authors define static analysis as any means of assessing the programming or code without executing the program. Chapter one states that defensive programming (coding in such a way as to deal with unexpected submissions) will protect against errors, but possibly not against a deliberate adversary, and that adding security features to an application will not necessarily make for a secure program. There is a general outline of various types of software problems, and of the advantages of using static analysis early in the development process. Chapter two describes the different types of static analysis and their uses. How to use static analysis as part of overall code review is covered in chapter three. Chapter four details the internal structures and functions of static analysis.

Part two examines software problems that have been all too common in our application environment. Chapter five looks at the right and wrong ways to handle input. The ubiquitous buffer overflow gets two chapters: six discusses string issues, while seven deals with integer (particularly counter and pointer) situations. Error and exception handling is detailed in chapter eight.

Special application environments and requirements make up part three. The Web is handled, in a generic manner, in chapter nine. Chapter ten specializes in XML (eXtensible Markup Language) and Web services. Privacy, personally identifiable information, and pseudorandom number generation all get put into chapter eleven. The special issues of privileged programs and processes are noted in chapter twelve.

Part four demonstrates static analysis in practice. This is a set of instructions for using the Fortify Code Analyzer and Audit Workbench programs, which are provided on the CD. Chapter thirteen is for Java, and fourteen for the C language. (Since the rest of the book has been detailed, helpful, and quite free of any taint of bias, this final sales pitch seems acceptable.)

Code review and analysis are mentioned in other works on secure programming, but this guide goes into technicalities that can be of considerable use to the developer. Chess and West have also made a very solid case that static analysis is a more effective way to find highly significant faults, and to correct them earlier in the process. I commend this both to developers, and to those in security who need to better manage a secure development process.

copyright Robert M. Slade, 2008   BKSCPWSA.RVW   20080219