BKSWSBSI.RVW 20060518 "Software Security: Building Security In", Gary McGraw, 2006, 0-321-35670-5, U$49.99/C$66.99 %A Gary McGraw swsec.com www.buildingsecurityin.com gem@cigital.com %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8 %D 2006 %G 0-321-35670-5 %I Addison-Wesley Publishing Co. %O U$49.99/C$66.99 416-447-5101 800-822-6339 bkexpress@aw.com %O http://www.amazon.com/exec/obidos/ASIN/0321356705/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0321356705/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0321356705/robsladesin03-20 %O Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation) %P 408 p. + CD-ROM %T "Software Security: Building Security In" The preface states that the audience for the book is comprised of developers (particularly those interested in secure software), security professionals (in places), managers (in places), and academics (there are a couple of chapters that indicate where further research might be useful). McGraw also introduces the major components of the book. His "thee pillars" are not the usual confidentiality, integrity and availability, but risk management, "touchpoints," and knowledge. The touchpoints are code analysis, risk analysis, penetration (vulnerability) testing, security tests, abuse cases, security requirements, and security operations. Part one outlines the basics of software security. Chapter one informs us that problems exist in software, and notes the differences betweens bugs (due to careless implementation) and flaws (due to poor design). McGraw also suggests his three pillars as a means of addressing the difficulty. Using an example software project, chapter two takes us through a risk management framework in some detail. Part two examines the touchpoints. Chapter three introduces them in a diagram related to the steps in the software development process (they are numbered, although in a seemingly random pattern which turns out to be the suggested order of effectiveness). (The latter half of the chapter seems to be more of a sermon on software security.) Source code review tools (for finding bugs) are described in chapter four. Chapter five starts off with traditional risk analysis definitions and then extends the concept with details of the application of the process to software design. (Sidebars on software tools for program risk analysis, and other related items, are dropped in seemingly at random. The information is valuable, but the reading flow is somewhat disjointed.) Penetration testing of software sounds like a good idea, but chapter six doesn't really define what the topic involves. (The sidebar on tools is a case in point: the tools are listed and recommended, but the descriptions don't say what they actually do.) Risk-based security testing seems, by the end of chapter seven, to be a special case of spanning tree analysis, but along the way a number of the other touchpoints seem to overlap with it. "Abuse cases" is the application of known common vulnerabilities and attacks (perpetrated on systems similar to yours), and analysis of means of protection while still in the design phase. Chapter eight provides a handy list of such attacks (if you are building a Web application). "Security operations," in chapter nine, appears to be a discussion of how software developers and security professionals should relate to each other. (Touchpoint six, "security requirements," is not covered.) Part three covers additional topics. Chapter ten outlines advice for a software security program in a large company. "Knowledge for software security," in chapter eleven, is mostly an overview of material already covered, but does include some additional tools. Chapter twelve is a taxonomy of coding errors, which should be valuable both for those working on analysis of their own program security, and also researchers in the field. One fairly consistent weakness is that the book seems to assume that all software applications are network-based, and that all software problems result from malicious attacks. While Web-based applications are definitely of great importance, and also subject to a larger range of difficulties, this does limit the application of some of the material of the text in regard to standalone programs where the major concern is integrity of data, prevention of errors, and reliability of operation. The writing and structure could use some work: in many situations it is not easy to follow the thread of McGraw's argument. However, there is no denying the value of having all these ideas about software security brought together in one volume. There is a great deal of useful and interesting material here, and, with commitment from the reader, much that will be helpful in building more robust and reliable software. copyright Robert M. Slade, 2006 BKSWSBSI.RVW 20060518