Secure Programming with Static Analysis

ISBN-10: 0321424778
ISBN-13: 9780321424778
Edition: 2008


Book details

List price: $59.99
Copyright year: 2008
Publisher: Addison Wesley Professional
Publication date: 6/29/2007
Binding: Mixed Media
Pages: 624
Size: 7.00" wide x 9.00" long x 1.25" tall
Weight: 1.936
Language: English

The First Expert Guide to Static Analysis for Software Security!

Creating secure code requires more than just good intentions. Programmers need to know that their code will be safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-toothed comb and uncover the kinds of errors that lead directly to security vulnerabilities. Now there's a complete guide to static analysis: how it works, how to integrate it into the software development process, and how to make the most of it during security code review. Static analysis experts Brian Chess and Jacob West look at the most common types of security defects that occur today. They illustrate main points using Java and C code examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar mistakes. This book is for everyone concerned with building more secure software: developers, security engineers, analysts, and testers.

Coverage includes:
- Why conventional bug-catching often misses security problems
- How static analysis can help programmers get security right
- The critical attributes and algorithms that make or break a static analysis tool
- 36 techniques for making static analysis more effective on your code
- More than 70 types of serious security vulnerabilities, with specific solutions
- Example vulnerabilities from Firefox, OpenSSH, MySpace, eTrade, Apache httpd, and many more
- Techniques for handling untrusted input
- Eliminating buffer overflows: tactical and strategic approaches
- Avoiding errors specific to Web applications, Web services, and Ajax
- Security-aware logging, debugging, and error/exception handling
- Creating, maintaining, and sharing secrets and confidential information
- Detailed tutorials that walk you through the static analysis process

"We designed Java so that it could be analyzed statically. This book shows you how to apply advanced static analysis techniques to create more secure, more reliable software." - Bill Joy, Co-founder of Sun Microsystems, co-inventor of the Java programming language

"Secure Programming with Static Analysis is a great primer on static analysis for security-minded developers and security practitioners. Well-written, easy to read, tells you what you need to know." - David Wagner, Associate Professor, University of California Berkeley

"Software developers are the first and best line of defense for the security of their code. This book gives them the security development knowledge and the tools they need in order to eliminate vulnerabilities before they move into the final products that can be exploited." - Howard A. Schmidt, Former White House Cyber Security Advisor

BRIAN CHESS is Founder and Chief Scientist of Fortify Software, where his research focuses on practical methods for creating secure systems. He holds a Ph.D. in Computer Engineering from the University of California Santa Cruz, where he studied the application of static analysis to finding security-related code defects.

JACOB WEST manages Fortify Software's Security Research Group, which is responsible for building security knowledge into Fortify's products. He brings expertise in numerous programming languages, frameworks, and styles together with deep knowledge about how real-world systems fail.

The CD contains a working demonstration version of Fortify Software's Source Code Analysis (SCA) product; extensive Java and C code samples; and the tutorial chapters from the book in PDF format.

Part I: Software Security and Static Analysis

Chapter 1: The Software Security Problem
  Defensive Programming Is Not Enough
  Security Features != Secure Features
  The Quality Fallacy
  Static Analysis in the Big Picture
  Classifying Vulnerabilities
  The Seven Pernicious Kingdoms
  Summary

Chapter 2: Introduction to Static Analysis
  Capabilities and Limitations of Static Analysis
  Solving Problems with Static Analysis
  Type Checking
  Style Checking
  Program Understanding
  Program Verification and Property Checking
  Bug Finding
  Security Review
  A Little Theory, a Little Reality
  Success Criteria
  Analyzing the Source vs. Analyzing Compiled Code
  Summary

Chapter 3: Static Analysis as Part of the Code Review Process
  Performing a Code Review
  The Review Cycle
  Steer Clear of the Exploitability Trap
  Adding Security Review to an Existing Development Process
  Adoption Anxiety
  Start Small, Ratchet Up
  Static Analysis Metrics
  Summary

Chapter 4: Static Analysis Internals
  Building a Model
  Lexical Analysis
  Parsing
  Abstract Syntax
  Semantic Analysis
  Tracking Control Flow
  Tracking Dataflow
  Taint Propagation
  Pointer Aliasing
  Analysis Algorithms
  Checking Assertions
  Naive Local Analysis
  Approaches to Local Analysis
  Global Analysis
  Research Tools
  Rules
  Rule Formats
  Rules for Taint Propagation
  Rules in Print
  Reporting Results
  Grouping and Sorting Results
  Eliminating Unwanted Results
  Explaining the Significance of the Results
  Summary

Part II: Pervasive Problems

Chapter 5: Handling Input
  What to Validate
  Validate All Input
  Validate Input from All Sources
  Establish Trust Boundaries
  How to Validate
  Use Strong Input Validation
  Avoid Blacklisting
  Don't Mistake Usability for Security
  Reject Bad Data
  Make Good Input Validation the Default
  Check Input Length
  Bound Numeric Input
  Preventing Metacharacter Vulnerabilities
  Use Parameterized Requests
  Path Manipulation
  Command Injection
  Log Forging
  Summary

Chapter 6: Buffer Overflow
  Introduction to Buffer Overflow
  Exploiting Buffer Overflow Vulnerabilities
  Buffer Allocation Strategies
  Tracking Buffer Sizes
  Strings
  Inherently Dangerous Functions
  Bounded String Operations
  Common Pitfalls with Bounded Functions
  Maintaining the Null Terminator
  Character Sets, Representations, and Encodings
  Format Strings
  Better String Classes and Libraries
  Summary

Chapter 7: Bride of Buffer Overflow
  Integers
  Wrap-Around Errors
  Truncation and Sign Extension
  Conversion between Signed and Unsigned
  Methods to Detect and Prevent Integer Overflow
  Runtime Protection
  Safer Programming Languages
  Safer C Dialects
  Dynamic Buffer Overflow Protections
  Dynamic Protection Benchmark Results
  Summary

Chapter 8: Errors and Exceptions
  Handling Errors with Return Codes
  Checking Return Values in C
  Checking Return Values in Java
  Managing Exceptions
  Catch Everything at the Top Level
  The Vanishing Exception
  Catch Only What You're Prepared to Consume
  Keep Checked Exceptions in Check
  Preventing Resource Leaks
  C and C++
  Java
  Logging and Debugging
  Centralize Logging
  Keep Debugging Aids and Back-Door Access Code out of Production
  Clean Out Backup Files
  Do Not Tolerate Easter Eggs
  Summary

Part III: Features and Flavors

Chapter 9: Web Applications
  Input and Output Validation for the Web
  Expect That the Browser Has Been Subverted
  Assume That the Browser Is an Open Book
  Protect the Browser from Malicious Content
  HTTP Considerations
  Use POST, Not GET
  Request Ordering
  Error Handling
  Request Provenance
  Maintaining Session State
  Use Strong Session Identifiers
  Enforce a Session Idle Timeout and a Maximum Session Lifetime
  Begin a New Session upon Authentication
  Using the Struts Framework for Input Validation
  Setting Up the Struts Validator
  Use the Struts Validator for All Actions
  Validate Every Parameter
  Maintain the Validation Logic
  Summary

Chapter 10: XML and Web Services
  Working with XML
  Use a Standards-Compliant XML Parser
  Turn on Validation
  Be Cautious about External References
  Keep Control of Document Queries
  Using Web Services
  Input Validation
  WSDL Worries
  Over Exposure
  New Opportunities for Old Errors
  JavaScript Hijacking: A New Frontier
  Summary

Chapter 11: Privacy and Secrets
  Privacy and Regulation
  Identifying Private Information
  Handling Private Information
  Outbound Passwords
  Keep Passwords out of Source Code
  Don't Store Clear-Text Passwords
  Random Numbers
  Generating Random Numbers in Java
  Generating Random Numbers in C and C++
  Cryptography
  Choose a Good Algorithm
  Don't Roll Your Own
  Secrets in Memory
  Minimize Time Spent Holding Secrets
  Share Secrets Sparingly
  Erase Secrets Securely
  Prevent Unnecessary Duplication of Secrets
  Summary

Chapter 12: Privileged Programs
  Implications of Privilege
  Principle of Least Privilege
  This Time We Mean It: Distrust Everything
  Managing Privilege
  Putting Least Privilege into Practice
  Restrict Privilege on the Filesystem
  Beware of Unexpected Events
  Privilege Escalation Attacks
  File Access Race Conditions
  Insecure Temporary Files
  Command Injection
  Standard File Descriptors
  Summary

Part IV: Static Analysis in Practice

Chapter 13: Source Code Analysis Exercises for Java
  Installation
  Begin with the End in Mind
  Auditing Source Code Manually
  Running Fortify SCA
  Understanding Raw Analysis Results
  Analyzing a Full Application
  Tuning Results with Audit Workbench
  Auditing One Issue
  Performing a Complete Audit
  Writing Custom Rules
  Answers to Questions in Exercise 13.2

Chapter 14: Source Code Analysis Exercises for C
  Installation
  Begin with the End in Mind
  Auditing Source Code Manually
  Running Fortify SCA
  Understanding Raw Analysis Results
  Analyzing a Full Application
  Tuning Results with Audit Workbench
  Auditing One Issue
  Performing a Complete Audit
  Writing Custom Rules
  Answers to Questions in Exercise 14.2

Epilogue
References
Index
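The chapter 4 outline above (lexical analysis, parsing, abstract syntax, dataflow tracking, taint propagation, rules for taint propagation) and the chapter 5 material on input handling and parameterized requests together describe the pipeline behind a security-focused static analyzer. As an added illustration that is not code from the book, from Fortify SCA, or from the authors, the following toy analyzer applies source, cleanse and sink rules to a parsed program and reports where attacker-controlled data reaches a command or SQL sink. It is written in Python so that it runs stand-alone on the standard library's ast module; the book's own examples are Java and C. The rule tables, the Finding type and the SAMPLE program are all assumptions made for this example, not any real tool's rule format.

```python
"""Toy taint-propagation analyzer for Python source, built on the ast module.

Added example, not code from the book or from Fortify SCA. It mirrors the
source / cleanse / sink rule model described in chapter 4: sources introduce
taint, cleansers remove it, and a sink fed by tainted data is a finding.
"""
import ast
from dataclasses import dataclass

# Rule tables (assumptions for this toy, not a real tool's rule format).
SOURCES = {"input", "request.args.get", "sys.argv"}      # attacker-controlled
CLEANSERS = {"shlex.quote", "int"}                        # return value is safe
# Sink: (category, index of the argument that must not be tainted).
# cursor.execute's parameter tuple (argument 1) is deliberately not a sink,
# which is exactly why parameterized queries come out clean.
SINKS = {
    "os.system": ("command injection", 0),
    "subprocess.check_output": ("command injection", 0),
    "cursor.execute": ("SQL injection", 0),
}


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    category: str


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_tainted(node, tainted):
    """Does this expression carry data derived from a source?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.Call):
        name = _dotted(node.func)
        if name in SOURCES:
            return True
        if name in CLEANSERS:
            return False
        # Unknown call: taint flows through its arguments and its receiver,
        # so host.strip() and "...".format(host) stay tainted when host is.
        parts = list(node.args) + [kw.value for kw in node.keywords]
        if isinstance(node.func, ast.Attribute):
            parts.append(node.func.value)
        return any(_is_tainted(p, tainted) for p in parts)
    if isinstance(node, ast.Attribute):
        return _dotted(node) in SOURCES or _is_tainted(node.value, tainted)
    # BinOp (string concatenation), JoinedStr (f-strings), Subscript, Tuple:
    # tainted if any sub-expression is.
    return any(_is_tainted(c, tainted) for c in ast.iter_child_nodes(node))


def _scan_block(stmts, tainted, findings):
    """Walk one block in order; nested if/for/try bodies share the taint set."""
    for stmt in stmts:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef)):
            _scan_block(stmt.body, set(), findings)   # intraprocedural: fresh scope
            continue
        # Report every sink call in this statement whose sink argument is tainted.
        for child in ast.iter_child_nodes(stmt):
            if not isinstance(child, ast.expr):
                continue
            for call in ast.walk(child):
                if isinstance(call, ast.Call):
                    name = _dotted(call.func)
                    rule = SINKS.get(name)
                    if rule and len(call.args) > rule[1] and _is_tainted(call.args[rule[1]], tainted):
                        findings.append(Finding(call.lineno, name, rule[0]))
        # Propagate taint through simple assignments; assigning a clean value
        # (for example the result of shlex.quote) removes the taint again.
        if isinstance(stmt, ast.Assign) and len(stmt.targets) == 1 and isinstance(stmt.targets[0], ast.Name):
            target = stmt.targets[0].id
            if _is_tainted(stmt.value, tainted):
                tainted.add(target)
            else:
                tainted.discard(target)
        elif isinstance(stmt, ast.AugAssign) and isinstance(stmt.target, ast.Name):
            if _is_tainted(stmt.value, tainted):
                tainted.add(stmt.target.id)
        for attr in ("body", "orelse", "finalbody"):
            if isinstance(getattr(stmt, attr, None), list):
                _scan_block(getattr(stmt, attr), tainted, findings)
        for handler in getattr(stmt, "handlers", []):
            _scan_block(handler.body, tainted, findings)


def analyze(source):
    """Parse a module and return its findings in source order."""
    findings = []
    _scan_block(ast.parse(source).body, set(), findings)
    return findings


# Constructed sample program (not from the book); comments give the expected verdict.
SAMPLE = '''\
import os, shlex, sys

def ping(request, cursor):
    host = request.args.get("host")                               # source
    os.system("ping -c 1 " + host)                                # finding, line 5
    os.system("ping -c 1 " + shlex.quote(host))                   # cleansed, clean
    uid = request.args.get("id")
    cursor.execute("SELECT * FROM users WHERE id = " + uid)       # finding, line 8
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))   # parameterized, clean
    target = sys.argv[1]
    cursor.execute(f"DELETE FROM hosts WHERE name = '{target}'")  # finding, line 11
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: {f.category} via {f.sink}")
```

Running the module reports three findings (lines 5, 8 and 11 of SAMPLE) and stays silent on the quoted command and the parameterized query, which is the distinction chapter 5's "Use Parameterized Requests" rule rests on: the sink rule names the query-string argument, so bound parameters never trigger it. The toy is intraprocedural, ignores pointer aliasing and treats both branches of an if as reachable, which is where the book's chapters on global analysis, aliasing and unwanted results pick up.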
