Foundations of Security: What Every Programmer Needs to Know

ISBN-10: 1590597842

ISBN-13: 9781590597842

Edition: 2007

Authors: Neil Daswani, Christoph Kern, Anita Kesavan, Vinton G. Cerf


- Vinton G. Cerf, a Founding Father of the Internet

- Dr. Dan Boneh, Associate Professor, Computer Science and Electrical Engineering, Stanford University

Foundations of Security: What Every Programmer Needs to Know teaches new and current software professionals state-of-the-art software security design principles, methodology, and concrete programming techniques they need to build secure software systems. Once you're enabled with the techniques covered in this book, you can start to alleviate some of the inherent vulnerabilities that make today's software so susceptible to attack. The book uses web servers and web applications as running examples throughout the book.

For the past few years, the Internet has had a "wild, wild west" flavor to it. Credit card numbers are stolen in massive numbers. Commercial web sites have been shut down by Internet worms. Poor privacy practices come to light and cause great embarrassment to the corporations behind them. All these security-related issues contribute at least to a lack of trust and loss of goodwill. Often there is a monetary cost as well, as companies scramble to clean up the mess when they get spotlighted by poor security practices. It takes time to build trust with users, and trust is hard to win back. Security vulnerabilities get in the way of that trust.

Foundations of Security: What Every Programmer Needs To Know helps you manage risk due to insecure code and build trust with users by showing how to write code to prevent, detect, and contain attacks. The lead author cofounded the Stanford Center for Professional Development Computer Security Certification. This book teaches you how to be more vigilant and develop a sixth sense for identifying and eliminating potential security vulnerabilities. You'll receive hands-on code examples for a deep and practical understanding of security. You'll learn enough about security to get the job done.
Book details

List price: $39.99
Copyright year: 2007
Publisher: Apress L. P.
Publication date: 2/15/2007
Binding: Paperback
Pages: 292
Size: 7.00" wide x 9.00" long x 0.75" tall
Weight: 1.298
Language: English

Neil Daswani has served in a variety of research, development, teaching, and managerial roles at Stanford University, DoCoMo USA Labs, Yodlee, and Bellcore (now Telcordia Technologies). His areas of expertise include security, wireless data technology, and peer-to-peer systems. He has published extensively in these areas, frequently gives talks at industry and academic conferences, and has been granted several U.S. patents. He received a Ph.D. and a master's in computer science from Stanford University, and he currently works for Google. He earned a bachelor's in computer science with honors with distinction from Columbia University.

Christoph Kern is an information security engineer at Google and was previously a senior security architect at Yodlee, a provider of technology solutions to the financial services industry. He has extensive experience in performing security design reviews and code audits, designing and developing secure applications, and helping product managers and software engineers effectively mitigate security risks in their software products.

Anita Kesavan is a freelance writer and received her M.F.A. in creative writing from Sarah Lawrence College. She also holds a bachelor's in English from Illinois-Wesleyan University. She specializes in communicating complex technical ideas in simple, easy-to-understand language.

About the Authors
About the Technical Reviewer
Security Design Principles
Security Goals
Security Is Holistic
Physical Security
Technological Security
Policies and Procedures
Something You Know
Something You Have
Something You Are
Final Notes on Authentication
Access Control Lists (ACLs)
Access Control Models
The Bell-LaPadula Model
Message/Data Integrity
Concepts at Work
Secure Systems Design
Understanding Threats
Insider Threats
Click Fraud
Denial-of-Service (DoS)
Data Theft and Data Loss
Designing-In Security
Windows 98
The Internet
Turtle Shell Architectures
Convenience and Security
SimpleWebServer Code Example
Hypertext Transfer Protocol (HTTP)
Code Walkthrough
Security in Software Requirements
Specifying Error Handling Requirements
Sharing Requirements with Quality Assurance (QA)
Handling Internal Errors Securely
Including Validation and Fraud Checks
Writing Measurable Security Requirements
Security or Bust
Security by Obscurity
Flaws in the Approach
SimpleWebServer Obscurity
Things to Avoid
Open vs. Closed Source
A Game of Economics
"Good Enough" Security
Secure Design Principles
The Principle of Least Privilege
Prevent, Detect, Contain, and Recover
Don't Forget Containment and Recovery
Password Security Example
Securing the Weakest Link
Weak Passwords
Implementation Vulnerabilities
Fail-Safe Stance
SimpleWebServer Fail-Safe Example
Attempted Fix 1: Checking the File Length
Attempted Fix 2: Don't Store the File in Memory
Fix: Don't Store the File in Memory, and Impose a Download Limit
Secure by Default
Security Features Do Not Imply Security
Exercises for Part 1
Secure Programming Techniques
Worms and Other Malware
What Is a Worm?
An Abridged History of Worms
The Morris Worm: What It Did
The Morris Worm: What We Learned
The Creation of CERT
The Code Red Worm
The Nimda Worm
The Blaster and SQL Slammer Worms
More Malware
Buffer Overflows
Anatomy of a Buffer Overflow
A Small Example
A More Detailed Example
The safe_gets() Function
Safe String Libraries
Additional Approaches
Static Analysis Tools
Heap-Based Overflows
Other Memory Corruption Vulnerabilities
Format String Vulnerabilities
Integer Overflows
Client-State Manipulation
Pizza Delivery Web Site Example
Attack Scenario
Solution 1: Authoritative State Stays at Server
Solution 2: Signed State Sent to Client
Using HTTP POST Instead of GET
SQL Injection
Attack Scenario
Why Blacklisting Does Not Work
Whitelisting-Based Input Validation
Second Order SQL Injection
Prepared Statements and Bind Variables
Mitigating the Impact of SQL Injection Attacks
Password Security
A Strawman Proposal
Offline Dictionary Attacks
Online Dictionary Attacks
Additional Password Security Techniques
Strong Passwords
"Honeypot" Passwords
Password Filtering
Aging Passwords
Pronounceable Passwords
Limited Login Attempts
Artificial Delays
Last Login
Image Authentication
One-Time Passwords
Cross-Domain Security in Web Applications
Interaction Between Web Pages from Different Domains
HTML, JavaScript, and the Same-Origin Policy
Possible Interactions of Documents from Different Origins
HTTP Request Authentication
Lifetime of Cached Cookies and HTTP Authentication Credentials
Attack Patterns
Cross-Site Request Forgery (XSRF)
Cross-Site Script Inclusion (XSSI)
Cross-Site Scripting (XSS)
Preventing XSRF
Inspecting Referer Headers
Validation via User-Provided Secret
Validation via Action Token
Security Analysis of the Action Token Scheme
Preventing XSSI
Authentication via Action Token
Restriction to POST Requests
Preventing Resource Access for Cost Reasons
Preventing XSS
General Considerations
Simple Text
Tag Attributes (e.g., Form Field Value Attributes)
URL Attributes (href and src)
Style Attributes
Within Style Tags
In JavaScript Context
JavaScript-Valued Attributes
Redirects, Cookies, and Header Injection
Filters for "Safe" Subsets of HTML
Unspecified Charsets, Browser-Side Charset Guessing, and UTF-7 XSS Attacks
Non-HTML Documents and Internet Explorer Content-Type Sniffing
Mitigating the Impact of XSS Attacks
Exercises for Part 2
Introduction to Cryptography
Symmetric Key Cryptography
Introduction to Encryption
Substitution Ciphers
Notation and Terminology
Block Ciphers
Security by Obscurity: Recap
Encrypting More Data
AES Code Example
Stream Ciphers
One-Time Pad
What Is Steganography?
Steganography vs. Cryptography
Asymmetric Key Cryptography
Why Asymmetric Key Cryptography?
Elliptic Curve Cryptography (ECC)
Symmetric vs. Asymmetric Key Cryptography
Certificate Authorities
Identity-Based Encryption (IBE)
Authentication with Encryption
Key Management and Exchange
Types of Keys
Identity Keys
Conversation or Session Keys
Integrity Keys
Key Generation
Random Number Generation
The rand() function
Random Device Files
Random APIs
Key (Secret) Storage
Keys in Source Code
Storing the Key in a File on Disk
"Hard to Reach" Places
Storing Secrets in External Devices
Key Agreement and Exchange
Using Asymmetric Keys
Diffie-Hellman (DH)
MACs and Signatures
Secure Hash Functions
Message Authentication Codes (MACs)
Certificates and Certificate Authorities (CAs)
Signing and Verifying
Registration Authorities (RAs)
Web of Trust
Attacks Against Hash Functions
Mutual Authentication
Exercises for Part 3
Defense-in-Depth: The FLI Model
Protecting Against Failure
Protecting Against Lies
Protecting Against Infiltration
Other Techniques
Using an FLI-like Model
Source Code Listings