Book Review: Secure Coding : Principles and Practices


by Chris Douce

Secure Coding : Principles and Practices

by Mark Graff and Kenneth van Wyk
O'Reilly, 2003
ISBN 0-596-00242-4

'As soon as I connect to this website, my computer begins to reboot,' a colleague said to me, frustrated.

Ten minutes later, I figured out what was going on, thanks partly to other people arriving in the office asking an identical question. The year just gone by was a particularly difficult year for systems administrators due to the prevalence of a number of rather malicious internet worms. Several weeks later, reflecting on these frustrations, I discovered a book that was described in interesting terms.

On the back cover, it is written that 'Secure Coding sheds light on the economic, psychological and practical reasons why security vulnerabilities are so ubiquitous today'. When I received the book, I found a section entitled 'psychological factors'. The section introduction is tantalisingly concluded with the sentence, 'we've seen little in the way of careful thinking about the influence human psychology has on the frequency and nature of security vulnerabilities'. I tend to agree.

The chapters follow the stages of an ideal software development cycle. After the introduction, the book begins with architecture, goes on to design and operations, and then covers automation and testing. Numerous case studies pepper these chapters, including a sprinkling of C code for those who demand the cryptic.

In the preface, it is stated that the book does not contain 'cookbook examples' of how to write code, instead exploring the issue of security at a higher level. Similarly, it does not cover details of particular platforms, analyses of example exploits, or issues surrounding the design of certain types of application. Generality is considered to be key.

My favourite chapter is the one describing software architecture, specifically a 'security architecture'. It provides a list of things to think about, and then explains each of them in turn. Whilst I have problems with the nebulous use of the word architecture, it seems to fit here - asking you to think about how things should go before going ahead and building.

This slim volume is well referenced. It cites our firm favourites, such as Gerald Weinberg's Psychology of Computer Programming, and that well-respected favourite about mistakes, Human Error by James Reason. Another favourite that references many PPIG-related papers, Code Complete by Steve McConnell, is also recommended reading.

Secure Coding reminds me of (and references) another related book that has been recently published, Writing Solid Code by Steve Maguire, published by Microsoft Press. This is another text that I hope to get around to reading, especially since this book is now considered to be 'required reading' on the Redmond campus.

Whilst the book's title makes an explicit reference to coding, it goes beyond what is normally considered to be coding. Many responsibilities in information technology are divided into artificial roles, such as software engineering and system administration, often for very pragmatic reasons. The authors feel that those who consider themselves 'coders' should also have an appreciation of some of the topics found within system administration.

Computer programming is not merely about the somewhat simple act of coding. Secure Coding reminds the professional developer about what can go wrong. It reminds the developer to consider the environment in which software executes. It reminds the developer that his or her software may run in an environment that should be considered as hostile.

In one part of the book, the lesson is clear. No matter how well your program may withstand certain types of attack, all your hard work may be in vain if your system runs on an operating system or network that has not been configured correctly. A programmer or developer needs to know a little about what the systems administrator does and how he or she does it, and conversely a system administrator needs to know what kind of security a programmer is likely to ask for.

The advice is clear. Consider risk. Consider how your system generates and reports errors, and consider whether an audit trail facility is needed. Consider technical issues, and ensure you keep up to date with new releases. Consider thinking like an alien, to break through the comprehension paradigm that the software developer has constructed.

Interestingly, Graff and van Wyk's book gives some attention to open source software, and describes a number of incredibly useful tools. If learning about these tools allows software developers and system administrators to effectively resolve a minor network vulnerability, this alone is likely to be worth the cover price.

The more one reads about computer security, the more one begins to feel afraid. We are in a world filled with software jails, buffer overflows, and at the mercy of third party libraries and operating systems comprising millions of lines of code. This distant fear may be similar to how one may feel whilst reading a book about real infectious agents.

Security is a topic that, judging from previous workshops, is only occasionally addressed by the psychology of programming community. Yet security intersects many areas in which we have an interest, notably language design, software development methodology and models of program comprehension. Security is definitely something we need to think about.

Interest (and concerns) regarding software security will, in my view, continue to increase.

Have you read a book that you think that others may find interesting? If so, please do tell us about it. We're crying out for some reviews of psychology books! Send us your reviews and ideas.