Talk About Network

Google


Register and Login
Nick
Password
Register create new account Sign up is FREE and you can post replies, new topics, bookmark posts and more!
Recover lost password


Books > Reviews 2 > REVIEW: "Softwa...
Latest [ Topics | Posts ] Archive Post A New Topic Post a Reply
<< Topic < Post Post 1 of 1 Topic 230 of 253
 Post > Topic >>

REVIEW: "Software Security: Building Security In", Gary McGraw

by "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade@[EMAIL PROTECTED] > Jun 12, 2006 at 11:54 AM

BKSWSBSI.RVW   20060518

"Software Security: Building Security In", Gary McGraw, 2006,
0-321-35670-5, U$49.99/C$66.99
%A   Gary McGraw swsec.com www.buildingsecurityin.com gem@[EMAIL PROTECTED]
   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2006
%G   0-321-35670-5
%I   Addison-Wesley Publi****ng Co.
%O   U$49.99/C$66.99 416-447-5101 800-822-6339 bkexpress@[EMAIL PROTECTED]
  http://www.amazon.com/exec/obidos/ASIN/0321356705/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0321356705/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321356705/robsladesin03-20
%O   Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   408 p. + CD-ROM
%T   "Software Security: Building Security In"

The preface states that the audience for the book is comprised of
developers (particularly those interested in secure software),
security professionals (in places), managers (in places), and
academics (there are a couple of chapters that indicate where further
research might be useful).  McGraw also introduces the major
components of the book.  His "thee pillars" are not the usual
confidentiality, integrity and availability, but risk management,
"touchpoints," and knowledge.  The touchpoints are code analysis, risk
analysis, penetration (vulnerability) testing, security tests, abuse
cases, security requirements, and security operations.

Part one outlines the basics of software security.  Chapter one
informs us that problems exist in software, and notes the differences
betweens bugs (due to careless implementation) and flaws (due to poor
design).  McGraw also suggests his three pillars as a means of
addressing the difficulty.  Using an example software project, chapter
two takes us through a risk management framework in some detail.

Part two examines the touchpoints.  Chapter three introduces them in a
diagram related to the steps in the software development process (they
are numbered, although in a seemingly random pattern which turns out
to be the suggested order of effectiveness).  (The latter half of the
chapter seems to be more of a sermon on software security.)  Source
code review tools (for finding bugs) are described in chapter four. 
Chapter five starts off with traditional risk analysis definitions and
then extends the concept with details of the application of the
process to software design.  (Sidebars on software tools for program
risk analysis, and other related items, are dropped in seemingly at
random.  The information is valuable, but the reading flow is somewhat
disjointed.)  Penetration testing of software sounds like a good idea,
but chapter six doesn't really define what the topic involves.  (The
sidebar on tools is a case in point: the tools are listed and
recommended, but the descriptions don't say what they actually do.) 
Risk-based security testing seems, by the end of chapter seven, to be
a special case of spanning tree analysis, but along the way a number
of the other touchpoints seem to overlap with it.  "Abuse cases" is
the application of known common vulnerabilities and attacks
(perpetrated on systems similar to yours), and analysis of means of
protection while still in the design phase.  Chapter eight provides a
handy list of such attacks (if you are building a Web application). 
"Security operations," in chapter nine, appears to be a discussion of
how software developers and security professionals should relate to
each other.  (Touchpoint six, "security requirements," is not
covered.)

Part three covers additional topics.  Chapter ten outlines advice for
a software security program in a large company.  "Knowledge for
software security," in chapter eleven, is mostly an overview of
material already covered, but does include some additional tools. 
Chapter twelve is a taxonomy of coding errors, which should be
valuable both for those working on analysis of their own program
security, and also researchers in the field.

One fairly consistent weakness is that the book seems to assume that
all software applications are network-based, and that all software
problems result from malicious attacks.  While Web-based applications
are definitely of great im****tance, and also subject to a larger range
of difficulties, this does limit the application of some of the
material of the text in regard to standalone programs where the major
concern is integrity of data, prevention of errors, and reliability of
operation.

The writing and structure could use some work: in many situations it
is not easy to follow the thread of McGraw's argument.  However, there
is no denying the value of having all these ideas about software
security brought together in one volume.  There is a great deal of
useful and interesting material here, and, with commitment from the
reader, much that will be helpful in building more robust and reliable
software.

copyright Robert M. Slade, 2006   BKSWSBSI.RVW   20060518


======================  (quote inserted randomly by Pegasus Mailer)
rslade@[EMAIL PROTECTED]
     slade@[EMAIL PROTECTED]
     rslade@[EMAIL PROTECTED]
"Dictionary of Information Security" Syngress (forthcoming) 1597491152
        You're just jealous because the voices only talk to me.
http://victoria.tc.ca/techrev/rms.htm




 1 Posts in Topic:
REVIEW: "Software Security: Building Security In", Gary McGraw
 "Rob, grandpa of Rya  2006-06-12 11:54:22 

Post A Reply:
  Go here to Signup

AddThis Feed Button


About - Advertising - Contact - Frequently Asked Questions - Privacy Policy - Terms of Use - Signup
Contact
tan12V112 Sun Sep 7 5:25:55 CDT 2008.