Secure Coding: Principles & Practices

Secure Coding Home \| O'Reilly.com \| Books \| Conferences \| O'Reilly Network

About the Book

  Table of Contents
  Sample Chapter
  Advance Praise
  Reviews
  Press Release
  Order
  FAQ
  Errata

About the Authors

  Bios of Mark and Ken
  Articles
  Op/Ed
  Thanks

Book Companion

  Additional Case Studies
  Checklists
  Software Tools
  Code Snippets
  Bibliography and Links
  Contributions
  Analysis of Topical
    Vulnerabilities

SC-L Mailing List

Contact Us

  Email Addresses
  URLs
  Phone Numbers
  Contact O'Reilly

Events Calendar

Conferences

Media Kit/Info

  Press Releases
  Link to Articles
  Link to Op/Eds

This site graciously hosted
by our friends at

8. Summary

Table of Contents | Previous Section | Next Section

8.1 Lessons learned

In the course of this survey we searched, examined, and analyzed information about secure coding from hundreds of sources. The following observations, some surprising, were gleaned from the survey.

The last 12 months has seen a significant increase in the body of available materials. Anecdotally, about one-third of the most useful information is eighteen months old or less. Since little has changed technically, it is safe to infer a substantial upsurge in world-wide interest in the subject.
The relatively small proportion of detailed secure coding techniques that apply only to one language or platform was surprising. Almost all of the rules apply quite broadly. The main exception relates to the buffer overflow problems endemic to C/C++.
There were more commercial analysis tools than expected.
Surprisingly few independent tools are available for checking programs for security holes. It is suspected that many more exist, but are closely held in the hacker/attacker and consulting communities.

8.2 Directions for further study

For more technical information on secure coding projects, and a view of ongoing work, check the following centers for vulnerability testing research.

CERIAS at Purdue, headed by Dr. Eugene Spafford. See http://www.cerias.purdue.edu/coast/projects/vuln_test.html
Computer Security Laboratory, headed by Dr. Matt Bishop. See http://seclab.cs.ucdavis.edu/projects/vulnerabilities/
OUSPG: Oulu University Secure Programming Group, headed by Dr. Marko Laakso. See http://www.ee.oulu.fi/research/ouspg/.

Table of Contents | Previous Section | Next Section