9. Bibliography
[Advosys 2000] Advosys Consulting (formerly named Webber Technical Services). "Writing Secure Web Applications." See http://advosys.ca/tips/web-security.html

[Advosys 2001] Advosys Consulting (formerly named Webber Technical Services). 2001. "Preventing HTML form tampering." See http://advosys.ca/tips/form-tampering.html

[Aleph1 1996] Aleph1. November 8, 1996. "Smashing The Stack For Fun And Profit." Phrack Magazine. Issue 49, Article 14. See http://www.2600.net/phrack/p49-14.html

[Al-Herbish 1999] Al-Herbish, Thamer. 1999. Secure Unix Programming FAQ. See http://www.whitefang.com/sup/

[Anderson 2001] Anderson, Ross J. 2001. Security Engineering: A Guide To Building Dependable Distributed Systems. ISBN 0-471-38922-6. New York: John Wiley & Sons, Inc.

[Anonymous 1997] Anonymous. 1997. Maximum Security. ISBN 1-57521-268-4. Indianapolis, Indiana: Sams.net.

[Anonymous 1998] Anonymous. September 1998. Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network. Sams. Second Edition. ISBN: 0672313413.

[Arnold 1993] Arnold, Derek N. 1993. UNIX Security: A Practical Tutorial. ISBN 0-07-002560-6. New York: McGraw-Hill, Inc.

[Atkin 1996] Atkins, Derek, Paul Buis, Chris Hare, Robert Kelley, Carey Nachenberg, Anthony B. Nelson, Paul Phillips, Tim Ritchey, and William Steen. 1996. Internet Security Professional Reference. ISBN 1-56205-557-7. Indianapolis, Indiana: New Riders Publishing.

[AUSCERT 1996] Australian Computer Emergency Response Team (AUSCERT). 1996. A Lab Engineers Check List for Writing Secure Unix Code. ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist4

[Bellovin 1994] Bellovin, Steven M. December 1994. Shifting the Odds -- Writing (More) Secure Software. Murray Hill, NJ: AT&T Research. http://www.research.att.com/~smb/talks

[Bentley 2000] Bentley, Jon. 2000. Programming Pearls, Second Edition. ISBN 0-201-65788-0. Reading, Massachusetts: Addison-Wesley Longman, Inc.

[Bishop 1995] Bishop, Matt. 1995. "Race Conditions, Files, and Security Flaws; or the Tortoise and the Hare Redux."

[Bishop 1996a] Bishop, Matt. May 1996. "UNIX Security: Security in Programming." SANS '96. Washington DC (May 1996). http://olympus.cs.ucdavis.edu/~bishop/secprog.html

[Bishop 1996b] Bishop, Matt, and Michael Dilger. 1996. "Checking for Race Conditions in File Accesses."

[Bishop 1997a] Bishop, Matt. October 1997. "Writing Safe Privileged Programs." Network Security 1997 New Orleans, LA. http://olympus.cs.ucdavis.edu/~bishop/secprog.html

[Bishop 1997b] Bishop, Matt. 1997. "Vulnerabilities Analysis."

[Blakley 1999] Blakley, Bob. 1999. CORBA Security: An Introduction To Safe Computing With Objects. ISBN 0-201-32565-9. Reading, Massachusetts: Addison-Wesley Longman, Inc.

[Brown 2000] Brown, Keith. 2000. Programming Windows Security. ISBN 0-201-60442-6. Boston: Addison-Wesley.

[Cargill 1992] Cargill, Tom. 1992. C++ Programming Style. ISBN 0-201-56365-7. Reading, Massachusetts: Addison-Wesley Longman, Inc.

[CERT 1998] Computer Emergency Response Team (CERT) Coordination Center (CERT/CC). February 13, 1998. "Sanitizing User-Supplied Data in CGI Scripts." CERT Advisory CA-97.25.CGI_metachar. See http://www.cert.org/advisories/CA-97.25.CGI_metachar.html

[Chapman 2000] Chapman, Davis. 2000. Developing Secure Applications with Visual Basic. ISBN 0-672-31836-9. Indianapolis, Indiana: Sams.

[CMU 1998] Carnegie Mellon University (CMU). February 13, 1998 Version 1.4. "How To Remove Meta-characters From User-Supplied Data In CGI Scripts." See ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters

[Cowan 1999] Cowan, Crispin, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade." Proceedings of DARPA Information Survivability Conference and Expo (DISCEX). See http://schafercorp-ballston.com

[Cowan 1999] Cowan, Crispin, Steve Beattie, Ryan Finnin Day, Calton Pu, Perry Wagle, and Erik Walthinsen. "Protecting Systems from Stack Smashing Attacks with StackGuard." See http://www.immunix.org/documentation.html

[Curry 1992] Curry, David A. 1992. UNIX System Security: A Guide for Users and System Administrators. ISBN 0-201-56327-4. Reading, Massachusetts: Addison-Wesley Publishing Company.

[Dik 2000] Dik, Casper. 2000. "Safe Programming."

[Du 1997] Du, Wenliang. 1997. "Categorization of Software Errors That Led to Security Breaches."

[Evans Unknown] Evans, David. Unknown. "LCLint User's Guide."

[Farrow 1990] Farrow, Rik. 1990. UNIX System Security. ISBN 0-201-57030-0. Reading, Massachusetts: Addison-Wesley Publishing Company.

[Feghhi 1999] Feghhi, Jalil, Jalil Feghhi and Peter Williams. 1999. Digital Certificates: Applied Internet Security. ISBN 0-201-30980-7. Boston: Addison-Wesley.

[Galvin 1998a] Galvin, Peter. April 1998. "Designing Secure Software." Sunworld. http://www.sunworld.com/swol-04-1998/swol-04-security.html

[Galvin 1998b] Galvin, Peter. August 1998. "The Unix Secure Programming FAQ." Sunworld. http://www.sunworld.com/sunworldonline/swol-08-1998/swol-08-security.html

[Garfinkel 1996] Garfinkel, Simson and Gene Spafford. 1996. Practical UNIX & Internet Security, 2nd Edition. ISBN 1-56592-148-8. Sebastopol, CA: O'Reilly & Associates, Inc.

[Garfinkle 1997a] Garfinkel, Simson and Gene Spafford. 1997. Web Security & Commerce. ISBN 1-56592-269-7. Sebastopol, CA: O'Reilly & Associates, Inc.

[Garfinkle 1997b] Garfinkel, Simson. August 8, 1997. 21 Rules for Writing Secure CGI Programs. http://webreview.com/wr/pub/97/08/08/bookshelf

[Gong 1999] Gong, Li. June 1999. Inside Java 2 Platform Security. Reading, MA: Addison Wesley Longman, Inc. ISBN 0-201-31000-7.

[Govanus 2001] Govanus, Gary and Robert King. 2001. MCSE: Windows 2000 Network Security Design Exam Notes. ISBN 0-7821-2766-5. San Francisco: Sybex.

[Graham 1999] Graham, Jeff. May 4, 1999. "Security-Audit's Frequently Asked Questions (FAQ)." See http://lsap.org/faq.txt

[Gundavaram Unknown] Gundavaram, Shishir, and Tom Christiansen. Date Unknown. Perl CGI Programming FAQ. http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html

[Howard 2000] Howard, Michael. 2000. Designing Secure Web-Based Applications for Microsoft Windows 2000. ISBN 0-7356-0995-0. Redmond, Washington: Microsoft Press.

[Jaworski 2000] Jaworski, Jamie and Paul J. Perrone. 2000. Java Security Handbook. ISBN 0-672-31602-1. Indianapolis, Indiana: Sams.

[Jones 1987] Jones, Robin, and Ian Stewart. 1987. The Art of C Programming. ISBN 0-387-96392-8. New York: Springer-Verlag.

[Kernighan 1988] Kernighan, Brian W., and Dennis M. Ritchie. 1988. The C Programming Language. Second Edition. Englewood Cliffs, NJ: Prentice-Hall. ISBN 0-13-110362-8.

[Koenig 1989] Koenig, Andrew. 1989. C Traps and Pitfalls. ISBN 0-201-17928-8. Reading, Massachusetts: Addison-Wesley Publishing Company.

[Kuperman 1999] Kuperman, Benjamin A., and Eugene Spafford. 1999. "Generation of Application Level Audit Data via Library Interposition." CERIAS Tech Report TR-99-11.

[Krsul 98] Krsul, Ivan, Eugene Spafford, and Mahesh Tripunitara. 1998. "An Analysis of Some Software Vulnerabilities."

[Maguire 1993] Maguire, Steve. 1993. Writing Solid Code: Microsoft's Techniques for Developing Bug-Free C Programs. ISBN 1-55615-551-4. Redmond, Washington: Microsoft Press.

[McClure 2001] McClure, Stuart, Joel Scambray, and George Kurtz. 1999. Hacking Exposed: Network Security Secrets and Solutions, Second Edition. Berkeley, CA: Osborne/McGraw-Hill. ISBN 0-07-212748-1.

[McConnell 1993] McConnell, Steve. 1993. Code Complete: A Practical Handbook of Software Construction. ISBN 1-55615-484-4. Redmond, Washington: Microsoft Press.

[McGraw 1999] McGraw, Gary, and Edward W. Felten. January 25, 1999. Securing Java: Getting Down to Business with Mobile Code, 2nd Edition. John Wiley & Sons. ISBN 047131952X. http://www.securingjava.com

[McGraw 2000a] McGraw, Gary and John Viega. March 1, 2000. "Make Your Software Behave: Learning the Basics of Buffer Overflows." See http://www-4.ibm.com/software/developer/library/overflows/index.html

[Mclean 2000] McLean, Ian. 2000. Windows 2000 Security. ISBN 1-57610-387-0. Scottsdale, Arizona: Coriolis.

[Merkow 1998] Merkow, Mark S., Jim Breithaupt, and Ken L. Wheeler. 1998. Building SET Applications for Secure Transactions. ISBN 0-471-28305-3. New York: John Wiley & Sons, Inc.

[Miller 1995] Miller, Barton P., David Koski, Cjin Pheow Lee, Vivekananda Maganty, Ravi Murthy, Ajitkumar Natarajan, and Jeff Steidl. 1995. Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services. See ftp://grilled.cs.wisc.edu/technical_papers/fuzz-revisited.pdf

[Miller 1999] Miller, Todd C. and Theo de Raadt. "strlcpy and strlcat -- Consistent, Safe, String Copy and Concatenation." Proceedings of Usenix '99. See http://www.usenix.org/events/usenix99/millert

[Mudge 1995] Mudge. October 20, 1995. "How to write Buffer Overflows." l0pht advisories. See http://www.l0pht.com/advisories/bufero.html

[NCSA 1997a] NCSA Secure Programming Guidelines. See http://www.ncsa.uiuc.edu/General/Grid/ACES/security/programming

[NCSA 1997b] NCSA. 1997. "Writing Secure CGI Scripts." See http://hoohoo.ncsa.uiuc.edu/cgi/security.html

[NIST 1999] NIST. The Common Criteria for Information Technology Security Evaluation (CC). 1999. See http://csrc.nist.gov/cc/ccv20/ccv2list.htm

[Pattison 2000] Pattison, Ted. 2000. Programming Distributed Applications with COM+ and Microsoft Visual Basic. ISBN 0-7356-1010-X. Redmond, Washington: Microsoft Press.

[Phillips 1995] Phillips, Paul. September 3, 1995. Safe CGI Programming. See http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt

[Pistoia 1999] Pistoia, Marco, Duane F. Reller, Deepak Gupta, Milind Nagnur, and Ashok K. Ramani. 1999. Java2 Network Security, Second Edition. ISBN 0-13-015592-6. Upper Saddle River, New Jersey: Prentice Hall.

[Rabinowitz 1989] Rabinowitz, Henry and Chaim Schapp. 1989. Portable C. ISBN 0-13-685967-4. Englewood Cliffs, New Jersey: Prentice Hall.

[Rain Forest Puppy 1999] rain.forest.puppy. 1999. "Perl CGI problems." Phrack Magazine. Issue 55, Article 07. http://www.phrack.com/search.phtml?view&article=p55-7 or http://www.insecure.org/news/P55-07.txt

[Ranum 1997] Ranum, Marcus J. 1997. "Security for Software Developers." See http://pubweb.nfr.net/~mjr/pubs/pdf/security-for-developers.pdf

[Ranum 1998] Ranum, Marcus J. 1998. "Security-critical coding for programmers - a C and UNIX-centric full-day tutorial." See http://web.ranum.com/pubs/pdf/index.htm

[Reshef 2000] Reshef, Eran, Izhar Bar-Gad. "Web Application Security." See http://www.SanctumInc.com/pdf/Web_Application_Security_TISC.pdf

[Rijmen 2000] Rijmen, Vincent. "LinuxSecurity.com Speaks With AES Winner." See http://www.linuxsecurity.com/feature_stories/interview-aes-3.html

[Rochkind 1985] Rochkind, Marc J. Advanced Unix Programming. Englewood Cliffs, NJ: Prentice-Hall, Inc. ISBN 0-13-011818-4.

[Seifried 1999] Seifried, Kurt. October 9, 1999. Linux Administrator's Security Guide. See http://www.securityportal.com/lasg

[Salzer 1975] Saltzer, J.H., and M.D. Schroeder, "The Protection of Information in Computer Systems," Proc. IEEE, Vol. 63, No. 9, Sept. 1975, pp. 1278-1308.

[Shostack 1999] Shostack, Adam. June 1, 1999. Security Code Review Guidelines. http://www.homeport.org/~adam/review.html

[Shrader 2000] Shrader, Theodore K., Bruce A. Rich, and Anthony J. Nadalin. 2000. Java and Internet Security. ISBN: 0-595-13500-5. San Jose: iUniverse.com, Inc.

[Sibert 1996] Sibert, W. Olin. Malicious Data and Computer Security. (NIST) NISSC '96. See http://www.fish.com/security/maldata.html

[Sitaker 1999] Sitaker, Kragen. Feb 26, 1999. How to Find Security Holes. http://www.dnaco.net/~kragen/security-holes.html

[SSE-CMM 1999] SSE-CMM Project. April 1999. System Security Engineering Capability Maturity Model (SSE CMM) Model Description Document. Version 2.0. See http://www.sse-cmm.org

[Stein 1999] Stein, Lincoln D. September 13, 1999. The World Wide Web Security FAQ. Version 2.0.1 http://www.w3.org/Security/Faq/www-security-faq.html

[Sun 2000] Sun Microsystems. 2000. "Secure Code Guidelines." See http://www.java.sun.com/security/seccodeguide.html

[Swanson 1996] Swanson, Marianne, and Barbara Guttman. September 1996. "Generally Accepted Principles and Practices for Securing Information Technology Systems." NIST Computer Security Special Publication (SP) 800-14. See http://csrc.nist.gov/publications/nistpubs/index.html

[Thomas 2000] Thomas, Stephen A. 2000. SSL and TLS Essentials: Securing The Web. ISBN 0-471-38354-6. New York: John Wiley & Sons, Inc.

[Unknown] SETUID(7) http://www.homeport.org/~adam/setuid.7.html

[Vacca 1996] Vacca, John. 1996. Internet Security Secrets. ISBN 1-56884-457-3. Foster City, California: IDG Books Worldwide, Inc.

[Van Biesbrouck 1996] Van Biesbrouck, Michael. April 19, 1996. See http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec

[Venema 1996] Venema, Wietse. 1996. Murphy's law and computer security. http://www.fish.com/security/murphy.html

[Vitek 1999] Vitek, Jan and Christian D. Jensen (ed.). 1999. Secure Internet Programming: Security Issues For Mobile And Distributed Objects. ISBN 3-540-66130-1. New York: Springer-Verlag.

[W3C 1997] W3C. 1997. "The World Wide Web Security FAQ." http://www.w3.org/Security/Faq/wwwsf5.html

[Wheeler 2001] Wheeler, David A. Secure Programming for Linux and UNIX HOWTO. 2001. Self-published. http://www.linuxdoc.org/HOWTO/Security-HOWTO.html

[Yoder 1998] Yoder, Joseph and Jeffrey Barcalow. 1998. Architectural Patterns for Enabling Application Security. PLoP '97. http://st-www.cs.uiuc.edu/~hanmer/PLoP-97/Proceedings/yoder.pdf

National Security Agency (NSA). September 2000. Information Assurance Technical Framework (IATF). See http://www.iatf.net

Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.
webmaster@securecoding.org