This site graciously hosted
by our friends at




Frequently Asked Questions

1) Why are there so few code examples in the book?

The main reason is, that's not the kind of book we thought was needed. There are several good coding cookbooks available today, many of which we cite in our bibliography. However, we intend this book to explore and explain concepts--to teach cooking, if you will, instead of displaying recipes. That meant we had to keep the book fairly small: having lots code examples would not only swell the book, but also break the narrative flow, making it less likely folks would read the book straight through. It's also true that putting in lots of code and product examples would make the book go out of date more quickly. So instead, we are using the web site to house the material that mutates quickly, using the book for insights and concepts that will remain true for many years

2) You talk an awful lot about blunders you have made during your career. Why should we take advice from somebody who has made so many mistakes?

We certainly do admit to several mistakes. We feature them, in fact. (You may have to look a little deeper to dig out the many successful projects we talk about; and there are quite a few more, of course, we can't talk about at all.) But when you consider that our careers, taken together, have spanned fifty years or so, we think our batting average is rather high. And it's our hope, as we say in the Preface, that you can learn from our mistakes, as we have, without having to make them all yourself.

3) I read the book and found it very eye-opening. What would you suggest I should do as my next steps towards producing more secure code?

Now that you are armed with the knowledge and better understanding of the thought process that goes into developing secure code, we strongly suggest that you start trying to put that to practice. By all means, go out and pick up one or more other texts, including "cookbooks" that provide examples of secure code in the language(s) that you work in the most. We believe that you'll find those examples easier to put to practical use now that you have a more solid foundation to put them on.

4) Amidst all the rave reviews, there have been a few bad ones. How can the same book be called a "masterpiece" by one person and dismissed as "superficial" by another?

Our book certainly does seem to stir up some powerful emotions. That caught us by surprise; but we won't speculate as to the reason. We certainly do take note of the fact, though, that some percentage of readers object to the high-level approach we took, and bemoan the lack of code samples and detailed technical advice. One reviewer argued that we should have written a 700-page book instead, in order to cover in detail all of the concepts that we discuss. Well, we don't agree; and we assert confidently that thousands of satisfied readers have found in "Secure Coding" the principles, concepts, insights, and lists critical to forming a clear understanding of what needs to be done (and not done) to develop secure software. Moreover, we believe that many of those readers (and many more potential readers) would have neither the time nor the inclination to pick up a 700-pager. So, we met our design goal, are grateful to our readers, and are happy with the outcome. Oh, by the way: we've been careful to provide and maintain a current list of links to lengthier and more detailed tomes!

Have a question about the book or topic?  Click here to email the authors.


Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.
webmaster@securecoding.org