This site graciously hosted
by our friends at




Advance Praise

From Academics

"This book presents the steps for writing, testing, and deploying good, robust, and security-enhanced code. It is a pleasure to read, with many case studies and examples, and thorough in its coverage. It discusses many problems and common errors, and how to avoid or handle them. It will be a welcome supplement to computer security, programming, and software engineering classes, as well as a useful guide for the practitioner. Well done!"

--- Matthew A. Bishop, Ph.D., Associate Professor, Computer security, cryptography, UC Davis

"It is no longer a luxury to engineer out buffer overflow -- it is a duty and responsibility... 'Secure Coding' lays down the gauntlet to the software industry. The tenets of solid code are clearly described and explained; it becomes a must-read for the entire industry, from policy makers down to the newest programmer. I plan to include it as required reading in my Information Security Management curriculum."

--- Julie J.C.H. Ryan, D.Sc., Assistant Professor, Engineering Management and Systems Engineering, Lead Professor for Information Security Management at GWU SEAS

"What a wonderful resource, either as an academic textbook or as an instrument of professional growth! This book is full of sound advice, insightful anecdotes, and delightful bits of history and philosophy. Above all, it presents the reader with directions on how to improve software quality and keep security flaws at bay. This book is a "must-read" for anyone whose coding might be used someday in a critical application: that is, everyone."

--- Dr. Gene H. Spafford, Director CERIAS, Purdue University

From Software Developers

"A *wonderful* book written by people who have been around for a long time :-). Mark and Ken concisely cover the thinking needed behind secure programming, and more importantly *designing* software with security in mind. Plus it's really entertaining to read. I wish it had been available when I was writing parts of Samba. I might not have had the last two security embarrassments to my name. READ this book, keep it handy when designing software and most importantly *remember* what it teaches."

--- Jeremy Allison, Co-Author, Samba

"This book goes beyond the usual discussions of software implementation bugs. It teaches the reader how to escape from the mental models that make developers blind for mistakes. The book is a gold mine with its examples of real-life blunders made during each stage of the system life cycle, from requirements, design, and implementation to deployment."

--- Dr. Wietse Venema, author of TCP Wrappers and Postfix

"If this book had existed when I was learning C in the early 1980's, then I might not now hold the record for `most CERT advisories due to a single author' and so I am impressed, and thankful, and grumpy. Anyone who wants a coding job at ISC in the future should be prepared to demonstrate that they have read and understood Secure Coding. Thanks guys."

--- Paul Vixie, president of Internet Software Consortium, publisher of BIND and operator of F.ROOT-SERVERS.NET

"...A delightful read filled with useful questions and checklists that achieves a wonderful balance between enjoyable illustrative stories and rubber-hits-the-road techniques for approaching the processes of security... I will definitely give copies of this book to project managers struggling to operate effectively in today's rapid development environment."

--- Michael Shaff, QuickTime software developer, SmallHands.com

From Corporate Executives

"Could anything possibly be more timely? This is a first class look at what it takes to produce much more secure and robust software than has been the common case in the past. I wish I had had it at hand when working on the details of the TCP/IP protocols!"

--- Dr. Vinton G. Cerf, Senior Vice President of Internet Architecture and Technology for MCI, co-designer of the TCP/IP protocol

"Anyone with a sincere desire to develop secure systems must read this book. ...It is hard to do security right. All too often, efforts to develop secure systems end with systems that are inefficient and difficult to use, or result in security that is weak or nonexistent. This book will help you do it right."

--- Joseph A. D'Angelo, Chief Information Officer, Counterpane Internet Security

"Graff and Van Wyk have written an engaging book that will have a profound effect on the security of the Internet and the safety of the people who work and play on it. The more people who read this book, the safer we will all be."

--- Dr. John Hamre, President and CEO of the Center for Strategic and International Studies and former U.S. Deputy Secretary of Defense

"This book isn't just about secure design and coding, it's also an excellent synopsis of overall good design and coding practices. ...Secure Coding is very clear in explaining that it's not just about security, it's about managing risk, it's about balancing costs and benefits. I wish I'd had this book years ago as it's taken me years to figure these things out for myself."

--- Stephen E. Hansen, Information Security Officer, Google, Inc.

"This one is different! ...Clearly Ken and Mark understand these issues, have a wealth of knowledge and experience and obviously a passion to inform others about how to think about and develop good software from a security perspective. ...It's hard to imagine how any reader can get very far into this book without reflecting on just how much it has caused them to stop and think about how they approach not just the development of secure code but in general about security and the Internet in general."

--- Ed Hart, former Deputy Director for Information Security, U.S. National Security Agency

"Graff and Van Wyk have provided a book which will teach generations the basic principles in designing and writing software code ready for the Internet and its threats. I am reminded of an old saying, "give a man a fish and feed him for a day; teach a man to fish and feed him for a lifetime." Basic secure coding practices are not a cut, copy, and paste exercise but, a process with defined fundamentals and principles, that practiced, will result in less security vulnerable software. Professionals have been waiting years for this book; a must read."

--- Mike Higgins, VP, Global Security Practice, Tekmark Global Solutions and former CEO, Para-Protect Services

"Nowadays we take it for granted that road and rail bridges stay up and are a reliable part of the transport infrastructure. This was not always the case, however, and it has only been through the development of sound engineering principles and practices and learning from the mistakes/disasters of the past that we have come to understand what is really required to develop safe structures. ...By drawing on their hard won experience the authors explore what can go wrong and what needs to be done to address the many complex issues that can give rise to insecure software and systems."

--- Alan Stanley, Managing Director, Information Security Forum

"It *is* possible to build application systems that are 'just secure enough', and 'Secure Coding' shows how. I recommend it to all executives and architects who want the new opportunities and substantial savings that good security can create."

--- Tim Townsend, enterprise security architect and IT Director, Sun Microsystems

From Other Security Professionals

"I've seen the problems and mistakes that Ken and Mark describe so many times that I recommend this book to all of my clients as a must-read very early on in all of their design projects."

--- Christoph Fischer, President, BFK edv-consulting GmbH

"This is a very important book. Most of today's security problems are caused by a combination of design flaws, poor programming standards, and programmer error. Programmers, architects, and managers need to read this book and apply it in their day-to-day work."

--- Simson L. Garfinkel, coauthor, Practical Unix and Internet Security, and founder, Sandstorm Enterprises, Inc.

"This book should be read by anyone in the business of designing, implementing or evaluating secure network applications. It combines the correct balance of theory, practice and history of coding securely and will be a relevant source of information for many years to come."

--- Ron Gula, CTO of Tenable Network Security and original author of the Dragon intrusion detection system

"This book provides readers with an overview of the procedures which should have been followed in the development of all too many applications. While it should be read from end to end I find that just jumping in to chapters is also equally enjoyable and worthwhile. The focus is primarily on network facing applications but, as the authors demonstrate, there are many other programs which form that wonderful interdependence we have come to call an Operating System, the many examples show how they too will benefit from this approach"

--- Dr. Neil Long, University of Oxford Computing Services & current Chairman of FIRST

"Good programmers write good code, bad programmers write bad code, but all programmers seem to write insecure code. Kudos to Mark and Ken for their explanation of the reasons why it's so hard to write good secure code, and what to do about it!"

--- Marcus J. Ranum, principal author of the DEC SEAL firewall, TIS Gauntlet firewall, and the Network Flight Recorder Intrusion Detection System


Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.
webmaster@securecoding.org