This site graciously hosted
by our friends at




Resources - Web Companion

This document is adapted (with permission) from the appendix in Secure Coding: Principles and Practices (O'Reilly, 2003), and contains a list of the books, papers, articles, and web sites that have inspired us and served as sources for this book. We do our best here to point to the places that provide the best resources for more information.

Of course, this short list is in no sense a complete survey of the literature of our growing field. We welcome your comments, suggestions, and additions to this list, and reserve the right to include or not include them in any subsequent editions or printings of Secure Coding. If you are interested in contributing, please contact us.

Books
  • Anderson, Ross. Security Engineering. New York, NY: John Wiley & Sons, 2001. ISBN 0-471-38922-6. A stunning achievement by a great engineer. Highly readable. Only a few chapters are directly relevant to secure coding, but we recommend the entire volume for its surprising insights.
  • Bentley, Jon. Programming Pearls, Second Edition. Reading, MA: Addison-Wesley Longman, 2000. ISBN 0-201-65788-0. Justifiably famous collection of sound programming practices and tips.
  • Brooks, Frederick P. The Mythical Man-Month: Essays on Software Engineering, Anniversary Edition. New York, NY: Addison-Wesley, 1995. ISBN 0201835959 . Classic work on the practice and business of software development and the management of projects.
  • Garfinkel, Simson, Gene Spafford, and Alan Schwartz. Practical Unix & Internet Security, 3rd Edition. Sebastopol, CA: O'Reilly & Associates, Inc., 2003. ISBN 1-56592-323-4. Comprehensive, a true tour-de-force. Chapter 16, "Writing Secure SUID and Network Programs," was a lightning bolt when first published and remains indispensable today.
  • Gong, Li. Inside Java 2 Platform Security. Reading, MA: Addison Wesley Longman, 1999. ISBN 0-201-31000-7. Worth reading simply for Dr. Gong's description of the Java jail, of which he was the principal designer.
  • Howard, Michael. Designing Secure Web-Based Applications for Microsoft Windows 2000. Redmond, Washington: Microsoft Press, 2000. ISBN 0-7356-0995-0. Excellent example of platform-specific advice.
  • Kernighan, Brian W., and P. J. Plauger. Elements of Programming Style. Computing McGraw-Hill, 1988. ISBN 0-07-034207-5. A quiet book with good examples of a sparse and sensible style not often seen today.
  • Kernighan, Brian W., and Dennis M. Ritchie. The C Programming Language 2nd Edition. Englewood Cliffs, NJ: Prentice-Hall, 1988. ISBN 0-13-110362-8. An indispensable guide to the language.
  • Maguire, Steve. Writing Solid Code: Microsoft's Techniques for Developing Bug-Free C Programs. Redmond, Washington: Microsoft Press, 1993. ISBN 1-55615-551-4. Every software engineer working in C should read this book.
  • McConnell, Steve. Code Complete: A Practical Handbook of Software Construction. Redmond, Washington: Microsoft Press, 1993. ISBN 1-55615-484-4. A true classic. We could have quoted it several more times. Please read this book.
  • McGraw, Gary, and Edward W. Felten. Securing Java: Getting Down to Business with Mobile Code, 2nd Edition. New York, NY: John Wiley & Sons, 1999. ISBN 047131952X. A thoughtful treatment of a technical subject. See the book's web site at http://www.securingjava.com.
  • Northcutt, Stephen and Judy Novak. Network Intrusion Detection, 3rd Edition. New York, NY: Que Publishing, 2002. ISBN 0735712654. A good introduction, well written with a great deal of technical detail.
  • Perrow, Charles. Normal Accidents. New York, NY: Princeton University Press, 1999. ISBN 0691004129. An entertaining yet analytical review of various large-scale twentieth-century accidents. Makes a useful distinction between "accidents" and "incidents," and explains Normal Accident Theory.
  • Reason, James. Human Error. New York: Cambridge University Press, 1990. ISBN 052131494. An analysis of the reasons people (and especially engineers) make mistakes.
  • Sheinwold, Alfred. Five Weeks to Winning Bridge, Reissue Edition. New York, NY: Pocket Books, 1996. ISBN 0671687700. At the beginning of this book we quote Mr. Sheinwold about learning from the mistakes of others. He took his own advice. One can therefore learn quite a bit from his successes, too.
  • Viega, John and Gary McGraw. Building Secure Software. Indianapolis, IN: Pearson/Addison-Wesley, 2002. ISBN 020172152X. A good general guide about how to code secure software, and the pitfalls of haphazard coding and deployment.
  • Voas, Jeffrey and Gary McGraw. Software Fault Injection: Innoculating Programs Against Errors. New York, NY: John Wiley & Sons, 1997. ISBN 0-471-18381-4. The standard text on this increasingly popular technique for application testing.
  • Weinberg, Gerald. Psychology of Computer Programming, Silver Anniversary Edition. New York, NY: Dorset House, 1998. ISBN 0932633420. The first book to explore the implications of using human beings to write programs. Indispensable to thinking about the causes of software vulnerabilities.
Papers and Articles
Web Sites and Online Resources

Of the hundreds (now, perhaps, thousands) of sites on the Web that address some facet of secure coding, the ones we have listed below are those we recommend you check first.
A Final Note on Resources

Interest in the topic of secure coding is increasing daily. In the three years from 2000 to 2003, for example, the number of relevant books, papers, and sites available on the Web--by our informal count--roughly quadrupled.


Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.
webmaster@securecoding.org