Secure Coding: Principles & Practices

Secure Coding Home \| O'Reilly.com \| Books \| Conferences \| O'Reilly Network

About the Book

  Table of Contents
  Sample Chapter
  Advance Praise
  Reviews
  Press Release
  Order
  FAQ
  Errata

About the Authors

  Bios of Mark and Ken
  Articles
  Op/Ed
  Thanks

Book Companion

  Additional Case Studies
  Checklists
  Software Tools
  Code Snippets
  Bibliography and Links
  Contributions
  Analysis of Topical
    Vulnerabilities

SC-L Mailing List

Contact Us

  Email Addresses
  URLs
  Phone Numbers
  Contact O'Reilly

Events Calendar

Conferences

Media Kit/Info

  Press Releases
  Link to Articles
  Link to Op/Eds

This site graciously hosted
by our friends at

Resources - Web Companion

This document is adapted (with permission) from the appendix in Secure Coding: Principles and Practices (O'Reilly, 2003), and contains a list of the books, papers, articles, and web sites that have inspired us and served as sources for this book. We do our best here to point to the places that provide the best resources for more information.

Of course, this short list is in no sense a complete survey of the literature of our growing field. We welcome your comments, suggestions, and additions to this list, and reserve the right to include or not include them in any subsequent editions or printings of Secure Coding. If you are interested in contributing, please contact us.

Books

Anderson, Ross. Security Engineering. New York, NY: John Wiley & Sons, 2001. ISBN 0-471-38922-6. A stunning achievement by a great engineer. Highly readable. Only a few chapters are directly relevant to secure coding, but we recommend the entire volume for its surprising insights.
Bentley, Jon. Programming Pearls, Second Edition. Reading, MA: Addison-Wesley Longman, 2000. ISBN 0-201-65788-0. Justifiably famous collection of sound programming practices and tips.
Brooks, Frederick P. The Mythical Man-Month: Essays on Software Engineering, Anniversary Edition. New York, NY: Addison-Wesley, 1995. ISBN 0201835959 . Classic work on the practice and business of software development and the management of projects.
Garfinkel, Simson, Gene Spafford, and Alan Schwartz. Practical Unix & Internet Security, 3rd Edition. Sebastopol, CA: O'Reilly & Associates, Inc., 2003. ISBN 1-56592-323-4. Comprehensive, a true tour-de-force. Chapter 16, "Writing Secure SUID and Network Programs," was a lightning bolt when first published and remains indispensable today.
Gong, Li. Inside Java 2 Platform Security. Reading, MA: Addison Wesley Longman, 1999. ISBN 0-201-31000-7. Worth reading simply for Dr. Gong's description of the Java jail, of which he was the principal designer.
Howard, Michael. Designing Secure Web-Based Applications for Microsoft Windows 2000. Redmond, Washington: Microsoft Press, 2000. ISBN 0-7356-0995-0. Excellent example of platform-specific advice.
Kernighan, Brian W., and P. J. Plauger. Elements of Programming Style. Computing McGraw-Hill, 1988. ISBN 0-07-034207-5. A quiet book with good examples of a sparse and sensible style not often seen today.
Kernighan, Brian W., and Dennis M. Ritchie. The C Programming Language 2nd Edition. Englewood Cliffs, NJ: Prentice-Hall, 1988. ISBN 0-13-110362-8. An indispensable guide to the language.
Maguire, Steve. Writing Solid Code: Microsoft's Techniques for Developing Bug-Free C Programs. Redmond, Washington: Microsoft Press, 1993. ISBN 1-55615-551-4. Every software engineer working in C should read this book.
McConnell, Steve. Code Complete: A Practical Handbook of Software Construction. Redmond, Washington: Microsoft Press, 1993. ISBN 1-55615-484-4. A true classic. We could have quoted it several more times. Please read this book.
McGraw, Gary, and Edward W. Felten. Securing Java: Getting Down to Business with Mobile Code, 2nd Edition. New York, NY: John Wiley & Sons, 1999. ISBN 047131952X. A thoughtful treatment of a technical subject. See the book's web site at http://www.securingjava.com.
Northcutt, Stephen and Judy Novak. Network Intrusion Detection, 3rd Edition. New York, NY: Que Publishing, 2002. ISBN 0735712654. A good introduction, well written with a great deal of technical detail.
Perrow, Charles. Normal Accidents. New York, NY: Princeton University Press, 1999. ISBN 0691004129. An entertaining yet analytical review of various large-scale twentieth-century accidents. Makes a useful distinction between "accidents" and "incidents," and explains Normal Accident Theory.
Reason, James. Human Error. New York: Cambridge University Press, 1990. ISBN 052131494. An analysis of the reasons people (and especially engineers) make mistakes.
Sheinwold, Alfred. Five Weeks to Winning Bridge, Reissue Edition. New York, NY: Pocket Books, 1996. ISBN 0671687700. At the beginning of this book we quote Mr. Sheinwold about learning from the mistakes of others. He took his own advice. One can therefore learn quite a bit from his successes, too.
Viega, John and Gary McGraw. Building Secure Software. Indianapolis, IN: Pearson/Addison-Wesley, 2002. ISBN 020172152X. A good general guide about how to code secure software, and the pitfalls of haphazard coding and deployment.
Voas, Jeffrey and Gary McGraw. Software Fault Injection: Innoculating Programs Against Errors. New York, NY: John Wiley & Sons, 1997. ISBN 0-471-18381-4. The standard text on this increasingly popular technique for application testing.
Weinberg, Gerald. Psychology of Computer Programming, Silver Anniversary Edition. New York, NY: Dorset House, 1998. ISBN 0932633420. The first book to explore the implications of using human beings to write programs. Indispensable to thinking about the causes of software vulnerabilities.

Papers and Articles

Advosys Consulting. "Preventing HTML Form Tampering." 2001. See http://advosys.ca/tips/form-tampering.html. Lots of good technical tips.
Advosys Consulting. "Writing Secure Web Applications." 2001. See http://advosys.ca/tips/web-security.html. As above, many sound technical tips.
Aleph1. "Smashing the Stack for Fun and Profit." Phrack Magazine. 49-14. 1996. See http://www.phrack.org/phrack/49/P49-14. Detailed, accurate, and deadly.
Al-Herbish, Thamer. "Secure Unix Programming FAQ." 1999. See http://www.whitefang.com/sup. Excellent and detailed, with good technical detail.
Anderson, Robert H. and Anthony C. Hearn. "An Exploration of Cyberspace Security R&D Investment Strategies for DARPA: The Day After... in Cyberspace II." Rand Corporation. MR-797-DARPA. 1996. Abstract available online at http://www.rand.org/cgi-bin/Abstracts/e-getabbydoc.pl?MR-797. A discussion of security retrofitting as part of a strategy for critical infrastructure protection.
Anonymous. "SETUID(7), the SETUID Man Page." Date unknown. Available online at http://www.homeport.org/~adam/setuid.7.html. Perhaps the earliest discussion of the security issues involved with Unix setuid programming, and certainly one of the best.
AusCERT. "A Lab Engineers Check List for Writing Secure Unix Code." Australian Computer Emergency Response Team. 1996. Available online at ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist. One of the first such formulations. It was one of the primary inspirations for our own book. Still quite valuable.
Bellovin, Steven M. "Shifting the Odds--Writing (More) Secure Software." Murray Hill, NJ: AT&T Research. 1994. Available online from Dr. Bellovin's site at http://www.research.att.com/~smb/talks/odds.pdf. A clear and accurate discussion of good secure coding techniques by an authority on the subject.
Bishop, Matt. "Race Conditions, Files, and Security Flaws; or the Tortoise and the Hare Redux ." Course lecture notes from CSE 95-08. 1995. Available online at http://seclab.cs.ucdavis.edu/projects/vulnerabilities/scriv/ucd-ecs-95-08.pdf. An early and definitive discussion of race condition vulnerabilities by a leading academic researcher.
Bishop, Matt. "UNIX Security: Security in Programming." SANS. 1996. See http://olympus.cs.ucdavis.edu/~bishop/secprog.html. An excellent set of recommendations.
Bishop, Matt. "Writing Safe Privileged Programs." Network Security Conference. 1997. See http://olympus.cs.ucdavis.edu/~bishop/secprog.html. An early and excellent set of comprehensive recommendations.
Bishop, Matt. "Vulnerabilities Analysis." Presentation slides. 1997. Available online at http://nob.cs.ucdavis.edu/~bishop/talks/Pdf/vulclass-raid1999.pdf. A comprehensive overview.
Bishop, Matt, and Michael Dilger. "Checking for Race Conditions in File Accesses." 1996. Not available at press time from the UC Davis archives. See http://milliways.stanford.edu/~radoshi/summaries/Bishop_Dilger_Checking_for_Race_Conditions.html. Overall, the best analysis of race conditions we have seen to date.
CERT/CC. "CERT Survivability Project Report" Computer Emergency Response Team Coordination Center (CERT/CC). 1996. Available online at http://www.ieee-security.org/Cipher/Newsbriefs/1996/960223.kerbbug.html. Good material on building robust systems.
CERT/CC. "How To Remove Meta-characters From User-Supplied Data In CGI Scripts." Computer Emergency Response Team Coordination Center. 1999. Available online from the CERT/CC repository. See http://www.cert.org/tech_tips/cgi_metacharacters.html. Expert advice on a common problem.
Cowan, Crispin, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade." Proceedings of DARPA Information Survivability Conference and Expo (DISCEX). 1999. See http://www.immunix.org/StackGuard/discex00.pdf. A detailed explanation by leading analysts.
Cowan, Crispin, Steve Beattie, Ryab Finnin Day, Calton Pu, Perry Wagle, and Erik Walthinsen. "Protecting Systems from Stack Smashing Attacks with StackGuard." Proceedings of the 1998 Usenix Security Conference. Available online at http://www.immunix.org/StackGuard/usenixsc98.pdf. The paper that introduced StackGuard. Very clear explanation of buffer overflow vulnerabilities, the stack smashing attack, and one technique to stop it.
Daemon9. "Project Neptune." Phrack Magazine , 48-13. 1996. Available online at http://www.phrack.org/phrack/48/P48-13. The first article about SYN flooding to get wide distribution.
Dole, Bryn, Steve Lodin, and Eugene Spafford. "Misplaced Trust: Kerberos 4 Session Keys." Proceedings of the 1997 ISOC Conference. 1997. Available online at http://www.isoc.org/isoc/conferences/ndss/97/dole_sl.pdf. Details of the "non-random random numbers" vulnerability in Kerberos 4 by the people who found it.
Du, Wenliang. "Categorization of Software Errors That Led to Security Breaches." Proceedings of the 1998 NISSC. 1998. Available online at http://csrc.nist.gov/nissc/1998/proceedings/paperF9.pdf. A good discussion of security vulnerability taxonomy schemes.
Galvin, Peter. "Designing Secure Software." SunWorld. 1998. Available online at http://www.sunworld.com/swol-04-1998/swol-04-security.html. Brief but clear description of some fundamental issues.
Garfinkel, Simson. "21 Rules for Writing Secure CGI Programs." 1997. See http://www.webreview.com/1997/08_08/developers/08_08_97_3.shtml. Good sound clear advice.
Gong, Li. "Java Security Model." Sun Microsystems. 1998. Available online at http://java.sun.com/products/jdk/1.2/docs/guide/security/spec/security-spec.doc.html. A general description by the principal architect.
Graff, Mark G. "Sun Security Bulletin 122." Sun Microsystems. 1993. See http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/122. The Sun security bulletin that talks about the "tarball" vulnerability.
Graff, Mark G. "Sun Security Bulletin 134." Sun Microsystems. 1996. See http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/134. The Sun security bulletin that talks about the Java "classloader" vulnerability.
Graham, Jeff. "Security-Audit's Frequently Asked Questions (FAQ)." 1999. See http://lsap.org/faq.txt. Brief but informative.
Gundavaram, Shishir, and Tom Christiansen. Perl CGI Programming FAQ. Date unknown. See http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html. Some good material on avoiding Perl CGI security vulnerabilities.
Hardin, Garrett, "The Tragedy of the Commons." Science. (162) 1968. An uncommon insight with wide application.
Krsul, Ivan, Eugene Spafford, and Mahesh Tripunitara. "An Analysis of Some Software Vulnerabilities." 1998. See http://widsard.sourceforge.net/doc/03.pdf. An outstanding, highly technical analysis of several vulnerability types.
Kuperman, Benjamin A., and Eugene Spafford. "Generation of Application Level Audit Data via Library Interposition." CERIAS Tech Report TR-99-11. 1999. An excellent example of modern security analysis techniques.
LeBlanc, David. "Integer Handling with the C++ SafeInt Class." 2004. Microsoft Development Network. See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure01142004.asp.
McGraw, Gary and John Viega. "Make Your Software Behave: Learning the Basics of Buffer Overflows." 2000. See http://www-106.ibm.com/developerworks/security/library/s-overflows/. Clear, accurate description of what causes buffer overflows and how to avoid coding them.
Miller, Barton P. "An Empirical Study of the Reliability Of UNIX Utilities." Communications of the ACM, 33-12. 1990. Miller's original article about the Fuzz program. Entertaining, brilliant, seminal discussion of black-box testing.
Miller, Barton P., David Koski, Cjin Pheow Lee, Vivekananda Maganty, Ravi Murthy, Ajitkumar Natarajan, and Jeff Steidl. "Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services." 1995. See http://www.opensource.org/advocacy/fuzz-revisited.pdf. A worthy follow-up to the original.
Miller, Todd C. and Theo de Raadt. "strlcpy and strlcat--Consistent, Safe, String Copy and Concatenation." Proceedings of Usenix. 1999. See http://www.courtesan.com/todd/papers/strlcpy.html. Introduces new "tamper-resistant" versions of two Unix system calls.
Mudge. "How to Write Buffer Overflows." 1995. Available online at http://www.insecure.org/stf/mudge_buffer_overflow_tutorial.html. Extremely technical and deadly accurate.
NCSA. "NCSA Secure Programming Guidelines." 1997. Available online. See http://www.ncsa.uiuc.edu/General/Grid/ACES/security/programming. Brief but clear discussion of C, CGI, Perl, and some Unix shell scripting languages.
NCSA. "Writing Secure CGI Scripts." 1997. Available online from the National Center for Supercomputer Applications (NCSA) repository. See http://hoohoo.ncsa.uiuc.edu/cgi/security.html. Excellent overview.
Phillips, Paul. "Safe CGI Programming." Last updated in 1997. See http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt. Slightly dated but still useful.
Rain Forest Puppy. "Perl CGI problems." Phrack Magazine. 55-07. 1999. See http://www.insecure.org/news/P55-07.txt. A discussion of CGI security vulnerabilities.
Ranum, Marcus J. "Security-critical coding for programmers--A C and UNIX-Centric Full-Day Tutorial." 1998. Available online from Mr. Ranum's repository. See http://www.ranum.com/pubs/pdf/security-for-developers.pdf. Very worthwhile.
Reshef, Eran and Izhar Bar-Gad. "Web Application Security." See http://www.sanctuminc.com/pdf/Web_Application_Security_TISC.pdf. The paper that introduced the AppShield product, an advance in web application testing.
Saltzer, J.H., and M.D. Schroeder, "The Protection of Information in Computer Systems." Proceedings of the IEEE. 63-9. 1975. An early analysis of computer security architecture principles that is still perfectly accurate.
SecuriTeam. "Sendmail smrsh Bypass Vulnerabilities." SecuriTeam security bulletin. 2002. Available in the SecuriTeam online repository. See http://www.securiteam.com/unixfocus/6F0030A5PG.html. Bulletin that pointed out security vulnerabilities in smrsh, the Sendmail wrapper program.
Shostack, Adam. "Security Code Review Guidelines." 1999. Available online at http://www.homeport.org/~adam/review.html. Good technical description of how to avoid coding in several kinds of vulnerabilities.
Sibert, W. Olin. "Malicious Data and Computer Security." NISSC. 1996. Available online at http://www.fish.com/security/maldata.html. Clearly written yet detailed look at vulnerabilities arising from malicious data, and how to avoid them.
Sitaker, Kragen. "How to Find Security Holes." 1999. Available online at http://www.canonical.org/~kragen/security-holes.html. Accurate and useful look at both high-level and low-level design problems.
Soo Hoo, Kevin, Andrew W. Sudbury, and Andrew R. Jaquith. "Tangible ROI through Secure Software Engineering." Secure Business Quarterly. 1-2. 2001. Available online at http://www.sbq.com/sbq/rosi/sbq_rosi_software_engineering.pdf. An economic analysis of the cost of fixing security vulnerabilities at various stages in the software development cycle.
Spafford, Eugene H. "Crisis and Aftermath." Communications of the ACM. 32-6. 1989. An analysis of the 1988 Internet (Morris) worm.
Spafford, Eugene H. "UNIX and Security: The Influences of History." Information Systems Security. Auerbach Publications. 4-3. 1995. Describes how Unix utilities were developed at Berkeley, and explores the security implications.
Spafford, Eugene H. "One View of A Critical National Need: Support for Information Security Education and Research." Purdue University document COAST TR 97-8. 1997. See http://www.cerias.purdue.edu/homes/spaf/usgov/edu.pdf. Congressional testimony identifying what Dr. Spafford called a "national crisis" in information security education.
Stein, Lincoln D., and John N. Stewart. "The World Wide Web Security FAQ." Various versions. See http://www.w3.org/Security/Faq/www-security-faq.html. Good detailed technical treatment of many web security issues.
Stephenson, Peter. "Book Review: Information Security Architecture," SC Magazine . 2001. See http://www.scmagazine.com/scmagazine/sc-online/2001/review/005/product_book.html. A short but helpful view of enterprise security architecture.
Strickland, Karl. "Re: A plea for calm Re: [8lgm]-Advisory-6.UNIX.mail2.2-May-1994." Comment on comp.security.unix discussion thread. 1994. An exchange about how hard (or easy) it is for a large software vendor to fix several security vulnerabilities at the same time.
Sun Microsystems. "Secure Code Guidelines." 2000. Available online from http://www.java.sun.com/security/seccodeguide.html. Gives tips in three areas: privileged code, Java, and C.
Swanson, Marianne, and Barbara Guttman. "Generally Accepted Principles and Practices for Securing Information Technology Systems." National Institute of Standards and Guidelines Computer Security Special Publication 800-14. 1996. See http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf. This report of the GASSP committee is one of the best summaries of sound security architecture and design principles.
Thompson, Ken. "Reflections on Trusting Trust." Communications of the ACM. 27-8. 1984. Chilling, authoritative discussion of the chain of trust.
Van Biesbrouck, Michael. "CGI Security Tutorial." 1996. See http://www.info.lk/techweb/security/cgi/index.html. Contains many good CGI-specific technical tips.
Venema, Wietse. "Murphy's law and computer security." 1996. Available from from Dr. Venema's site at ftp://ftp.porcupine.org/pub/security/murphy.txt.gz. An expert and highly readable exposition of several types of common implementation errors, including not-truly-random numbers (e.g., the Kerberos 4 bug) and race condition troubles.
Venema, Wietse. "TCP Wrappers." 1997. Available from ftp://ftp.porcupine.org/pub/security/tcp_wrapper.txt.Z. Entertaining article about the genesis of TCP Wrappers.
World Wide Web Consortium. "The World Wide Web Security FAQ." 1997. See http://www.w3.org/Security/Faq/wwwsf5.html. Useful and accurate technical advice on safe CGI scripts and other similar topics.
Yoder, Joseph and Jeffrey Barcalow. "Architectural Patterns for Enabling Application Security." Proceedings of the 1997 Pattern Languages of Programming Conference (Plop 1997). 1998. Available online at http://st-www.cs.uiuc.edu/~hanmer/PLoP-97/Proceedings/yoder.pdf. Presents a strong set of architectural principles for secure coding.

Web Sites and Online Resources

Of the hundreds (now, perhaps, thousands) of sites on the Web that address some facet of secure coding, the ones we have listed below are those we recommend you check first.

AusCERT Secure Programming Checklist - Secure programming information from the Australian Computer Emergency Response Team, AusCERT.
FreeBSD Security Information - Security tips specific to the FreeBSD operating system.
Institute for Security and Open Methodologies - Contains, among other things, a repository of secure programming guidelines and testing methodologies. Included in this set is "The Secure Programming Standards Methodology Manual" by Victor A. Rodriguez.
International Systems Security Engineering Association (ISSEA) - A not-for-profit professional organization "dedicated to the adoption of systems security engineering as a defined and measurable discipline."
Packetstorm Tutorials List - A useful list of tutorials on various programming languages, testing methodologies, and more.
Sardonix Web Portal - Dedicated to the promotion of Open Source application security. By utilizing members of the open source community to audit and patch existing and popular Open Source applications, Sardonix strives to improve the overall security of applications and consequently the systems they are installed on.
Secure, Efficient, and Easy C Programming - A useful "howto" document by Timo Sirainen with tips and examples of secure C coding.
Secure Programming for Linux and Unix HOWTO - David Wheeler's "Howto" page for secure programming information specific to Linux and Unix. Not an FAQ, but a substantial online book with accurate and far-ranging advice. Includes specific secure programming tips for Ada95, C, C++, Java, Perl, and Python.
Systems Security Engineering--Capability Maturity Model - Information on the Software Engineering Institute-derived SSE-CMM, which measures the maturity level of system security engineering processes (and provides guidelines to which to aspire).
Secure Unix Programming FAQ - Another document with secure programming tips that are specific to Unix and Unix-like environments.
Windows Security - A repository of information on Microsoft Windows security issues.
Writing Safe Setuid Programs - Home page of Professor Matt Bishop at the University of California at Davis. Contains numerous highly useful and informative papers, including his "Writing Safe Setuid Programs" paper.
The World Wide Web Security FAQ - Security and secure coding tips specific to web environments.
The Open Web Application Security Project - Useful web site with tips, tools, and information on developing secure web-based applications.

A Final Note on Resources

Interest in the topic of secure coding is increasing daily. In the three years from 2000 to 2003, for example, the number of relevant books, papers, and sites available on the Web--by our informal count--roughly quadrupled.