By Brian Chess
The First professional advisor to Static research for software program Security!
Creating safe code calls for greater than simply solid intentions. Programmers want to know that their code can be secure in a virtually limitless variety of eventualities and configurations. Static resource code research provides clients the power to study their paintings with a fine-toothed comb and discover the types of error that lead on to defense vulnerabilities. Now, there’s an entire consultant to static research: the way it works, the right way to combine it into the software program improvement techniques, and the way to utilize it in the course of protection code evaluate. Static research specialists Brian Chess and Jacob West examine the commonest forms of safeguard defects that take place at the present time. They illustrate details utilizing Java and C code examples taken from real-world defense incidents, displaying how coding mistakes are exploited, how they can were avoided, and the way static research can speedily discover comparable error. This booklet is for everybody enthusiastic about development safer software program: builders, defense engineers, analysts, and testers.
Coverage includes:
Why traditional bug-catching frequently misses defense problems
How static research may help programmers get safety right
The serious attributes and algorithms that make or holiday a static research tool
36 recommendations for making static research more suitable in your code
greater than 70 varieties of critical defense vulnerabilities, with particular solutions
instance vulnerabilities from Firefox, OpenSSH, MySpace, eTrade, Apache httpd, and lots of more
ideas for dealing with untrusted input
disposing of buffer overflows: tactical and strategic approaches
heading off error particular to net functions, internet providers, and Ajax
Security-aware logging, debugging, and error/exception handling
developing, keeping, and sharing secrets and techniques and exclusive information
designated tutorials that stroll you thru the static research process
“We designed Java in order that it may be analyzed statically. This ebook exhibits you the way to use complicated static research ideas to create safer, extra trustworthy software.”
–Bill pleasure, Co-founder of sunlight Microsystems, co-inventor of the Java programming language
“'Secure Programming with Static research' is a brilliant primer on static research for security-minded builders and safeguard practitioners. Well-written, effortless to learn, tells you what you must know.”
–David Wagner, Associate Professor, collage of California Berkeley
“Software builders are the 1st and top defensive line for the protection in their code. This ebook offers them the protection improvement wisdom and the instruments they wish with the intention to cast off vulnerabilities earlier than they movement into the ultimate items that may be exploited.”
–Howard A. Schmidt, Former White condo Cyber safety Advisor
BRIAN CHESS is Founder and leader Scientist of give a boost to software program, the place his study makes a speciality of functional tools for growing safe platforms. He holds a Ph.D. in laptop Engineering from college of California Santa Cruz, the place he studied the applying of static research to discovering security-related code defects.
JACOB WEST manages enhance Software’s defense study crew, that is answerable for development safeguard wisdom into Fortify’s items. He brings services in several programming languages, frameworks, and types including deep wisdom approximately how real-world platforms fail.
CD includes a operating demonstration model of enhance Software’s resource Code research (SCA) product; broad Java and C code samples; and the educational chapters from the e-book in PDF format.
Part I: software program defense and Static Analysis 1
1 The software program safeguard Problem 3
2 advent to Static research 21
3 Static research as a part of the Code evaluation Process 47
4 Static research Internals 71
Part II: Pervasive Problems 115
5 dealing with enter 117
6 Buffer Overflow 175
7 Bride of Buffer Overflow 235
8 error and Exceptions 265
Part III: beneficial properties and Flavors 295
9 internet Applications 297
10 XML and internet Services 349
11 privateness and Secrets 379
12 Privileged Programs 421
Part IV: Static research in perform 457
13 resource Code research routines for Java 459
14 resource Code research workouts for C 503
Epilogue 541
References 545
Index 559
Read Online or Download Secure Programming with Static Analysis PDF
Similar Comptia books
Low Voltage Wiring: Security/Fire Alarm Systems
Best-of-the-best directions for dealing with low voltage wiring The A-Z reference on designing, fitting, retaining, and troubleshooting sleek protection and hearth alarm platforms is now absolutely updated in a brand new version. ready through Terry Kennedy and John E. Traister, authors with over 3 many years of hands-on event apiece within the development undefined, Low Voltage Wiring: Security/Fire Alarm structures, 3rd version offers all of the acceptable wiring information you want to paintings on protection and fireplace alarm platforms in residential, advertisement, and commercial structures.
From the number 1 identify in expert Certification Get at the quickly song to changing into CompTIA A+ qualified with this reasonable, transportable examine software. within, certification education specialist Mike Meyers courses you in your profession direction, delivering specialist information and sound suggestion alongside the way in which. With a radical concentration merely on what you must recognize to go CompTIA A+ tests 220-801 & 220-802, this certification passport is your price tag to luck on examination day.
HackNotes(tm) Linux and Unix Security Portable Reference
Guard your platforms from all kinds of hackers, hijackers, and predators with support from this insightful source. Get thorough, just-the-facts assurance of Linux, UNIX and Solaris, and find out about complicated hacking options together with buffer overflows, password idea, port re-direction, and extra.
Real World Linux Security (2nd Edition)
Your Linux approach should be attacked. Be prepared! genuine global Linux safeguard, moment version brings jointly state of the art suggestions and specific software program for safeguarding your self opposed to state-of-the-art such a lot vicious net assaults. Highlights comprise fabulous new study on IP Tables effectiveness; new how you can block ARP assaults; advances in adaptive firewalls; fast restoration from intrusions; securing instant structures, quick messaging, VPNs, Samba, and Linux 2.
Additional info for Secure Programming with Static Analysis