
Wednesday, January 04, 2006

Software Security Bookshelf

Since posting the article Towards More Secure Software, a couple of people have emailed me asking for references on secure software development. There's a lot written on the subject, and I'm sorry to say there's no one single reference I can point people to. Rather... I can give you a list of titles on my bookshelf...

General Software Security


The book on the top of my list these days is Security and Usability : Designing Secure Systems that People can Use. Edited by Lorrie Cranor and Simson Garfinkel, the text contains contributions from some of the industry's brightest minds on the subject. I like to think of this book as a text that points you in the right direction rather than telling you how to get over every obstacle along the way.

Computer Security : Art and Science by Matt Bishop gets my vote as best overall introduction to the subject. It's got a little bit of a philosophical slant to it, so you're not going to find things like "how to implement canaries to defend against buffer overflows" in this text. You will, however, find information like how to structure your application to leverage cryptographic and access control primitives to ensure confidentiality of sensitive data and positive control over the flow of execution. Great stuff. If you read but one book about computer security this year, let it be this one.

Practical Guidance


There's plenty of free advice on the Internet these days, not all of it worth reading. However... David Wheeler's Secure Programming for Linux and Unix HOWTO - Creating Secure Software is a wonderful place to start if you're a Unix programmer. Even if you're not a Unix guy... you might want to peruse this online text while waiting for other books to arrive from Amazon.com.

John Viega and Gary McGraw penned the text Building Secure Software which is a good introduction to the subject. It's getting a little dated and includes little about how to deal with fundamental security technologies such as SSL / TLS and X.509 certificates, but what is in there is pretty good.

If you're a Windows developer, you probably want to take a look at Writing Secure Code by Dave LeBlanc and Michael Howard. When Microsoft had their "Security Stand-Down" a couple of years back, developers were given a copy of this book and told to read it. We still see a lot of vulnerabilities in Microsoft products; I'm guessing this has more to do with aggressive development schedules than any lack of good info in this text. If you do any Windows coding, you'll be doing yourself a favor by spending a few weeks really digesting the contents of this text.

Thinking Like An Attacker


One obstacle to writing good, clean, secure code is not understanding how attackers get into systems. There are a couple of resources out there that can help you put aside your trusting nature and learn how bad guys exploit weaknesses in systems to pry their way in. Before rushing out and buying any texts on the subject, however, sit down and read Smashing the Stack for Fun and Profit. There aren't many technical details here you won't find in some of the texts above, but it's presented in the context of an attacker, not a defender. Besides, it's free, and the buffer overflow seems to pop up just about everywhere, so it's great to have a review.

Security Warrior by Anton Chuvakin and Cyrus Peikari is another book I offer with the caveat that it's more useful as a guide to understanding how attackers think rather than what tools they use. Reading this book won't make you a "hacker," but if you've got the kernel of a hacker in your soul, it can help draw it out.

Next I have a pair of books: Takedown by Tsutomu Shimomura and John Markoff and The Art of Deception by Kevin Mitnick. Mitnick was the famed hacker once thought so dangerous he could take down the international banking system should he be left alone with a pay phone for a few minutes. This is total garbage, of course. Mitnick is about as technical as my big toe (though as big toes go, mine is fairly technical.) However... he is a master of human engineering. In the old days he would have been called a "con man," but add a bit of jargon to your come-on and voila!, you're a hacker! Shimomura is the real deal though; he's got a brilliant technical mind and a demonstrated ability for profound, individual thought. But you need to understand the thought process of both types: con man and tech-savvy hacker. Get both books.

Crypto


What's a security bookshelf without a few books on cryptography? Unless you've been under a rock for the last decade, you've probably seen Bruce Schneier's Applied Crypto. If you have no experience with crypto whatsoever, this is as good an intro as any. Personally, I'm a little more partial to Doug Stinson's Cryptography : Theory and Practice, as I like Stinson's writing style a little more. It does, however, have a bit more math than Schneier's book, so if you're math-o-phobic, you might want to stick with Applied Crypto.

If you think you're going to be called upon to implement crypto functions, or you need to know a bit more detail about how things work under the hood, Handbook of Applied Crypto by Menezes, et al. is a great text. What makes it even greater is you can download it as a series of PDFs from the Handbook of Applied Crypto page.

If you're doing anything at all with secure communications, you'll eventually be asked to do something with SSL (Secure Sockets Layer) or its successor TLS (Transport Layer Security). TLS is pretty easy to understand at a conceptual level, but when it comes time to actually make implementation decisions, there are a bunch of little details you've got to get right. A lot of people start off by trying to make heads or tails of the OpenSSL documentation. I recommend reading Eric Rescorla's SSL and TLS: Designing and Building Secure Systems or SSL & TLS Essentials: Securing the Web by Stephen A. Thomas first. Rescorla's text is good if you're comfortable with a moderate degree of technical detail. Thomas' is good if you want the tech-o-meter turned down a bit.

One thing I've noticed about all these texts though... they're pretty light in their coverage of Elliptic Curve Cryptography. Adoption of ECC has lagged behind the discrete-log (DL) and RSA families of public key algorithms for a number of reasons. But a couple of new technologies have sprung up that make ECC worth looking at again. There are plenty of high-quality ECC implementations out there from people like Certicom and RSA. But ECC has traditionally suffered because some aspects of its use are still covered by patents, and it's generally a lot easier to explain the RSA algorithm to non-specialists. I can't do anything about the IP encumbrance issue, but I can recommend A Course in Number Theory and Cryptography and Introduction to Elliptic Curves and Modular Forms. They are not for those with a fear of equations; lotsa math here. But if that doesn't scare you away, they're GREAT books.

Finally, there are no great books about X.509 and PKI. Texts on the subject tend to be either so broad as to provide no real technical guidance or so focused on technical minutiae that overarching concepts are impossible to pick out. Carlisle Adams and Steve Lloyd's Understanding PKI: Concepts, Standards, and Deployment Considerations is about the best I've seen for a good, healthy overview. They sometimes seem to throw in unnecessary technical detail in places; other sections are frustratingly devoid of technical detail. Overall, however, it's a good text.

Well... that's it. Fifteen books and a couple of web pages should keep you busy for a while.

1 Comment:

At 12:06 PM, Matthew S. Hamrick said...

And let's not forget the NIST Computer Security Clearinghouse site for standards and technology recommendations.
