Jamie served as a computer scientist at the NSA and coauthored Rootkits. Marco Morana of Foundstone proposes a long-term, holistic software. Enhancing the Development Life Cycle to Produce Secure Software answers the questions of why software security is important, why so much software is not. Tiller, Auerbach Publications, ISBN 084931609X, 2005. Speaker biographies, OWASP AppSec USA 2011, your life is. A secure software development life cycle requires a process model. George cofounded Foundstone in 1999, and his vision and entrepreneurial spirit helped attract a world-class management team to join him in building one of the most successful and dominant private security companies. For example, Build Security In is an example of such an initiative. Black, Building a test suite for web application scanners, IEEE Computer Society, 2008, 8. Previously, Saumil was the director of Indian operations for Foundstone Inc, where he was instrumental in developing their web application security assessment methodology and the web assessment component of FoundScan, Foundstone's managed security services software, and was instrumental in pioneering Foundstone's Ultimate Web Hacking training class. This tutorial covers techniques and software tools for building your. How to Avoid Security Problems the Right Way, Addison-Wesley Professional Computing Series.
See the story behind the top security practitioners, researchers, thought leaders, and developers who spoke on software security at the OWASP AppSec USA 2011 application security conference on September 22-23, 2011 at the Minneapolis Convention Center in Minneapolis, Minnesota. How to Break Web Software, however, does contain a lot of information about how not to architect and code a web application. McGraw is coauthor of the groundbreaking books Building Secure Software and Exploiting Software, both from Addison-Wesley. System and network administrators who are interested in learning what's going on in their firewalls, servers, network, and systems. Application security considerations are often treated as the domain of specialists, to be applied after coding is done. Larry Suto, Analyzing the accuracy and time costs of web application security scanners, 2010, 9. DEF CON 10 video speeches from the hacker convention. S3 system log aggregation, statistics, and analysis, Marcus Ranum, Tenable Security, Inc. BPF Performance Tools, Addison-Wesley Professional Computing Series.
Foundstone offers comprehensive security training on building secure software and applications, assessing vulnerabilities to defend against hacker attacks, and improving incident response. He also built the CLASP application security process, which is available online. How to Avoid Security Problems the Right Way, paperback, Addison-Wesley Professional Computing Series, at. If you are serious about computer security, you need to read this book, which includes essential lessons for both security professionals who have come to realize that software is the problem, and software developers who intend to make. His areas of expertise include firewall architecture and integration, security policy, network application security, and Unix and NT system security. His previous work has included a formal analysis of the Secure Sockets Layer protocol (SSL), intrusion detection, analysis of distributed denial-of-service tools, and the security of IP communications in space. To date, most software security books have focused solely on writing secure code and educating developers on how to do that. This paper describes techniques, tools, and labs for integrating web application security into both types of classes. Functional and Security Testing of Web Applications and Web Services, Pap/Cdr, by Andrews, Mike, Whittaker, James A. This is a very popular book, but I have held off reading it until I have the necessary programming background to really appreciate it. This book isn't about creating a correct web application architecture, nor is it about. Building Secure Software provides expert perspectives and techniques to help you ensure the security of. PDF: Building a test suite for web application scanners.
Integrating web application security into the IT curriculum. How a process model can help bring security into software. Gary McGraw, Cigital's CTO, is a leading authority on software security. Attacks and Defense is a powerful guide to the latest information on web attacks and defense. If you design, develop, or manage the building of large software systems or plan to do so, or if you are interested in acquiring such systems for your corporation or government agency, use Software Architecture in Practice, Second Edition, to get up to speed on the current state of software architecture. This disciplined approach will not alleviate all vulnerabilities but will increase the likelihood of building secure software to meet users' needs in a cost-effective fashion. This paper describes the design of a test suite for thorough evaluation of web application scanners. Prior to joining McAfee, Viega was founder and chief technology officer at Secure Software. In order for students to be prepared for the current threat environment, we need to integrate web application security into the IT curriculum. Black Hat Europe 2005 speakers, topics and abstracts. John Viega, founder and chief scientist of Secure Software.
A secure software development life cycle requires a process model wherein process improvements are managed from a common framework. Enhancing the development life cycle to produce secure. Functional and Security Testing of Web Applications and Web Services, paperback, 2. With Mark Curphey, about John Viega: John is the coauthor of three books on application security, Building Secure Software (Addison-Wesley, 2001), Network Security with OpenSSL (O'Reilly, 2002) and the Secure Programming Cookbook (O'Reilly, 2003). A Confluence of Disciplines, authors Kenneth van Wyk, Mark Graff, Dan Peters and Diana Burley take a. The underlying concepts behind software security have developed over almost a decade, and were first described in Building Secure Software (Viega and McGraw) and Exploiting Software (Hoglund and McGraw). Some of them rely on the reuse of security knowledge. Viega is a well-known security expert and cryptographer and has coauthored several books, including Building Secure Software, Secure Programming Cookbook, Network Security with OpenSSL and The 19 Deadly Sins of Software Security.
This is in some ways the second book in a series on security programming. Saumil was the director of Indian operations for Foundstone Inc, where he was. Rigorously test and improve the security of all your web software. Prior to working for DMZGlobal, Simon was a Linux-centric software engineer for. Cannon provides an invaluable map to guide developers through the dark forest created by the collision of cutting-edge software development and personal privacy. He holds an MS in software engineering from Southern Methodist University and a BS in mathematics from Clarkson University. Subverting the Windows Kernel, a book in my Addison-Wesley Software Security Series. Both information security and web programming classes need to cover this topic. Every large organization I know is building web applications and most of them are doing it badly. Jamie has an undergrad degree from James Madison University in Virginia, and an MS in computer science from University. His fifth book, Exploiting Software (Addison-Wesley), was released in February 2004. Wiley, 1998, and Building Secure Software (Addison-Wesley, 2001).
View Carric Dooley's profile on LinkedIn, the world's largest professional community. His research interests include survivability, computer and network security, anonymity, cryptographic protocols, and cryptography. Mike Andrews is a senior consultant at Foundstone, specializing in software. How to Avoid Security Problems the Right Way, by Gary McGraw and John Viega, published by Addison-Wesley Pub Co, ISBN 020172152X, 2002. The Ethical Hack. Privacy: What Developers and IT Professionals Should Know. This is due to lack of documentation and awareness of the threats and attack methods. He is a contributing author to New Riders' recent publication Building Linux Virtual Private Networks (VPN). I start with Exploiting Software by Greg Hoglund and Gary McGraw, published by Addison-Wesley. Focused around the three pillars of software security introduced in the book Software Security, the series expands deeply into applied best practices and essential knowledge.
By tracking revenue from both tools providers and services firms, we can get some idea of how quickly the market is growing, and which parts of the market are driving growth. Where those designations appear in this book, and Addison-Wesley. How to Avoid Security Problems the Right Way, Addison-Wesley Professional Computing, 01, by Viega, John, McGraw, Gary R. IEEE Reliability and Maintainability Symposium, 2005, pp. This book begins where its predecessors left off, describing in detail how to put software security into practice. Web application scanners are automated, black-box testing tools that examine web applications.
George charted Foundstone's strategic course, positioning the company as a premier pure-play security solutions provider. Thus, web developers would be wise to consider it as part of their reference library on secure web programming. Before joining Foundstone, Mike was a freelance consultant and developer of. Elizabeth Fong, Romain Gaucher, Vadim Okun and Paul E. How to Avoid Security Problems the Right Way, paperback, Addison-Wesley Professional Computing Series, by John Viega, 2001-10-04, John Viega. Malaiya, Quantitative vulnerability assessment of systems software, Proc.
James is the author of How to Break Software (Addison-Wesley, 2002) and coauthor. To wit, Gartner analyst Joseph Feiman published the first-ever Magic Quadrant for software security tools in February (see below). Reusable knowledge in security requirements engineering. Building secure software requires a combination of people, processes, and tools. Security is a concern that must be taken into consideration starting from the early stages of system development. Over the last two decades, researchers and engineers have developed a considerable number of methods for security requirements engineering. Building Secure Software cuts to the heart of computer security to help you get security right the first time.
Despite some existing surveys about security requirements engineering, there. Software security has grown up, right under our noses. He is the coauthor of How to Break Web Software (Addison-Wesley, 2006). Mick is the author of Linux Journal's popular Paranoid Penguin security columns, and of the upcoming book Building Secure Servers with Linux (O'Reilly and Associates, October 2002).
McAfee security training, security, education, McAfee. How to Avoid Security Problems the Right Way, Addison-Wesley Professional Computing Series, Viega, John, McGraw, Gary, on. Security experts Stuart McClure (lead author of Hacking Exposed), Saumil Shah, and Shreeraj Shah present a broad range of web attacks and defense. Enhancing the Development Life Cycle to Produce Secure Software.
Simon is currently employed by DMZGlobal, an MSSP in New Zealand tasked with building and managing secure environments for a variety of customers in the. The Addison-Wesley Software Security Series, Gary McGraw contributing editor, is the premier collection of titles in software security. Functional and Security Testing of Web Applications and Web Services. Security in the software lifecycle, SEI Digital Library, Carnegie.
Exploiting Software (Addison-Wesley, 2004), Building Secure Software (Addison-Wesley, 2001), Software Fault Injection (Wiley, 1998), Securing Java (Wiley, 1999), and Java Security (Wiley, 1996). A Framework for Business Value Penetration Testing, by James S. Jamie has over 17 years of experience in operating system security. He has over 30 years of experience in software development, systems development, and software project management. He is author of several DACS state-of-the-art reports on software engineering topics.