Item description for Programmer's Ultimate Security DeskRef by James C. Foster...
The Programmer's Ultimate Security DeskRef is the only complete desk reference covering multiple languages and their inherent security issues. It will serve as the programming encyclopedia for almost every major language in use. While many books are starting to address the broad subject of security best practices within the software development lifecycle, none has yet addressed the overarching technical problem of incorrect function usage. Most books fail to connect best-practice security principles to actual code implementation. This book bridges that gap and covers the most popular programming languages, such as Java, Perl, C++, C#, and Visual Basic.
Promise Angels is dedicated to bringing you great books at great prices. Whether you read for entertainment, to learn, or for literacy - you will find what you want at promiseangels.com!
Est. Packaging Dimensions: Length: 9.21" Width: 7.87" Height: 1.34" Weight: 2.51 lbs.
Release Date Nov 20, 2004
ISBN 1932266720 ISBN13 9781932266726
Availability 0 units.
More About James C. Foster
Foster is the Deputy Director of Global Security Solution Development for Computer Sciences Corporation where he is responsible for the vision and development of physical, personnel, and data security solutions.
Reviews - What do customers think about Programmer's Ultimate Security DeskRef?
Appallingly bad Jul 26, 2007
Based on snippets posted online, the authors and publishers of this book should be deeply ashamed of themselves. The "Risks" sections of various Common Lisp functions are complete gibberish: for instance, warning about wildcard characters in filenames when discussing the IMPORT function, which has nothing to do with filenames. But that's just one example of many. Basically nothing of what I've seen that they say about the "Risks" associated with Common Lisp makes any sense at all.
Bogus information, a high-impact security risk Jun 14, 2005
Quick perusal finds several Lisp functions whose assessment is utterly bogus. Lest you believe this is limited to less well-known languages, consider this:
This book lists the C function "gets" as a *low-impact* security risk, whereas in the real world it is one of the more common points-of-attack for buffer-overflows.
Don't buy unless you intend to sue the author.
Terse and incomplete Dec 19, 2004
Don't look to this book to really teach you anything about secure programming. It's merely a limited command reference for a handful of languages (oddly including Lisp but excluding Java) with very brief notes on the security implications of each. It was very strange to flip through this book and find literally NO text or introductions anywhere; I really think a few pages should have been added to give some background on each language, including any general guidance with regard to security. At least an introduction to language-independent secure programming concepts should have been included at the beginning. This book basically relies on the back outside cover to clue the reader in to what it's about and why it's important.
Further lowering the book's value are its large print and extremely thin, rough, cheap-feeling pages (which seems to be typical of current Syngress releases), and lack of an index. Unless you're already familiar with secure programming practices and just need a pure reference to point out selected "harmful" commands in the covered languages, I don't think this book is worth buying. There's a lot more to secure programming than what this book provides and, in fact, it may mislead developers into thinking that secure programming is merely about proper use of certain unsafe functions and methods.
Very good with a couple of minor caveats... Dec 5, 2004
If you're a typical programmer, you may be unaware of the potential security risks of certain statements in your language of choice. The new book Programmer's Ultimate Security DeskRef by James C. Foster (Syngress) can help you in that area.
For as far as this book goes, it does a nice job. Each chapter for a language lists the language, and how it's used (like an example program line). There's a summary of what it does, along with a short description of how it should be used. You then get into the security aspect with a section on risk (how it might be used or exploited by an attacker), impact of the risk, and a list of additional resources where you can find more information on the risk issue. Finally, if applicable, there's a cross-reference to any other language statements that might have the same issue.
The information that's contained in the book is good, to be sure. If you use any of these languages in your normal coding efforts, you'll likely discover hidden risks in your program that you didn't know existed. I would have liked to see two other features in the book, however. The first thing I would have liked is to see a more concrete example of the potential exploit. Some of the risk assessments are general in nature, and you might have a hard time trying to bridge the gap between general caution and actual usage. And second, it seems like there could have been some additional languages added to the mix. Visual Basic isn't included (although it could be argued that VBA is close enough). Java seems to be an obvious exclusion, and it would have been much more valuable to me with that language included. And if you included ASP, you could have just as easily included JSP along with it.
Even with those omissions or caveats, it's still a valuable addition to a programmer's bookshelf.
why no Java? Nov 21, 2004
This book takes a neat approach to computer security issues. The authors consider a set of languages, like C, C++ and C#. For each, they provide a list of functions and explain how these might be compromised by an attacker writing code that calls them. Often, the attacker might tweak the input arguments in such a way as to have a buffer overflow. Or, she might call a function with perfectly ok arguments. But she could use the answer to deduce important information. For example, in C, the realpath function could return data that identifies the operating system and even user and security information.