Secure programming with static analysis

Format:

Book

Author/Creator:

Chess, Brian, Author.

Contributor:

West, Jacob, Contributor.

Series:

Addison-Wesley software security series Secure programming with static analysis

Language:

English

Subjects (All):

Computer security--Quality control.

Computer security.

Debugging in computer science.

Computer software.

Physical Description:

1 online resource (624 pages)

Edition:

1st edition

Place of Publication:

[Place of publication not identified] Addison Wesley 2007

Language Note:

English

System Details:

text file

Summary:

The First Expert Guide to Static Analysis for Software Security! Creating secure code requires more than just good intentions. Programmers need to know that their code will be safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-toothed comb and uncover the kinds of errors that lead directly to security vulnerabilities. Now, there’s a complete guide to static analysis: how it works, how to integrate it into the software development processes, and how to make the most of it during security code review. Static analysis experts Brian Chess and Jacob West look at the most common types of security defects that occur today. They illustrate main points using Java and C code examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar mistakes. This book is for everyone concerned with building more secure software: developers, security engineers, analysts, and testers. Coverage includes: Why conventional bug-catching often misses security problems How static analysis can help programmers get security right The critical attributes and algorithms that make or break a static analysis tool 36 techniques for making static analysis more effective on your code More than 70 types of serious security vulnerabilities, with specific solutions Example vulnerabilities from Firefox, OpenSSH, MySpace, eTrade, Apache httpd, and many more Techniques for handling untrusted input Eliminating buffer overflows: tactical and strategic approaches Avoiding errors specific to Web applications, Web services, and Ajax Security-aware logging, debugging, and error/exception handling Creating, maintaining, and sharing secrets and confidential information Detailed tutorials that walk you through the static analysis process “We designed Java so that it could be analyzed statically. This book shows you how to apply advanced static analysis techniques to create more secure, more reliable software.” – Bill Joy, Co-founder of Sun Microsystems, co-inventor of the Java programming language “'Secure Programming with Static Analysis' is a great primer on static analysis for security-minded developers and security practitioners. Well-written, easy to read, tells you what you need to know.” – David Wagner, Associate Professor, University of California Berkeley “Software develope...

Contents:

Cover Page

Title Page

Copyright Page

Dedication

Contents

Praise for Secure Programming with Static Analysis

Addison-Wesley Software Security Series

Foreword

Preface

Acknowledgments

About the Authors

Part I: Software Security and Static Analysis

1. The Software Security Problem

1.1 Defensive Programming Is Not Enough

1.2 Security Features != Secure Features

1.3 The Quality Fallacy

1.4 Static Analysis in the Big Picture

1.5 Classifying Vulnerabilities

1.6 Summary

2. Introduction to Static Analysis

2.1 Capabilities and Limitations of Static Analysis

2.2 Solving Problems with Static Analysis

2.3 A Little Theory, a Little Reality

Summary

3. Static Analysis as Part of the Code Review Process

3.1 Performing a Code Review

3.2 Adding Security Review to an Existing Development Process

3.3 Static Analysis Metrics

4. Static Analysis Internals

4.1 Building a Model

4.2 Analysis Algorithms

4.3 Rules

4.4 Reporting Results

Part II: Pervasive Problems

5. Handling Input

5.1 What to Validate

5.2 How to Validate

5.3 Preventing Metacharacter Vulnerabilities

6. Buffer Overflow

6.1 Introduction to Buffer Overflow

6.2 Strings

7. Bride of Buffer Overflow

7.1 Integers

7.2 Runtime Protection

8. Errors and Exceptions

8.1 Handling Errors with Return Codes

8.2 Managing Exceptions

8.3 Preventing Resource Leaks

8.4 Logging and Debugging

Part III: Features and Flavors

9. Web Applications

9.1 Input and Output Validation for the Web

9.2 HTTP Considerations

9.3 Maintaining Session State

9.4 Using the Struts Framework for Input Validation

10. XML and Web Services

10.1 Working with XML

10.2 Using Web Services

Summary.

11. Privacy and Secrets

11.1 Privacy and Regulation

11.2 Outbound Passwords

11.3 Random Numbers

11.4 Cryptography

11.5 Secrets in Memory

12. Privileged Programs

12.1 Implications of Privilege

12.2 Managing Privilege

12.3 Privilege Escalation Attacks

Part IV: Static Analysis in Practice

13. Source Code Analysis Exercises for Java

Exercise 13.0 Installation

Exercise 13.1 Begin with the End in Mind

Exercise 13.2 Auditing Source Code Manually

Exercise 13.3 Running Fortify SCA

Exercise 13.4 Understanding Raw Analysis Results

Exercise 13.5 Analyzing a Full Application

Exercise 13.6 Tuning Results with Audit Workbench

Exercise 13.7 Auditing One Issue

Exercise 13.8 Performing a Complete Audit

Exercise 13.9 Writing Custom Rules

Answers to Questions in Exercise 13.2

14. Source Code Analysis Exercises for C

Exercise 14.0 Installation

Exercise 14.1 Begin with the End in Mind

Exercise 14.2 Auditing Source Code Manually

Exercise 14.3 Running Fortify SCA

Exercise 14.4 Understanding Raw Analysis Results

Exercise 14.5 Analyzing a Full Application

Exercise 14.6 Tuning Results with Audit Workbench

Exercise 14.7 Auditing One Issue

Exercise 14.8 Performing a Complete Audit

Exercise 14.9 Writing Custom Rules

Answers to Questions in Exercise 14.2

Epilogue

References

Index

Code Snippets.

Notes:

Bibliographic Level Mode of Issuance: Monograph

Includes bibliographical references and index.

Description based on publisher supplied metadata and other sources.

ISBN:

9780321520357

0321520351

9780132702027

0132702029

OCLC:

154684660