Code Auditing
General / Miscellaneous
-
Building Secure Software (Addison Wesley, 2001)
http://www.buildingsecuresoftware.com/
Building Secure Software by Viega and McGraw is a technical overview of software security. The first few chapters are popular with managers, and the remainder of the book is a useful overview for developers. It's a good first look at the space.
-
Improving Web Application Security: Threats and Countermeasures
http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
This book focuses on building ASP.NET web applications. New as of September, 2003.
-
Java Security Solutions
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764549286.html
This is a dangerous book. The Java crypto APIs are not applied correctly (the authors clearly do not understand the correct use of the technologies within).
-
Secure Coding
http://www.securecoding.org/
A very high-level introduction to secure coding, best suited for managers. Developers should definitely read a text more aimed at their level that covers the same basic concepts, as there are numerous pitfalls to fall into without far more detailed advice (see the other overview books in this section).
-
Securing Java
http://www.securingjava.com
A high-level overview of Java Security, focusing primarily on mobile code issues. It's not a developer's resource, and doesn't cover things like building a secure channel (e.g., SSL), or any of the modern APIs. The book is a reasonable overview of mobile code issues in Java, if somewhat dated.
-
Security Engineering
http://www.cl.cam.ac.uk/~rja14/book.html
This is a marvelous text on secure system design. It is a rich read, filled with many insightful anecdotes.
-
Translucent Databases
http://www.wayner.org/books/td/
This book discusses ways to use cryptographic primitives to protect columns in databases, preserving either secrecy or privacy.
General Cryptography
-
Modern Cryptography: Theory and Practice
http://vig.prenhall.com:8081/catalog/academic/product/0,4096,0130669431,00.html
A phenomenal treatment of modern cryptography, focused on how to make secure cryptographic protocols. See the review on this site.
-
Applied Cryptography
http://www.wiley.com/legacy/compbooks/catalog/11709-9.htm
While a classic in its own right that contains a wealth of knowledge, this book is significantly out of date. It's also dangerous: Schneier himself says that the world is filled with engineers who read the book and went on to build horribly broken systems. That is, this book focuses on the tools in the toolbox and the materials one might use to build things; it does not cover how to design and build a quality system from those components. If you understand that going in, then this is a great resource and a highly entertaining read for the technically inclined.
-
Handbook of Applied Cryptography
http://www.cacr.math.uwaterloo.ca/hac/
Available free on the web (and for sale in hardcover), this is a valuable reference for cryptographers and "crypto plumbers". It requires a bit of tolerance for math. Like most crypto books, this focuses more on the underlying primitives and less on how to apply them properly in the field.
-
Network Security with OpenSSL
http://www.opensslbook.com/
This covers how to use the OpenSSL library in programs. Recent versions of OpenSSL have since broken a couple of parts of the book, so be sure to leverage the book's web site, which has updated code, etc. Note that most of the topics from this book are also covered in some form in the Secure Programming Cookbook.
-
Practical Cryptography
http://www.macfergus.com/pc/
This book discusses how to apply cryptographic primitives in a secure way. The advice is good if you're willing to live within the somewhat rigid bounds set by the authors. That is, it will be useful in many circumstances, but there are common requirements that this book doesn't cover. Do not expect a lot of code, as this book is language independent, going no deeper than protocol-level descriptions (this is not a fault; that is all that is necessary).
Public Key Cryptography
-
SSL and TLS
http://www.rtfm.com/sslbook/
This book is an outstanding reference for the SSL and TLS protocols. It's primarily geared toward people who need to understand the protocol (e.g., to implement it).
Public Key Infrastructure
Symmetric Cryptography
-
The Design of Rijndael
http://www.springer.de/cgi/svcat/search_book.pl?isbn=3-540-42580-2
The reference description of the AES (Rijndael) block cipher. It details the design and discusses the design decisions behind it.
-
The Twofish Encryption Algorithm
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0471353817.html
The reference description of the Twofish block cipher. It details the design and discusses the design decisions behind it.
Unix Programming
-
The Secure Programming for Linux and Unix HOWTO
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html
This is a book that gives quality advice on secure programming practices, geared primarily at Unix programmers. The book is freely available online in several formats. It does a great job of covering basic principles. Despite having very little code, it still provides a lot of practical advice for developers.
Windows Programming
-
Hacking the Code: ASP.NET Web Application Security
http://www.hackingthecode.com
Are your web applications really secure? This unique book walks you through the many threats to your web application code, from managing and authorizing users and encrypting private data to filtering user input and securing XML. For every defined threat, it provides a menu of solutions and coding considerations. Includes code samples in both C# and VB.NET.
-
Visual Basic .NET Code Security Handbook
http://www.wrox.com
A solid coverage of how the .NET security mechanisms apply to VB.NET, along with the odd gotchas that let you use them incorrectly. Also covers input validation, SQL injection, and other areas the .NET mechanisms won't necessarily help you with. It would be a better resource if all the suggestions were pulled together in an appendix, as in Writing Secure Code.
-
Writing Secure Code, 2nd Edition
http://www.microsoft.com/MSPress/books/5957.asp
This book is a great first text for secure programming techniques and surrounding processes for Windows platforms. The only real drawback is the lack of information on cryptography-related subjects. Nonetheless, it's a "must have" for any Windows developer.