Secure Coding: Principles & Practices
Originally published on the Birmingham Perl Mongers website at http://birmingham.pm.org/docs/reviews/securecdng.html

They say you should never judge a book by its cover, but in the case of 'Secure Coding' I'm inclined to make an exception. OK, the front cover picture's never going to make it up onto the wall, but on the back we have glowing recommendations from some very high-profile figures, such as Dr Vinton G. Cerf (co-designer of the TCP/IP protocol) and Dr John J. Hamre (former U.S. Deputy Secretary of Defense).

The authors start by examining a variety of attack types and looking at some of the possible defences. They illustrate how difficult it is to write a truly secure program, especially in modern systems where multiple components interact. To quote my favourite line from the book: "In computer security, the sum of the parts is often a hole". We are shown by real-life examples that this statement is very true.

The next few chapters are structured to follow the typical software development process, from architecture and design, through implementation, then on to deployment, operations, and maintenance. A very important point which is raised is that we may never be able to achieve 100% security within the constraints of a particular project, so the aim should actually be to develop applications that are "just secure enough". The answer to the question "How secure is enough?" will be different for each system, and it is at the architecture level that this needs to be addressed. The analysis and engineering practices to answer this question and develop a sound security architecture are looked at in depth, and while at face value much of this can seem obvious, it is (or not, depending on your point of view) surprising how often such principles are ignored.

Moving on to the implementation phase, we are shown a range of both good and bad practices which can be used as a checklist for developers and code reviewers. Here I would challenge any programmer not to find at least one bad practice that they have at some point been guilty of! While there are very few listings of source code (wherever possible the book is language agnostic, concentrating on techniques rather than specific implementations), 'Secure Coding' contains numerous case studies of both secure and insecure systems. These are real eye-openers to the range of issues that can occur, and at times it does seem like we are fighting a losing battle. But the examples do have the desired effect of promoting a much more security-conscious way of thinking.

I also liked the fact that the authors have managed to keep the book very concise. At less than 200 pages, 'Secure Coding' certainly keeps to the point. Such a wide-ranging topic could easily have produced an 800-page monster - the sort of book that looks impressive on a shelf but in reality will never get taken down to read. By producing such a readable text the authors have gone a long way to ensure that people will actually keep the book to hand and refer to the procedures and principles described on a day-to-day basis.

However, 'Secure Coding' is in no way a panacea - undoubtedly programmers and engineers will read it and still write insecure code. Nor is it a cookbook - it isn't filled with 'cut & paste' recipes that will somehow make your applications resilient to attack. But in this rapidly changing field such an approach would be fundamentally flawed. A testament to this is that a common technique to prevent Ethernet packet sniffing (using switches instead of hubs) was for years assumed to be secure - until of course it was cracked. You never know what's around the corner. The only realistic way to improve computer security in the longer term is to apply security-focused methodologies at each stage in the development cycle.

Designers and architects cannot leave security issues to the programmers, and coders cannot assume that the specifications can handle every test case in an appropriate manner. And this is where 'Secure Coding' really scores. Each chapter provides checklists and questions which are applicable to a wide variety of applications and environments, yet specific enough to pick out the security flaws which could very easily be missed. Whatever area of software development you are involved in, if you are at all concerned with the security of the finished product (and if not, you almost certainly should be!), then you will find 'Secure Coding' to be an essential read.

Copyright © 2003-2008 Jon Allen (JJ)