This is an HTML rendering of a working paper draft that led to a publication. The publication should always be cited in preference to this draft using the following reference:

The document's metadata is available in BibTeX format.

This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.

Diomidis Spinellis Publications

Copyright © 2002 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept, ACM Inc., fax +1 (212) 869-0481, or

Book review: Building Secure Software: how to Avoid Security Problems the Right Way

Diomidis Spinellis
Athens University of Economics and Business

John Viega and Gary McGraw
Building Secure Software: how to Avoid Security Problems the Right Way
Addison Wesley, 2001.
493 pp. ISBN 0201-72152-X

The global scale of internetworked computers has placed increased emphasis on the security of the software implementing the clients and servers running on our networks. Indeed, many current computer security practices such as firewalls and intrusion detection systems can be attributed to the sloppy security practices used in the software they are entrusted to protect. "Building Secure Software" addresses many aspects of the process and practices that need to be followed to write secure software.

The authors rightly argue that the current "penetrate and patch" attitude common in many software development projects is not sustainable: software needs to be designed and implemented in a secure way from the ground up. Secure software has to address a number of different and sometimes conflicting goals including the prevention of security problems, traceability, monitoring, privacy, confidentiality, authentication, and integrity. As in all engineering, developers have to balance these requirements against tight budgets and event tighter deadlines. The risk management approach described in the book offers a way to appropriately address the importance of each requirement during the entire project's life cycle: from requirements, to design, to implementation, to security testing.

The choice of the implementation platform, and, recently, the decision to release source code for a project are important aspects influencing security. McGraw and Viega describe the many problems associated with using C/C++ as a development language (yet admit of commonly using it in their projects) and the issues associated with Java security. They also examine the security aspects of distributed object platforms, operating systems, and authentication technologies. The discussion of the open-source code model as a way to develop secure software is interesting and well-balanced. The authors espouse ten guiding principles for building secure software: from "secure the weakest link" to "use your community resources". Your reviewer found the description of the architectural security analysis through the use of attack trees and the overview of software auditing tools and techniques highly informative.

The rest of the book offers concrete practical advice on the actual task of coding secure software. Although it is difficult to discern the methodological principles guiding the division of the examined issues, the ground covers most common security problems. The advice is divided into areas according to the underlying low-level security implementation issues: buffer overflows, access, control, race conditions, randomness, cryptography application, trust management, password authentication, databases, clients, and firewalls. Many issues are illustrated using C (or, less commonly, Java) source code examples and, also, counterexamples from real incidents. Apart from an unwarranted, in your reviewers opinion, 30 page detailed description of stack overflow attacks (complete with examples of sample exploiting code), the treatment is well balanced and instructive. Microsoft Windows-related material appears sparsely among the many Unix-centered examples, but is not completely absent.

An appendix discussing cryptography basics, selected references, and a detailed index complete the book's offering. This is a book that will indeed help software practitioners design and implement secure software.