Creating secure code requires more than just good intentions. Programmers need to know that their code will be safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-toothed comb and uncover the kinds of errors that lead directly to security vulnerabilities. Now, there’s a complete guide to static analysis: how it works, how to integrate it into the software development processes, and how to make the most of it during security code review. Static analysis experts Brian Chess and Jacob West look at the most common types of security defects that occur today. They illustrate main points using Java and C code examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar mistakes. This book is for everyone concerned with building more secure software: developers, security engineers, analysts, and testers.

Coverage includes:

Why conventional bug-catching often misses security problems

How static analysis can help programmers get security right

The critical attributes and algorithms that make or break a static analysis tool

36 techniques for making static analysis more effective on your code

More than 70 types of serious security vulnerabilities, with specific solutions

Example vulnerabilities from Firefox, OpenSSH, MySpace, eTrade, Apache httpd, and many more

Techniques for handling untrusted input

Eliminating buffer overflows: tactical and strategic approaches

Avoiding errors specific to Web applications, Web services, and Ajax

Security-aware logging, debugging, and error/exception handling

Creating, maintaining, and sharing secrets and confidential information

Detailed tutorials that walk you through the static analysis process

“We designed Java so that it could be analyzed statically. This book shows you how to apply advanced static analysis techniques to create more secure, more reliable software.”

–Bill Joy, Co-founder of Sun Microsystems, co-inventor of the Java programming language

“'Secure Programming with Static Analysis' is a great primer on static analysis for security-minded developers and security practitioners. Well-written, easy to read, tells you what you need to know.”

–David Wagner, Associate Professor, University of California Berkeley

“Software developers are the first and best line of defense for the security of their code. This book gives them the security development knowledge and the tools they need in order to eliminate vulnerabilities before they move into the final products that can be exploited.”

–Howard A. Schmidt, Former White House Cyber Security Advisor

BRIAN CHESS is Founder and Chief Scientist of Fortify Software, where his research focuses on practical methods for creating secure systems. He holds a Ph.D. in Computer Engineering from University of California Santa Cruz, where he studied the application of static analysis to finding security-related code defects.

JACOB WEST manages Fortify Software’s Security Research Group, which is responsible for building security knowledge into Fortify’s products. He brings expertise in numerous programming languages, frameworks, and styles together with deep knowledge about how real-world systems fail.

CD contains a working demonstration version of Fortify Software’s Source Code Analysis (SCA) product; extensive Java and C code samples; and the tutorial chapters from the book in PDF format.

Part I: Software Security and Static Analysis 1

1 The Software Security Problem 3

2 Introduction to Static Analysis 21

3 Static Analysis as Part of the Code Review Process 47

4 Static Analysis Internals 71

Part II: Pervasive Problems 115

5 Handling Input 117

6 Buffer Overflow 175

7 Bride of Buffer Overflow 235

8 Errors and Exceptions 265

Part III: Features and Flavors 295

9 Web Applications 297

10 XML and Web Services 349

11 Privacy and Secrets 379

12 Privileged Programs 421

Part IV: Static Analysis in Practice 457

13 Source Code Analysis Exercises for Java 459

14 Source Code Analysis Exercises for C 503

Epilogue 541

References 545

Index 559

About the Author

Brian Chess is a founder of Fortify Software. He currently serves as Fortify’s Chief Scientist, where his work focuses on practical methods for creating secure systems. Brian holds a Ph.D. in Computer Engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service. He lives in Mountain View, California.

Jacob West manages Fortify Software’s Security Research Group, which is responsible for building security knowledge into Fortify’s products. Jacob brings expertise in numerous programming languages, frameworks, and styles together with knowledge about how real-world systems can fail. Before joining Fortify, Jacob worked with Professor David Wagner at the

University of California at Berkeley to develop MOPS (MOdel Checking Programs for Security properties), a static analysis tool used to discover security vulnerabilities in C programs. When he is away from the keyboard, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security. He lives in San Francisco, California.

"About this title" may belong to another edition of this title.

Store Description

Visit Seller's Storefront

Seller's business information

BennettBooksLtd
NV, U.S.A.

Sale & Shipping Terms

Terms of Sale

We guarantee the condition of every book as it's described on the Abebooks web sites. If you're dissatisfied with your purchase (Incorrect Book/Not as Described/Damaged) or if the order hasn't arrived, you're eligible for a refund within 30 days of the estimated delivery date. If you've changed your mind about a book that you've ordered, please use the Ask bookseller a question link to contact us and we'll respond within 2 business days.

Right of cancellation

If you are a consumer you can cancel the contract in accordance with the following. Consumer means any natural person who is acting for purposes which are outside his trade, business, craft or profession.

INFORMATION REGARDING THE RIGHT OF CANCELLATION

Statutory Right to cancel

You have the right to cancel this contract within 14 days without giving any reason.

The cancellation period will expire after 14 days from the day on which you acquire, or a third party other than the carrier and indicated by you acquires, physical possession of the the last good or the last lot or piece.

To exercise the right to cancel, you must inform us, BennettBooksLtd, 7765 N Sheridan Rd, 60626, Chicago, Illinois, U.S.A., +1 7733871973, of your decision to cancel this contract by a clear statement (e.g. a letter sent by post, fax or e-mail). You may use the attached model cancellation form, but it is not obligatory. You can also electronically fill in and submit a clear statement on our website, under "My Purchases" in "My Account". If you use this option, we will communicate to you an acknowledgement of receipt of such a cancellation on a durable medium (e.g. by e-mail) without delay.

To meet the cancellation deadline, it is sufficient for you to send your communication concerning your exercise of the right to cancel before the cancellation period has expired.

Effects of cancellation

If you cancel this contract, we will reimburse to you all payments received from you, including the costs of delivery (except for the supplementary costs arising if you chose a type of delivery other than the least expensive type of standard delivery offered by us).

We may make a deduction from the reimbursement for loss in value of any goods supplied, if the loss is the result of unnecessary handling by you.

We will make the reimbursement without undue delay, and not later than 14 days after the day on which we are informed about your decision to cancel with contract.

We will make the reimbursement using the same means of payment as you used for the initial transaction, unless you have expressly agreed otherwise; in any event, you will not incur any fees as a result of such reimbursement.

We may withhold reimbursement until we have received the goods back or you have supplied evidence of having sent back the goods, whichever is the earliest.

You shall send back the goods or hand them over to us or BennettBooksLtd, Sean Bennett ATTN RETURNS, 7765 N Sheridan Rd, 60626, Chicago, Illinois, U.S.A., +1 7733871973, without undue delay and in any event not later than 14 days from the day on which you communicate your cancellation from this contract to us. The deadline is met if you send back the goods before the period of 14 days has expired. You will have to bear the direct cost of returning the goods. You are only liable for any diminished value of the goods resulting from the handling other than what is necessary to establish the nature, characteristics and functioning of the goods.

Exceptions to the right of cancellation

The right of cancellation does not apply to:

the delivery of newspapers, journals or magazines with the exception of subscription contracts; and
the supply of digital content (including ebooks) which is not supplied on a tangible medium (e.g. on a CD or DVD) if you accepted when you placed your order that we could start to deliver it, and that you could not cancel it once delivery had started.

Model withdrawal form

(complete and return this form only if you wish to withdraw from the contract)

To: (BennettBooksLtd, 7765 N Sheridan Rd, 60626, Chicago, Illinois, U.S.A., +1 7733871973)

I/We (*) hereby give notice that I/We (*) withdraw from my/our (*) contract of sale of the following goods (*)/for the provision of the following goods (*)/for the provision of the following service (*),

Ordered on (*)/received on (*)

Name of consumer(s)

Address of consumer(s)

Signature of consumer(s) (only if this form is notified on paper)

Date

* Delete as appropriate.

Shipping Terms

Orders ship within 2 business days. Shipping costs are based on books weighing 2.2 LB, or 1 KG. If your book order is heavy or oversized, we may contact you to let you know extra shipping is required.

Shipping rates within U.S.A.

Shipping rates within U.S.A.
Order quantity	7 to 30 business days	3 to 14 business days
First item	� 5.20	� 7.44

Delivery times are set by sellers and vary by carrier and location. Orders passing through Customs may face delays and buyers are responsible for any associated duties or fees. Sellers may contact you regarding additional charges to cover any increased costs to ship your items.