Prior to joining McAfee, Viega was founder and chief technology officer at Secure Software. Marco Morana of Foundstone proposes a long-term, holistic software. To date, most software security books have focused solely on writing secure code and educating developers on how to do that. Functional and Security Testing of Web Applications and Web Services (paperback) 2. His research interests include survivability, computer and network security, anonymity, cryptographic protocols, and cryptography. Software security has grown up, right under our noses. His previous work has included a formal analysis of the Secure Sockets Layer protocol (SSL), intrusion detection, analysis of distributed denial-of-service tools, and the security of IP communications in space. Foundstone offers comprehensive security training on building secure software and applications, assessing vulnerabilities to defend against hacker attacks, and improving incident response. Some of them rely on the reuse of security knowledge.
This paper describes techniques, tools, and labs for integrating web application security into both types of classes. Attacks and Defense is a powerful guide to the latest information on web attacks and defense. Security experts Stuart McClure (lead author of Hacking Exposed), Saumil Shah, and Shreeraj Shah present a broad range of web attacks and defense. How to Avoid Security Problems the Right Way, by Gary McGraw and John Viega, published by Addison-Wesley Pub Co, ISBN 020172152X, 2002. The Ethical Hack. John Viega, founder and chief scientist of Secure Software. Building Secure Software cuts to the heart of computer security to help you get security right the first time. Where those designations appear in this book, and Addison-Wesley.
DEF CON 10 video speeches from the hacker convention. McGraw is coauthor of the groundbreaking books Building Secure Software and Exploiting Software, both from Addison-Wesley. Subverting the Windows Kernel, a book in my Addison-Wesley Software Security Series. Rigorously test and improve the security of all your web software. Saumil was the director of Indian operations for Foundstone Inc., where he was. James is the author of How to Break Software (Addison-Wesley, 2002) and coauthor. Thus, web developers would be wise to consider it as part of their reference library on secure web programming. Enhancing the Development Life Cycle to Produce Secure Software answers the questions of why software security is important, why so much software is not.
His fifth book, Exploiting Software (Addison-Wesley), was released in February 2004. With Mark Curphey. About John Viega: John is the coauthor of three books on application security, Building Secure Software (Addison-Wesley, 2001), Network Security with OpenSSL (O'Reilly, 2002) and the Secure Programming Cookbook (O'Reilly, 2003). Web application scanners are automated, black-box testing tools that examine web applications. Mike Andrews is a senior consultant at Foundstone, specializing in software. This book isn't about creating a correct web application architecture, nor is it about. Despite some existing surveys about security requirements engineering, there. To wit, Gartner analyst Joseph Feiman published the first-ever Magic Quadrant for software security tools in February (see below). System and network administrators who are interested in learning what's going on in their firewalls, servers, network, and systems.
Focused around the three pillars of software security introduced in the book Software Security, the series expands deeply into applied best practices and essential knowledge. He holds an MS in software engineering from Southern Methodist University and a BS in mathematics from Clarkson University. Enhancing the Development Life Cycle to Produce Secure Software. How to Avoid Security Problems the Right Way (Addison-Wesley Professional Computing) 01 by Viega, John, McGraw, Gary R. He also built the CLASP application security process, which is available online. Jamie has over 17 years of experience in operating system security. George cofounded Foundstone in 1999, and his vision and entrepreneurial spirit helped attract a world-class management team to join him in building one of the most successful and dominant private security companies. Speaker Biographies, OWASP AppSec USA 2011: your life is.
How a process model can help bring security into software. Gary McGraw, Cigital's CTO, is a leading authority on software security. See the story behind the top security practitioners, researchers, thought leaders, and developers who spoke on software security at the OWASP AppSec USA 2011 application security conference on September 22-23, 2011 at the Minneapolis Convention Center in Minneapolis, Minnesota. See the complete profile on LinkedIn and discover Carric's. Previously, Saumil was the director of Indian operations for Foundstone Inc., where he was instrumental in developing their web application security assessment methodology and the web assessment component of FoundScan (Foundstone's managed security services software), and was instrumental in pioneering Foundstone's Ultimate Web Hacking training class. McAfee security training, security, education: McAfee. Enhancing the Development Life Cycle to Produce Secure. This disciplined approach will not alleviate all vulnerabilities but will increase the likelihood of building secure software to meet users' needs in a cost-effective fashion. By tracking revenue from both tools providers and services firms, we can get some idea of how quickly the market is growing, and which parts of the market are driving growth.
Black Hat Europe 2005 speakers, topics and abstracts. Prior to working for DMZGlobal, Simon was a Linux-centric software engineer for. Jamie served as a computer scientist at the NSA and coauthored Rootkits. Before joining Foundstone, Mike was a freelance consultant and developer of. Whether you've loved the book or not, if you give your honest and detailed thoughts then people will find new books that are right for them. In order for students to be prepared for the current threat environment, we need to integrate web application security into the IT curriculum. Jamie has an undergrad degree from James Madison University in Virginia, and an MS in computer science from University. If you are serious about computer security, you need to read this book, which includes essential lessons for both security professionals who have come to realize that software is the problem, and software developers who intend to make. Security in the Software Lifecycle, SEI Digital Library, Carnegie.
A Framework for Business Value Penetration Testing, by James S. This book begins where its predecessors left off, describing in detail how to put software security into practice. A secure software development life cycle requires a process model wherein process improvements are managed from a common framework. Reusable knowledge in security requirements engineering. Black, Building a Test Suite for Web Application Scanners, IEEE Computer Society 2008 8. Exploiting Software (Addison-Wesley, 2004), Building Secure Software (Addison-Wesley, 2001), Software Fault Injection (Wiley, 1998), Securing Java (Wiley, 1999), and Java Security (Wiley, 1996). How to Break Web Software, however, does contain a lot of information about how not to architect and code a web application. The underlying concepts behind software security have developed over almost a decade, and were first described in Building Secure Software (Viega and McGraw) and Exploiting Software (Hoglund and McGraw). Every large organization I know is building web applications and most of them are doing it badly.
BPF Performance Tools (Addison-Wesley Professional Computing Series). View Carric Dooley's profile on LinkedIn, the world's largest professional community. Mick is the author of Linux Journal's popular Paranoid Penguin security columns, and of the upcoming book Building Secure Servers with Linux (O'Reilly and Associates, October 2002). Privacy: What Developers and IT Professionals Should Know. S3: System Log Aggregation, Statistics, and Analysis, Marcus Ranum, Tenable Security, Inc. Security is a concern that must be taken into consideration starting from the early stages of system development. How to Avoid Security Problems the Right Way (paperback, Addison-Wesley Professional Computing Series) at.
This is in some ways the second book in a series on security programming. Simon is currently employed by DMZGlobal, an MSSP in New Zealand tasked with building and managing secure environments for a variety of customers in the. Over the last two decades, researchers and engineers have developed a considerable number of methods for security requirements engineering. A Confluence of Disciplines, authors Kenneth van Wyk, Mark Graff, Dan Peters and Diana Burley take a. The Addison-Wesley Software Security Series, Gary McGraw contributing editor, is the premier collection of titles in software security.
Malaiya, Quantitative Vulnerability Assessment of Systems Software, Proc. Functional and Security Testing of Web Applications and Web Services (Pap/Cdr) by Andrews, Mike, Whittaker, James A. Building secure software requires a combination of people, processes, and tools. He is a contributing author to New Riders' recent publication Building Linux Virtual Private Networks (VPN). He is author of several DACS state-of-the-art reports on software engineering topics. How to Avoid Security Problems the Right Way (Addison-Wesley Professional Computing Series), Viega, John, McGraw, Gary, on. This tutorial covers techniques and software tools for building your. He has over 30 years of experience in software development, systems development, and software project management. George charted Foundstone's strategic course, positioning the company as a premier pure-play security solutions provider. Both information security and web programming classes need to cover this topic.
I start with Exploiting Software by Greg Hoglund and Gary McGraw, published by Addison-Wesley. Elizabeth Fong, Romain Gaucher, Vadim Okun and Paul E. Tiller, Auerbach Publications, ISBN 084931609X, 2005. This is a very popular book, but I have held off reading it until I have the necessary programming background to really appreciate it. Viega is a well-known security expert and cryptographer and has coauthored several books, including Building Secure Software, Secure Programming Cookbook, Network Security with OpenSSL and The 19 Deadly Sins of Software Security. IEEE Reliability and Maintainability Symposium, 2005, pp. How to Avoid Security Problems the Right Way (Addison-Wesley Professional Computing Series). Integrating Web Application Security into the IT Curriculum.
A secure software development life cycle requires a process model. Build Security In is one example of such an initiative. This is due to lack of documentation and awareness of the threats and attack methods. Other readers will always be interested in your opinion of the books you've read. If you design, develop, or manage the building of large software systems or plan to do so, or if you are interested in acquiring such systems for your corporation or government agency, use Software Architecture in Practice, Second Edition, to get up to speed on the current state of software architecture. Cannon provides an invaluable map to guide developers through the dark forest created by the collision of cutting-edge software development and personal privacy. His areas of expertise include firewall architecture and integration, security policy, network application security, and Unix and NT system security. Building Secure Software provides expert perspectives and techniques to help you ensure the security of. Larry Suto, Analyzing the Accuracy and Time Costs of Web Application Security Scanners, 2010 9. This paper describes the design of a test suite for thorough evaluation of web application scanners. How to Avoid Security Problems the Right Way (paperback, Addison-Wesley Professional Computing Series) by John Viega, 2001-10-04, John Viega. Application security considerations are often treated as the domain of specialists, to be applied after coding is done.