One thing that should be part of every Security Development Lifecycle (SDL) is static code analysis.
This topic is explained in great detail in Secure Programming with Static Analysis.
Chapter 1, The Software Security Problem, explains why security is easy to get wrong and why typical methods for catching bugs aren’t effective for finding security vulnerabilities.
Chapter 2, Introduction to Static Analysis, explains that static analysis involves a software program checking the source code of another software program to find structural, quality, and security problems.
Chapter 3, Static Analysis as Part of Code Review, explains how static code analysis can be integrated into a security review process.
Chapter 4, Static Analysis Internals, describes how static analysis tools work internally and what trade-offs are made when building them.
This concludes the first part of the book that describes the big picture. Part two deals with pervasive security problems.
Chapter 5, Handling Input, describes how programs should deal with untrustworthy input.
Chapter 6, Buffer Overflow, and chapter 7, Bride of Buffer Overflow, deal with buffer overflows. These chapters are not as interesting for developers working with modern languages like Java or C#.
Chapter 8, Errors and Exceptions, talks about unexpected conditions and the link with security issues. It also handles logging and debugging.
Chapter 9, Web Applications, starts the third part of the book about common types of programs. This chapter looks at security problems specific to the Web and HTTP.
Chapter 10, XML and Web Services, discusses the security challenges associated with XML and with building up applications from distributed components.
Chapter 11, Privacy and Secrets, switches the focus from AppSec to InfoSec with an explanation of how to protect private information.
Chapter 12, Privileged Programs, continues with a discussion on how to write programs that operate with different permissions than the user.
The final part of the book is about gaining experience with static analysis tools.
Chapter 13, Source Code Analysis Exercises for Java, is a tutorial on how to use Fortify (a trial version of which is included with the book) on some sample Java projects.
Chapter 14, Source Code Analysis Exercises for C, does the same for C programs.
This book is very useful for anybody working with static analysis tools. Its description of the internals of such tools helps with understanding how to apply the tools best.
I like that the book is filled with numerous examples that show how the tools can detect a particular type of problem.
Finally, the book makes clear that any static analysis tool will give both false positives and false negatives. You should really understand security issues yourself to make good decisions. When you know how to do that, a static analysis tool can be a great help.
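To make that last point concrete, here is a deliberately minimal taint checker (an added example, not code from the book or from this review) that flags `os.system()` calls fed by `input()`. Run over three constructed snippets it produces a true positive, a false positive (it does not know `shlex.quote` is a sanitizer) and a false negative (it only tracks taint through plain variable names, so a dictionary entry slips past it); the source name, sink name and snippets are all assumptions chosen for illustration.

```python
import ast

SOURCE = "input"          # input() returns data the user (or an attacker) controls
SINK = ("os", "system")   # os.system(cmd) hands that data to a shell


def _names_in(node):
    """Variable names referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def _is_source(node):
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == SOURCE)


def _is_sink(node):
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and isinstance(node.func.value, ast.Name)
            and (node.func.value.id, node.func.attr) == SINK)


def find_tainted_sinks(src):
    """Return line numbers of os.system() calls that receive input()-derived data.

    Intentionally naive: walks top-level statements in order, propagates taint
    only through assignments to plain names, and models no sanitizers."""
    tainted, hits = set(), []
    for stmt in ast.parse(src).body:
        if isinstance(stmt, ast.Assign):
            value_tainted = _is_source(stmt.value) or bool(_names_in(stmt.value) & tainted)
            for target in stmt.targets:
                if isinstance(target, ast.Name) and value_tainted:
                    tainted.add(target.id)
        elif isinstance(stmt, ast.Expr) and _is_sink(stmt.value):
            if any(_names_in(arg) & tainted for arg in stmt.value.args):
                hits.append(stmt.lineno)
    return hits


# Constructed samples; each is a tiny program handed to the checker as text.
TRUE_POSITIVE = "import os\ncmd = input()\nos.system(cmd)\n"
# Sanitized with shlex.quote, but the checker has no notion of sanitizers -> flagged anyway.
FALSE_POSITIVE = ("import os, shlex\ncmd = input()\n"
                  "safe = 'ls ' + shlex.quote(cmd)\nos.system(safe)\n")
# Taint stored in a dict entry is invisible to a checker that only tracks names -> missed.
FALSE_NEGATIVE = "import os\nargs = {}\nargs['c'] = input()\nos.system(args['c'])\n"
```

Each reported line still needs a human to decide whether the flow is really exploitable, and a clean report does not mean the code is clean.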