There is no mystical spell to be cast upon an application to make it secure. No one single party or solution can be delegated the sole responsibility of making an application secure. Everyone from the software architect, programmer, network specialist, to the end user is responsible for application security. We as programmers have perhaps the greatest degree of responsibility because it is up to us to build secure applications and do so in such a manner that the user experience is not hindered by our efforts.
Writing Secure Code Second Edition should be your starting point in developing more secure applications. The first section of the book provides groundwork for understanding how to begin your security development process. Next you will move into learning about coding techniques that will help you develop more secure applications. You progress from there into even deeper secure coding techniques. The book rounds things out in the final section by addressing areas of special consideration.
While I do suggest reading the book cover to cover, and the writing style is easy to follow, you will find yourself pausing at times to ponder the points made and to ensure you get the full understanding of what is being conveyed. There are sections of code to demonstrate what is being said, and if you are like me you will want to take the time to absorb the code and relate to how it is proving the point being made. The effort you put in to reading and understanding the material in the book will be worth it as evidenced by the increased security you build into your application code.
Even though I like the entire book, if I had to pick a favorite chapter it would have to be the one entitled ‘All Input is Evil!’ It is very easy to forget this golden rule when working on an application, I know because I find myself doing this from time to time. There is a good bit of information to be mined from this chapter alone and it is one that I go back to time and time again. If you think this will be the only chapter regarding input, you are wrong. There is an additional chapter focusing specifically on database input issues and another chapter focusing on web input issues.
I very much feel every programmer and architect should read this book. The comprehensive coverage this book provide means it has a wide audience appeal, so no matter what your coding specialties this book will be of benefit to you. After I completed reading my copy, it remains on my desk within arms reach so that I can refer to it when I find myself in need of refreshing the lessons it has taught me. The book is published as part of the Microsoft Best Practices Series so you know it will be a valued addition to your development library.
Ira Richard Smith