Software Security: Building Security In and over 900,000 other books are available for Amazon Kindle . Learn more

Quantity:


	Amazon Prime free trial required. Sign up when you check out. Learn more

More Buying Choices

Have one to sell? Sell yours here

Get a �18.30 Amazon.co.uk Gift Card

Share your own customer images

Publisher: learn how customers can search inside this book.

Start reading Software Security: Building Security In on your Kindle in under a minute.

Don't have a Kindle? Get your Kindle here, or download a FREE Kindle Reading App.

Software Security: Building Security In (Addison-Wesley Software Security) [Paperback]

Gary McGraw (Author)

RRP:	�43.99
Price:	�31.67 & this item Delivered FREE in the UK with Super Saver Delivery. See details and conditions
Deal Price:
You Save:	�12.32 (28%)
	o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o

In stock.
Dispatched from and sold by Amazon.co.uk. Gift-wrap available.

Only 2 left in stock--order soon (more on the way).

Want guaranteed delivery by Monday, February 13? Choose Express delivery at checkout. See Details

Formats	Amazon Price		New from	Used from
Kindle Edition	�20.84		--	--
Paperback	�31.67		--	--

Trade In this Item for up to �18.30

Trade in Software Security: Building Security In (Addison-Wesley Software Security) for an Amazon.co.uk gift card of up to �18.30, which you can then spend on millions of items across the site. Trade-in values may vary (terms apply). Find more products eligible for trade-in.

› See more product promotions

Frequently Bought Together

Customers Who Bought This Item Also Bought

24 Deadly Sins of Software Security: Programmin... by Michael Howard
5.0 out of 5 stars (1)

�32.29
The Security Development Lifecycle Book / CD Pa... by Michael Howard
5.0 out of 5 stars (1)

�18.14
Security Engineering: A Guide to Building Dep... by Ross J. Anderson
5.0 out of 5 stars (2)

�27.78
Secure Programming with Static Analysis: Getting S... by Brian Chess

�37.18
Exploiting Software: How to Break Code (Addison-W... by Greg Hoglund

�38.71
The Web Application Hacker's Handbook: Dis... by Dafydd Stuttard
4.8 out of 5 stars (5)

�21.75

Product details

Paperback: 448 pages
Publisher: Addison Wesley; 1 edition (3 Feb 2006)
Language English
ISBN-10: 0321356705
ISBN-13: 978-0321356703
Product Dimensions: 23.4 x 17.9 x 3 cm
Amazon Bestsellers Rank: 444,302 in Books (See Top 100 in Books)

Would you like to update product info or give feedback on images?

See Complete Table of Contents

More About the Author

Discover books, learn about writers, and more.

› Visit Amazon's Gary McGraw Page

Product Description

Review

"Overall, I rekon this was the best new security book I've seen this year. It certainly made me think more than any other security book I've read recently. I'd consider it a must-buy for the serious practitioner."--Ross Anderson, Professor of Security Engineering, University of Cambridge Computer Laboratory

Product Description

"When it comes to software security, the devil is in the details. This book tackles the details."
--Bruce Schneier, CTO and founder, Counterpane, and author of Beyond Fear and Secrets and Lies

"McGraw's book shows you how to make the 'culture of security' part of your development lifecycle."
--Howard A. Schmidt, Former White House Cyber Security Advisor

"McGraw is leading the charge in software security. His advice is as straightforward as it is actionable. If your business relies on software (and whose doesn't), buy this book and post it up on the lunchroom wall."
--Avi Rubin, Director of the NSF ACCURATE Center; Professor, Johns Hopkins University; and coauthor of Firewalls and Internet Security

Beginning where the best-selling book Building Secure Software left off, Software Security teaches you how to put software security into practice.The software security best practices, or touchpoints, described in this book have their basis in good software engineering and involve explicitly pondering security throughout the software development lifecycle. This means knowing and understanding common risks (including implementation bugsand architectural flaws), designing for security, and subjecting all software artifacts to thorough, objective risk analyses and testing.

Software Security is about putting the touchpoints to work for you. Because you can apply these touchpoints to the software artifacts you already produce as you develop software, you can adopt this book's methods without radically changing the way you work. Inside you'll find detailed explanations of

Risk management frameworks and processes
Code review using static analysis tools
Architectural risk analysis
Penetration testing
Security testing
Abuse case development

In addition to the touchpoints, Software Security covers knowledge management, training and awareness, and enterprise-level software security programs. Now that the world agrees that software security is central to computer security, it is time to put philosophy into practice. Create your own secure development lifecycle by enhancing your existing software development lifecycle with the touchpoints described in this book. Let this expert author show you how to build more secure software by building security in.

See all Product Description

Suggested Tags from Similar Products

(What's this?)

Be the first one to add a relevant tag (keyword that's strongly related to this product)

c sharp(6)

microsoft(4)

programming(4)

coding(3)

software(2)

john sharp(1)

visual studio(1)

What Other Items Do Customers Buy After Viewing This Item?

24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them by Michael Howard Paperback
5.0 out of 5 stars (1)

�32.29

Writing Secure Code 2nd Edition by Michael Howard Paperback
5.0 out of 5 stars (3)

�25.27

The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities by Mark Dowd Paperback
5.0 out of 5 stars (3)

�25.59

› Explore similar items

Customer Reviews

There are no customer reviews yet on Amazon U.K.

5 star:		(0)
4 star:		(0)
3 star:		(0)
2 star:		(0)
1 star:		(0)

Share your experience with this product with others

Create your own review

Most Helpful Customer Reviews on Amazon.com ^(beta)

Amazon.com: 4.8 out of 5 stars (20 customer reviews)

46 of 50 people found the following review helpful:

5.0 out of 5 stars A powerful book with deep truths for secure development, 2 Nov 2006

By Richard Bejtlich "TaoSecurity" - Published on Amazon.com

This review is from: Software Security: Building Security In (Addison-Wesley Software Security) (Paperback)

I read six books on software security recently, namely "Writing Secure Code, 2nd Ed" by Michael Howard and David LeBlanc; "19 Deadly Sins of Software Security" by Michael Howard, David LeBlanc, and John Viega; "Software Security" by Gary McGraw; "The Security Development Lifecycle" by Michael Howard and Steve Lipner; "High-Assurance Design" by Cliff Berg; and "Security Patterns" by Markus Schumacher, et al. Each book takes a different approach to the software security problem, although the first two focus on coding bugs and flaws; the second two examine development processes; and the last two discuss practices or patterns for improved design and implementation. My favorite of the six is Gary McGraw's, thanks to his clear thinking and logical analysis. The other five are still noteworthy books. All six will contribute to the production of more security software.

Gary McGraw's book gets my vote as the best of the six because it made the biggest impact on the way I look at the software security problem. First, Gary emphasizes the differences between bugs (coding errors) and flaws (deeper architectural problems). He shows that automated code inspection tools can be applied more or less successfully to the first problem set, but human investigation is required to address the second. Gary applauds the diversity of backgrounds found in today's security professionals, but wonders what will happen when this rag-tag bunch (myself included) is eventually replaced by "formally" trained college security graduates.

Second, Gary explains that although tools cannot replace a flaw-finding human, they can assist programmers trying to avoid writing bugs. Gary is the only author I encountered who acknowledged that it is unrealistic to expect a programmer to keep dozens or hundreds of sound coding practices and historical vulnerabilities in his head while writing software. An automated tool is a powerful way to apply secure coding lessons in a repeatable and measurable manner. Gary also reframed the way I look at software penetration testing, by showing in ch 6 that they are best used to discover environmental and configuration problems of software in production.

Third, Gary is not afraid to point out the problems with other interpretations of the software security problem. I almost fell out of my chair when I read his critique on pp 140-7 and p 213 of Microsoft's improper use of terms like "threat" in their so-called "threat model." Gary is absolutely right to say Microsoft is performing "risk analysis," not "threat analysis." (I laughed when I read him describe Microsoft's "Threat Modeling" as "[t]he unfortunately titled book" on p 310.) I examine this issue deeper in my reviews of Microsoft's books. Gary is also correct when he states on p 153 that "security is more like insurance than it is some kind of investment." I bookmarked the section (pp 292, 296-7) where Gary explained how the "19 Deadly Sins of Software Security" mix "specific types of errors and vulnerability classes and talk about them all at the same level of abstraction." He's also right that the OWASP Top Ten suffers the same problem. Finally, Gary understands the relationships between operators and developers and the importance of security vocabulary.

I was pleasantly surprised by "Software Security". I reviewed an early draft for Addison-Wesley and wondered where the author was taking this book. It ended up being my favorite software security book, easily complementing Gary's earlier book "Building Secure Software." In my opinion, Gary is thinking properly about all the fundamental issues that matter. This book should be distributed to all Microsoft developers to help them frame the software security problem properly.

32 of 36 people found the following review helpful:

5.0 out of 5 stars A must-have for anyone building networked systems, 4 Feb 2006

By Avi Rubin "Computer Security Expert" - Published on Amazon.com

This review is from: Software Security: Building Security In (Addison-Wesley Software Security) (Paperback)

On the one hand, it is risky for me to praise this book. I make my living teaching and practicing computer security. If everyone writing software these days were to read this book, I might eventually find myself out of business.

Gary McGraw, one of the leading security luminaries int he world, has got it right. Security cannot be added to systems once they are built. It must be designed in from the very beginning. The security posture and design must be considered in every phase of the development of a system - from the early design to the actual coding of the instructions.

Gary has done a fanstastic job explaining how to build secure systems, and detailing the importance and complexity of software security.

I've always been a big fan of Gary's, and with this latest installment in his 3 part series, Gary has provided readers with the most important advice and instruction to help keep the bad guys out of your systems.

11 of 11 people found the following review helpful:

5.0 out of 5 stars Required residing for all software developers, 1 Mar 2007

By Ben Rothke "Author of 'Computer Security: 20 ... - Published on Amazon.com

This review is from: Software Security: Building Security In (Addison-Wesley Software Security) (Paperback)

The root cause of many security vulnerabilities is poorly written software. Often, software applications are written without security in mind. The logical, yet elusive, solution is to ensure that software developers are trained in writing secure code.

Software Security: Building Security In is a valiant attempt to show software developers how to do just that. The book is the latest step in Gary McGraw's software security series, whose previous titles include Building Secure Software and Exploiting Software.

In past decades, writing secure code was left to the military and banking industry. Today, with everything on networks, all sectors must get into the act.

Much of the problem is that organizations target their security elsewhere--specifically on networks--rather than on software. But so many malicious attacks are directed at software that it is foolish to leave this vulnerability exposed.

McGraw goes into detail not only about writing secure code but also about key related areas, which he terms "the seven touchpoints of software security."

These points comprise code review, architectural risk analysis, penetration testing, risk-based security tests, abuse cases, security requirements, and security operations. A major portion of the book effectively discusses these "touchpoints," making the work a recommended tool for inculcating software developers with a security mind-set.

› Go to Amazon.com to see all 20 reviews 4.8 out of 5 stars

Were these reviews helpful? Let us know

.jsOffDisplayBlock { display: block; } .jsOffDisplayInline { display: inline; } .jsOffVisibility { visibility: visible; } .jsOnDisplayBlock { display: none; } .jsOnDisplayNoneBlock { display: block; } .jsOnDisplayNoneInline { display: inline; } .jsOnDisplayInline { display: none; } .jsOnVisibility { visibility: hidden; } .jqOnDisplayBlock { display: none; } .jqOnDisplayInline { display: none; } .jqOnVisibility { visibility: hidden; } .jqOnDisplayNoneBlock { display: block; } .jqOnDisplayNoneInline { display: inline; }