on 6 December 2014
I bought this book on the basis of its good reviews, and on the whole I am glad that I did, although as I read through it I wasn't always so sure. I found it a frustrating read in some places.
It is clear that the authors have a bias towards high-level programming. They assume that the reader is familiar with web-site programming techniques, but provide a detailed description of how a stack works. My background is embedded assembly, C and occasionally C++. As a result I know how a stack works, but would have welcomed more detail in the concepts behind the web application sins.
The cryptographic sins left me feeling that the authors were trying too hard to fit such a broad topic into their preferred format. The subject is worthy of a book in its own right. As an example, the authors equated stream ciphers with RC4 and because RC4 is no longer considered secure they recommended avoiding stream ciphers altogether. A more detailed discussion might have considered how block-cipher modes can be used to implement stream ciphers, and how stream ciphers should always be used with effective integrity mechanisms.
Nevertheless the book is now in my reference library and I know I will refer to in the future. On a number of occasions I came across insights that made me sure that buying and reading it was a good investment.
on 15 September 2011
Noticed there were no reviews on this on amazon.co.uk, been some time since I bought it.
Having owned the previous "edition" for years I did NOT think twice before ordering this one when it was published.
The 24 deadly sins cover the things you MUST consider, the ESSENTIAL security stuff you CANNOT miss. Got it? This is probably one of the most important books about security, which you will return to again and again to remind yourself of the importance, and to make sure you can persuade others to the risks associated with these security issues.
This said lets look into some details, the parts included are very vendor neutral (good thing), covers multiple languages (some bias perhaps, but pretty neutral), the book includes lots of code examples to show the problems and lots of references to papers, tools, methods - enough to keep anyone busy doing better at software security.
The product description already list the specific sins, so there you have it - buy the book, hit your developers or yourself repeatedly if you forget some of these when doing development, system work, implementation projects etc.
Highly recommended - and do NOT consider it "old" just because it is published in 2009, the stuff is still too important.
on 2 December 2012
This book is VERY good, I mean, VERY GOOD! It goes straight to the point, it shows the weaknesses, then explains them, then shows you tons of solutions that you can use right away out of the box.
It is very easy and fast to read, so its a good book when you're with shortage of time!