REVIEW: "Secure Coding", Mark G. Graff/Kenneth R. van Wyk

From: Rob Slade, doting grandpa of Ryan and Trevor
Date: 10/16/03

Date: Thu, 16 Oct 2003 13:24:10 GMT


"Secure Coding", Mark G. Graff/Kenneth R. van Wyk, 2003,
0-596-00242-4, U$29.95/C$46.95
%A Mark G. Graff
%A Kenneth R. van Wyk
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 2003
%G 0-596-00242-4
%I O'Reilly & Associates, Inc.
%O U$29.95/C$46.95 800-998-9938 fax: 707-829-0104
%P 224 p.
%T "Secure Coding: Principles and Practices"

Recent events have demonstrated that we are badly in need of guidance
in the matter of the construction of secure software (or the safe
fabrication of code). This book covers a topic that is very
necessary. Unfortunately, the work is insufficient to the task.

Chapter one provides us with the all-too-common information that
attacks happen, and that there are bugs in software, but at least the
writing style is thought-provoking. At times the material is also
bemusing, as in the beginning of chapter two, which proposes that code
be "just secure enough"--even though the end of the previous chapter
pointed out that premise as one of the problems of software quality.
We are given thirty principles of secure architecture (the first one
of which has at least seventeen sub-points), and while all of them are
good, they are both too many to serve as a convenient guide, and still
not exhaustive of the possible problems. (Number thirty tacitly
admits this, asking "what did I forget?") There are some examples
that provide a limited amount of practical advice on design, in
chapter three, but much of the content is abstract and vague. It is
hard to find a structure or thread through the material, which seems
to be a miscellaneous collection of security topics such as risk
management. Chapter four dispenses good suggestions about
implementation, but the text hardly constitutes any kind of failsafe
process for building software. Operations, in chapter five, seems to
be basically a review of all aspects of security. Chapter six starts
out by bemoaning the fact that so much of testing is done on an ad hoc
basis, without structure and process. This is quite ironic, in view
of the fact that the book can fairly be described as ad hoc, too.

While the advice given in the text is useful and good, it is also
generally well-known, and often unsupported by material in regard to
how the recommended outcomes might be accomplished. This is certainly
a rallying cry for what we need to do, but doesn't necessarily move us
closer to actually doing it.

copyright Robert M. Slade, 2003 BKSECCOD.RVW 20030902

"If you do buy a computer, don't turn it on."     - Richards' 2nd Law