From the book lists at Adware Report:

All information current as of 00:39:38 Pacific Time, Saturday, 19 March 2005.

Innocent Code : A Security Wake-Up Call for Web Programmers

   by Sverre H. Huseby

  Paperback:
    John Wiley & Sons
    27 February, 2004

   US$29.70

   Usually ships in 24 hours


Editorial description(s):

Review
"...the security book that all web developers need to read...sound advice...ignore at peril..." (Tech Book Report, January 2004)

"...achieves its aims admirably..." (PC Utilities, April 2004)

"...should be required reading for web developers..." (about.com, March 2004)

"...if you are a web techie you will love this book, I did..." (Infosecurity Today, July 04)


Book Info
The text focuses on a small, and often neglected, piece of the web site security picture: program code security. For coders and programmers of dynamic Web applications. DLC: Computer security.



About the Author
Sverre Huseby runs his own company selling courses and consultancy services in Web application security. He is an active participant on the webappsec mail forum.



Book Description
* This concise and practical book shows where code vulnerabilities lie, without delving into the specifics of each system architecture, programming or scripting language, or application, and how best to fix them
* Based on real-world situations taken from the author's experience of tracking coding mistakes at major financial institutions
* Covers SQL injection attacks, cross-site scripting, data manipulation in order to bypass authorization, and other attacks that work because of missing pieces of code
* Shows developers how to change their mindset from Web site construction to Web site destruction in order to find dangerous code
Reader review(s):

Focused info for developers more than security pros, March 17, 2004
This book is similar in many respects to Web Hacking: Attacks and Defense (ISBN ). While that book was aimed at security professionals who needed to understand the exposures and vulnerabilities in web systems that were commonly exploited by the bad guys and gals, this book is aimed more at developers.

Like the former book, this one systematically covers exposures and vulnerabilities, and provides remedies at the code level. What sets this book apart is that every component of a modern web site, from web server to backend database, is covered, problem areas from a developer's perspective are highlighted, and solutions for resolving the problem areas are given. I like this book because developers, from casual hobbyists to professionals, will easily grasp the information. More importantly, the material is not insultingly simple to experienced developers, nor is it over the head of less experienced ones.

Another reason I like this book is that, in systematically uncovering exposures, the QA team can also use it as a sourcebook for developing a baseline set of test cases that will catch security-related problems during acceptance, functional qualification, or regression test cycles.

In my opinion not only should web developers (including DBAs) and QA professionals read this book, but it should also be adopted by development organizations and projects as a part of coding standards.

Highly recommended, August 6, 2004
Security is a serious issue, and education of the developer about writing secure code is extremely important. There are a lot of books out there that write either about how to configure your servers or about the various security technologies (cryptography, WSE etc.). This is not unimportant, but it is incomplete because it ignores weaknesses introduced through coding practices.
The author manages a tight and very readable book that is addressed at the software developer. It can be read in about a day or an afternoon (if you happen to be stranded at an airport lounge). I will be suggesting it as one of our standard literature titles on the development floor.

A great tool, November 30, 2004
Aside from the publication errors (two chapter 2's, and part of chapter 1 at the end of chapter 2 - arg), the book is full of great examples and useful information for developers and IT security auditors. If nothing else, it helps to provide simple examples of possible exploits. (And given the publication errors, my copy is a collector's item...) Cheers!!!
