Reddit reviews: Writing Secure Code, Second Edition (Developer Best Practices)

We found 8 Reddit comments about Writing Secure Code, Second Edition (Developer Best Practices). Here are the top ones, ranked by their Reddit score.


8 Reddit comments about Writing Secure Code, Second Edition (Developer Best Practices):

u/kobakai · 16 points · r/ItalyInformatica

> Suppose someone (actually more than one, since we are all members of a LUG) wants to start tinkering a bit in this area; what would you recommend?

Doing it :)

> Would setting up a web server and starting to try to break into it with known exploits be a good idea, or is it better to do something else first?

Everything helps (damn, twentieth proverb, I'm turning into Biscardi :). But first of all you need to be clear about the problems at the lower layers: booting from external media, "malicious" forensics (filesystem access, password reset, password extraction, trojanizing the OS, ..), MITM and its derivatives, then nmap and network/service discovery by the bucketload, analysis of every exposed service, and then "finally" you can also devote yourselves to the (web) application side.. :)

There are lots of "playgrounds" to have fun with and learn from, both as VMs to download and as online contests, crackmes & co.; a few off the top of my head:

u/dfhaan · 8 points · r/Games

The values in memory for things like round count, rate of fire, accuracy and recoil were all trusted implicitly from the client with zero validation. Magazine holds a couple hundred thousand bullets? Sounds legit. These all count as user input as they come from an untrusted source (unprotected memory).

If you would like to know more, this is a good book.

Every other multiplayer shooter manages to detect people using magazines that held 999,999,999 bullets and shot at 99,999 rounds per minute.
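
The point of the comment above, that values a client reports about itself are user input from an untrusted source, is shown here as an added example (not code from the thread, the game discussed, or the book): a server-side limits table is the only source of truth, each client report is range-checked against it, and fire requests are judged against the server's own ammo and rate-of-fire record rather than the client's claims. The weapon names and every number in the table are constructed for the example.

```python
"""
Added example (not from the Reddit thread, the game discussed, or the book):
treat every value a client reports about itself as untrusted input. The server
keeps its own authoritative copy of weapon state and checks client reports
against a server-side limits table instead of trusting them.

The weapon names and all numbers below are made up for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Server-authoritative limits (constructed): the only source of truth for
# magazine size and rate of fire. A client cannot change these by editing its
# own memory.
WEAPON_LIMITS = {
    "rifle":  {"magazine_size": 30, "rounds_per_minute": 700},
    "pistol": {"magazine_size": 15, "rounds_per_minute": 400},
}


@dataclass
class ClientReport:
    """What an (untrusted) client claims about its current weapon."""
    weapon: str
    rounds_in_magazine: int
    rounds_per_minute: int


def validate_client_report(report: ClientReport) -> List[str]:
    """Return a list of violations; an empty list means the report is plausible.

    Each field is range-checked against the server's limits, exactly as a web
    service would range-check a form field or a query parameter.
    """
    limits = WEAPON_LIMITS.get(report.weapon)
    if limits is None:
        return [f"unknown weapon {report.weapon!r}"]
    problems = []
    if not 0 <= report.rounds_in_magazine <= limits["magazine_size"]:
        problems.append(
            f"rounds_in_magazine={report.rounds_in_magazine} outside 0..{limits['magazine_size']}"
        )
    if not 0 < report.rounds_per_minute <= limits["rounds_per_minute"]:
        problems.append(
            f"rounds_per_minute={report.rounds_per_minute} outside 1..{limits['rounds_per_minute']}"
        )
    return problems


@dataclass
class ServerWeaponState:
    """The server's own record of a player's weapon; never overwritten by client data."""
    weapon: str
    rounds_left: int = field(init=False)
    min_interval_s: float = field(init=False)
    last_shot_at: Optional[float] = None

    def __post_init__(self) -> None:
        limits = WEAPON_LIMITS[self.weapon]
        self.rounds_left = limits["magazine_size"]
        self.min_interval_s = 60.0 / limits["rounds_per_minute"]

    def try_fire(self, now_s: float) -> bool:
        """Accept a 'fire' request only if the server's own ammo count and
        rate-of-fire limit allow it; the client's claims are not consulted."""
        if self.rounds_left <= 0:
            return False
        if self.last_shot_at is not None and now_s - self.last_shot_at < self.min_interval_s:
            return False
        self.rounds_left -= 1
        self.last_shot_at = now_s
        return True

    def reload(self) -> None:
        """Refill from the server's limits table, not from a client-supplied count."""
        self.rounds_left = WEAPON_LIMITS[self.weapon]["magazine_size"]


if __name__ == "__main__":
    # A client claiming an absurd magazine and fire rate is flagged, not believed.
    bogus = ClientReport("rifle", 999_999_999, 99_999)
    print(validate_client_report(bogus))
    # Whatever the client claims, the server's copy of a pistol runs dry after 15 shots.
    pistol = ServerWeaponState("pistol")
    shots = sum(pistol.try_fire(float(t)) for t in range(20))
    print(f"accepted {shots} of 20 fire requests")
```

A report that fails validation is the detection signal; what the server does with it (log, kick, flag for review) is policy, but the game logic should in any case run only on `ServerWeaponState`, never on the client's numbers.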

u/abrasax · 2 points · r/technology

Ah, yes, but that depends on how you define 'quality', I suppose. I'm not sure that support for CSS 2.1 is important to them (I can only guess). What I do know is that the procedure I witnessed when doing my graduate project at MDCC was rather elaborate and thorough. There are actually books (1, 2; both required reading for every MS developer) that describe their security assurance process quite well, if you should be interested. Well, almost. Their internally developed system for automated code review (which is applied as a supplement - not a replacement - to the manual review) is not discussed, but I can assure you that it is quite fabulous.

u/perspectiveiskey · 2 points · r/programming

Has anyone read both Writing Secure Code 2nd edition and the first edition?

Is the 2nd edition talking about really awesome things that are worth my time or is it incremental?

u/some_dev · 2 points · r/gamedev

Understand the principle of least privilege and privilege separation. Understand why security through obscurity is not a good strategy.

Understand built-in access controls for your OS and other products (SQL) and how they apply to the above principles. If you can't accomplish least privilege through the built-in access controls, then write a service that performs validation and restricts access between the other two software components.

Also, if you're working with a database, know about SQL injection and how to avoid it (use parameterized queries).

The following should be your baseline level of knowledge for building networked applications that handle user credentials:

  • Symmetric and asymmetric encryption.
  • Hashing, salts, and what kinds of attacks salting prevents.
  • A few popular cryptographic algorithms: SHA and AES for example.
  • Understand man-in-the-middle attacks.
  • How to set up SSL.

You don't need to know in detail how the algorithms work, but you should understand the overall idea, what kinds of attacks they prevent, and how to apply them properly.

The best thing you can do is find a good book on security that goes into principles and practical examples and read it cover-to-cover. I used Writing Secure Code, but this book is pretty Windows-specific and deals a lot with the Windows API.
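
Two of the points in the comment above, parameterized queries against SQL injection and salted hashing of stored credentials, are shown together here as an added example (not code from the thread or from the book): a small credential store in standard-library Python. The table layout, the PBKDF2 iteration count and the sample users are assumptions made for the example; the concatenated lookup is included only to contrast with the parameterized one.

```python
"""
Added example (not from the Reddit thread or the book): a minimal credential
store that applies two points from the comment above. Queries are
parameterized, so user input can never change the SQL; passwords are stored as
salted PBKDF2-HMAC-SHA256 hashes, so two users with the same password get
different hashes and a stolen table does not hand out passwords.

Standard library only (sqlite3, hashlib, hmac, secrets). The table layout and
the iteration count are assumptions for the example.
"""
import hashlib
import hmac
import secrets
import sqlite3
from typing import List

PBKDF2_ITERATIONS = 200_000  # assumption for the example; tune to your hardware


def open_store() -> sqlite3.Connection:
    """In-memory database with a users table (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; the per-user salt makes precomputed tables useless."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # fresh random salt per user
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify_user(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), stored)


def stored_hash(conn: sqlite3.Connection, username: str) -> bytes:
    """Raw stored hash, used only to show that equal passwords hash differently."""
    return conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()[0]


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """ANTI-PATTERN, kept only for contrast: the input is spliced into the SQL
    text, so a quote character in it changes the meaning of the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Parameterized version: the input is bound as data and compared literally."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_store()
    add_user(db, "alice", "correct horse battery staple")
    add_user(db, "bob", "correct horse battery staple")
    print("same password, different hashes:", stored_hash(db, "alice") != stored_hash(db, "bob"))
    print("alice login:", verify_user(db, "alice", "correct horse battery staple"))
    probe = "' OR '1'='1"
    print("concatenated query returns:", lookup_vulnerable(db, probe))
    print("parameterized query returns:", lookup_safe(db, probe))
```

Run it and the same quoted probe string returns every user from the concatenated query and nothing from the parameterized one, which is the whole difference the comment is pointing at; the salted hashes show why two accounts with the same password still look unrelated in the table.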

u/CSMastermind · 2 points · r/AskComputerScience

Senior Level Software Engineer Reading List

Read This First

  1. Mastery: The Keys to Success and Long-Term Fulfillment

Fundamentals

  2. Patterns of Enterprise Application Architecture
  3. Enterprise Integration Patterns: Designing, Building, and Deploying Messaging Solutions
  4. Enterprise Patterns and MDA: Building Better Software with Archetype Patterns and UML
  5. Systemantics: How Systems Work and Especially How They Fail
  6. Rework
  7. Writing Secure Code
  8. Framework Design Guidelines: Conventions, Idioms, and Patterns for Reusable .NET Libraries

Development Theory

  9. Growing Object-Oriented Software, Guided by Tests
  10. Object-Oriented Analysis and Design with Applications
  11. Introduction to Functional Programming
  12. Design Concepts in Programming Languages
  13. Code Reading: The Open Source Perspective
  14. Modern Operating Systems
  15. Extreme Programming Explained: Embrace Change
  16. The Elements of Computing Systems: Building a Modern Computer from First Principles
  17. Code: The Hidden Language of Computer Hardware and Software

Philosophy of Programming

  18. Making Software: What Really Works, and Why We Believe It
  19. Beautiful Code: Leading Programmers Explain How They Think
  20. The Elements of Programming Style
  21. A Discipline of Programming
  22. The Practice of Programming
  23. Computer Systems: A Programmer's Perspective
  24. Object Thinking
  25. How to Solve It by Computer
  26. 97 Things Every Programmer Should Know: Collective Wisdom from the Experts

Mentality

  27. Hackers and Painters: Big Ideas from the Computer Age
  28. The Intentional Stance
  29. Things That Make Us Smart: Defending Human Attributes In The Age Of The Machine
  30. The Back of the Napkin: Solving Problems and Selling Ideas with Pictures
  31. The Timeless Way of Building
  32. The Soul Of A New Machine
  33. WIZARDRY COMPILED
  34. YOUTH
  35. Understanding Comics: The Invisible Art

Software Engineering Skill Sets

  36. Software Tools
  37. UML Distilled: A Brief Guide to the Standard Object Modeling Language
  38. Applying UML and Patterns: An Introduction to Object-Oriented Analysis and Design and Iterative Development
  39. Practical Parallel Programming
  40. Past, Present, Parallel: A Survey of Available Parallel Computer Systems
  41. Mastering Regular Expressions
  42. Compilers: Principles, Techniques, and Tools
  43. Computer Graphics: Principles and Practice in C
  44. Michael Abrash's Graphics Programming Black Book
  45. The Art of Deception: Controlling the Human Element of Security
  46. SOA in Practice: The Art of Distributed System Design
  47. Data Mining: Practical Machine Learning Tools and Techniques
  48. Data Crunching: Solve Everyday Problems Using Java, Python, and more.

Design

  49. The Psychology Of Everyday Things
  50. About Face 3: The Essentials of Interaction Design
  51. Design for Hackers: Reverse Engineering Beauty
  52. The Non-Designer's Design Book

History

  53. Micro-ISV: From Vision to Reality
  54. Death March
  55. Showstopper! the Breakneck Race to Create Windows NT and the Next Generation at Microsoft
  56. The PayPal Wars: Battles with eBay, the Media, the Mafia, and the Rest of Planet Earth
  57. The Business of Software: What Every Manager, Programmer, and Entrepreneur Must Know to Thrive and Survive in Good Times and Bad
  58. In the Beginning...was the Command Line

Specialist Skills

  59. The Art of UNIX Programming
  60. Advanced Programming in the UNIX Environment
  61. Programming Windows
  62. Cocoa Programming for Mac OS X
  63. Starting Forth: An Introduction to the Forth Language and Operating System for Beginners and Professionals
  64. lex & yacc
  65. The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference
  66. C Programming Language
  67. No Bugs!: Delivering Error Free Code in C and C++
  68. Modern C++ Design: Generic Programming and Design Patterns Applied
  69. Agile Principles, Patterns, and Practices in C#
  70. Pragmatic Unit Testing in C# with NUnit

DevOps Reading List

  71. Time Management for System Administrators: Stop Working Late and Start Working Smart
  72. The Practice of Cloud System Administration: DevOps and SRE Practices for Web Services
  73. The Practice of System and Network Administration: DevOps and other Best Practices for Enterprise IT
  74. Effective DevOps: Building a Culture of Collaboration, Affinity, and Tooling at Scale
  75. DevOps: A Software Architect's Perspective
  76. The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations
  77. Site Reliability Engineering: How Google Runs Production Systems
  78. Cloud Native Java: Designing Resilient Systems with Spring Boot, Spring Cloud, and Cloud Foundry
  79. Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation
  80. Migrating Large-Scale Services to the Cloud

u/PowershellPoet · 1 point · r/cybersecurity

Unfortunately, most of the university programs lag significantly behind industry. I've interviewed candidates with graduate degrees in cybersecurity that were not aware of most modern techniques used to find persistent adversaries. The good thing those programs provide is a broad coverage of information security as a whole.

I saw you mention "finding the vulnerabilities before the bad guys do". Unfortunately, in the real world the code is either unpublished and you're a software security consultant, analyst, or tester, or it is published and you're fixing a hole that the adversary has already discovered. If your interest is in the software security side, I would recommend two books above all others.

The 24 Deadly Sins of Software Security: https://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751?_encoding=UTF8&%2AVersion%2A=1&%2Aentries%2A=0

Writing Secure Code: https://www.amazon.com/Writing-Secure-Code-Strategies-Applications/dp/0735617228/ref=sr_1_1?s=books&ie=UTF8&qid=1499038741&sr=1-1&keywords=writing+secure+code

That said, there is also a lot of work in the systems engineering side of the house - along the lines of credential theft and secure enterprise design. If you think this might be interesting to you, I would recommend reading papers such as these:

Microsoft Pass the Hash Whitepaper: https://www.microsoft.com/en-us/download/details.aspx?id=36036

Think Like a Hacker (shameless plug for my book): https://www.amazon.com/Think-Like-Hacker-Sysadmins-Cybersecurity/dp/0692865217/ref=sr_1_sc_1?ie=UTF8&qid=1499038880&sr=8-1-spell

Cybersecurity is typically broken into various subfields, such as reverse engineering, forensics, threat intelligence, and the like - each with its own set of tools and skills. Ultimately, I would recommend attending a decent hacking conference such as DEFCON, DerbyCon, ShmooCon, or the like to get familiar with the field.