Secure Programming with Static Analysis, with CD-ROM: Getting Software Security Right with Static Analysis (Addison-Wesley Software Security) (English) Paperback – 29 June 2007

2.0 out of 5 stars, 1 customer review

The First Expert Guide to Static Analysis for Software Security!

Creating secure code requires more than just good intentions. Programmers need to know that their code will be safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-toothed comb and uncover the kinds of errors that lead directly to security vulnerabilities. Now there is a complete guide to static analysis: how it works, how to integrate it into the software development process, and how to make the most of it during security code review. Static analysis experts Brian Chess and Jacob West look at the most common types of security defects that occur today. They illustrate main points using Java and C code examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar mistakes. This book is for everyone concerned with building more secure software: developers, security engineers, analysts, and testers.

Coverage includes:
  • Why conventional bug-catching often misses security problems
  • How static analysis can help programmers get security right
  • The critical attributes and algorithms that make or break a static analysis tool
  • 36 techniques for making static analysis more effective on your code
  • More than 70 types of serious security vulnerabilities, with specific solutions
  • Example vulnerabilities from Firefox, OpenSSH, MySpace, eTrade, Apache httpd, and many more
  • Techniques for handling untrusted input
  • Eliminating buffer overflows: tactical and strategic approaches
  • Avoiding errors specific to Web applications, Web services, and Ajax
  • Security-aware logging, debugging, and error/exception handling
  • Creating, maintaining, and sharing secrets and confidential information
  • Detailed tutorials that walk you through the static analysis process

"We designed Java so that it could be analyzed statically. This book shows you how to apply advanced static analysis techniques to create more secure, more reliable software." --Bill Joy, Co-founder of Sun Microsystems, co-inventor of the Java programming language

"'Secure Programming with Static Analysis' is a great primer on static analysis for security-minded developers and security practitioners. Well-written, easy to read, tells you what you need to know." --David Wagner, Associate Professor, University of California Berkeley

"Software developers are the first and best line of defense for the security of their code. This book gives them the security development knowledge and the tools they need in order to eliminate vulnerabilities before they move into the final products that can be exploited." --Howard A. Schmidt, Former White House Cyber Security Advisor

BRIAN CHESS is Founder and Chief Scientist of Fortify Software, where his research focuses on practical methods for creating secure systems. He holds a Ph.D. in Computer Engineering from University of California Santa Cruz, where he studied the application of static analysis to finding security-related code defects.

JACOB WEST manages Fortify Software's Security Research Group, which is responsible for building security knowledge into Fortify's products. He brings expertise in numerous programming languages, frameworks, and styles together with deep knowledge about how real-world systems fail.

The CD contains a working demonstration version of Fortify Software's Source Code Analysis (SCA) product; extensive Java and C code samples; and the tutorial chapters from the book in PDF format.

Table of contents:
Part I: Software Security and Static Analysis (p. 1)
  1 The Software Security Problem (p. 3)
  2 Introduction to Static Analysis (p. 21)
  3 Static Analysis as Part of the Code Review Process (p. 47)
  4 Static Analysis Internals (p. 71)
Part II: Pervasive Problems (p. 115)
  5 Handling Input (p. 117)
  6 Buffer Overflow (p. 175)
  7 Bride of Buffer Overflow (p. 235)
  8 Errors and Exceptions (p. 265)
Part III: Features and Flavors (p. 295)
  9 Web Applications (p. 297)
  10 XML and Web Services (p. 349)
  11 Privacy and Secrets (p. 379)
  12 Privileged Programs (p. 421)
Part IV: Static Analysis in Practice (p. 457)
  13 Source Code Analysis Exercises for Java (p. 459)
  14 Source Code Analysis Exercises for C (p. 503)
Epilogue (p. 541)
References (p. 545)
Index (p. 559)
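What the description calls "how static analysis works" and "techniques for handling untrusted input" comes down, in the security tools of this kind, to taint propagation: a dataflow analysis that follows attacker-controlled data from an input API (a source) through assignments and concatenations to a dangerous API (a sink), and reports any path on which no recognised sanitizer intervenes. The Python program below is an added example written for this page; it is not code from the book, nor Fortify SCA, nor its rule set. The API names in the SOURCES, SANITIZERS and SINKS tables, the tiny three-address IR, and the two Java-like sample fragments are all illustrative assumptions. It runs a may-taint analysis over a small control-flow graph to a fixpoint, so the tainted path through the else-branch is found even though the if-branch sanitizes, and it shows that binding the value as a PreparedStatement parameter (rather than building SQL text from it) leaves no tainted variable reaching a sink.

```python
"""Toy taint analysis: forward dataflow over a control-flow graph that tracks
which variables may hold attacker-controlled data and flags statements that
pass such data to a dangerous API without an intervening sanitizer.
Rule names below are illustrative assumptions, not Fortify's rule set."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Rule packs: APIs that introduce untrusted input, APIs that neutralize it,
# and APIs that must never receive it (mapped to a vulnerability category).
SOURCES = {"request.getParameter", "request.getHeader"}
SANITIZERS = {"Integer.parseInt"}
SINKS = {
    "stmt.executeQuery": "SQL Injection",
    "conn.prepareStatement": "SQL Injection",  # tainted SQL text is still injection
    "Runtime.exec": "Command Injection",
}

@dataclass
class Stmt:
    dst: Optional[str]      # variable assigned, or None for a bare call
    callee: Optional[str]   # called API, or None for a copy/concatenation
    args: List[str]         # operand variables
    line: int               # source line, carried into the report

@dataclass
class Block:
    stmts: List[Stmt]
    succs: List[int] = field(default_factory=list)

# Dataflow fact: tainted variable -> line of the source call that tainted it.
Taint = Dict[str, int]

def transfer(stmt: Stmt, before: Taint) -> Taint:
    """Taint state after one statement, given the state before it."""
    after = dict(before)
    if stmt.callee in SOURCES:
        after[stmt.dst] = stmt.line
    elif stmt.callee in SANITIZERS:
        after.pop(stmt.dst, None)                 # sanitizer output is clean
    elif stmt.dst is not None:
        tainted = [a for a in stmt.args if a in before]
        if tainted:
            after[stmt.dst] = before[tainted[0]]  # taint propagates to dst
        else:
            after.pop(stmt.dst, None)             # dst overwritten with clean data
    return after

def analyze(cfg: Dict[int, Block]) -> List[Tuple[str, int, int, str]]:
    """May-taint analysis to a fixpoint (block 0 is the entry), then report
    (category, sink line, source line, variable) for each tainted sink argument."""
    entry: Dict[int, Taint] = {b: {} for b in cfg}
    worklist = [0]
    while worklist:
        b = worklist.pop()
        state = dict(entry[b])
        for s in cfg[b].stmts:
            state = transfer(s, state)
        for succ in cfg[b].succs:                 # join is union (may analysis)
            new = {v: ln for v, ln in state.items() if v not in entry[succ]}
            if new:                               # facts only grow, so this terminates
                entry[succ].update(new)
                worklist.append(succ)
    findings = []
    for b in sorted(cfg):
        state = dict(entry[b])
        for s in cfg[b].stmts:
            if s.callee in SINKS:
                for a in s.args:
                    if a in state:
                        findings.append((SINKS[s.callee], s.line, state[a], a))
            state = transfer(s, state)
    return findings

# Constructed sample (not from the book) modelling this Java-like fragment:
#  10  String id = request.getParameter("id");
#  11  if (numeric) {
#  12      int n = Integer.parseInt(id); String q = BASE + n;
#  15  } else { String q = BASE + id; }
#  18  ResultSet rs = stmt.executeQuery(q);
VULNERABLE = {
    0: Block([Stmt("id", "request.getParameter", ["param"], 10)], succs=[1, 2]),
    1: Block([Stmt("n", "Integer.parseInt", ["id"], 12),
              Stmt("q", None, ["n"], 12)], succs=[3]),
    2: Block([Stmt("q", None, ["id"], 15)], succs=[3]),
    3: Block([Stmt("rs", "stmt.executeQuery", ["q"], 18)]),
}

# Hardened form: constant SQL text, untrusted value bound as a parameter.
#  10  String id = request.getParameter("id");
#  11  PreparedStatement ps = conn.prepareStatement(BASE + " WHERE id = ?");
#  12  ps.setString(1, id);
#  13  ResultSet rs = ps.executeQuery();
HARDENED = {
    0: Block([Stmt("id", "request.getParameter", ["param"], 10),
              Stmt("ps", "conn.prepareStatement", ["BASE"], 11),
              Stmt(None, "ps.setString", ["ps", "id"], 12),
              Stmt("rs", "ps.executeQuery", ["ps"], 13)]),
}

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, analyze(cfg) or "no findings")
```

The analysis is deliberately a may-analysis: at the join before line 18 it keeps `q` tainted because one predecessor leaves it so, which is the conservative choice a security tool has to make. Two caveats a practitioner would add before trusting such a pass: it is intraprocedural (a call that launders taint through a helper is invisible unless the helper is modelled as a source, sink or sanitizer), and the quality of the result is only as good as the rule tables, which is why `conn.prepareStatement` is itself listed as a sink so that SQL text assembled from tainted data is still reported.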

About the author and other contributors

Brian Chess is a founder of Fortify Software. He currently serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. Brian holds a Ph.D. in Computer Engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service. He lives in Mountain View, California.

Jacob West manages Fortify Software's Security Research Group, which is responsible for building security knowledge into Fortify's products. Jacob brings expertise in numerous programming languages, frameworks, and styles together with knowledge about how real-world systems can fail. Before joining Fortify, Jacob worked with Professor David Wagner at the University of California at Berkeley to develop MOPS (MOdel Checking Programs for Security properties), a static analysis tool used to discover security vulnerabilities in C programs. When he is away from the keyboard, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security. He lives in San Francisco, California.

Customer reviews on Amazon.de (2.0 out of 5 stars, 1 review)

Format: Paperback | Verified Purchase
The book handles the topic in a good and comprehensive way.
But my intention was to work through the tutorials, which are provided on a CD that is delivered together with the book.
This CD is also advertised in the book's abstract.
When installing the software from the CD, I was asked to visit a web page of a company named "Fortify" to register and receive the required license key. However, the given web link is not working; even the entire domain no longer exists, and the company itself seems to no longer exist.
Does anyone have a hint on how I could obtain a license key for the book's CD?
I believe it is not OK to sell a book where the digital part is no longer usable.
2 people found this review helpful.

The most helpful customer reviews on Amazon.com (beta)

Amazon.com: 13 reviews
4 of 5 customers found the following review helpful
2 out of 5 stars: Recommend a Different Book, 19 August 2015
By R. Smith, published on Amazon.com
Format: Paperback | Verified Purchase
I typically review systems and commercial software from a security standpoint. Recently, there has been a push to review software that is developed in-house, utilizing tools such as Burp Suite and Fortify SCA. The classes that have been offered to my co-workers are best described as a how-to for installing the Fortify software. I was hoping to find a book with an in-depth view of utilizing Fortify to analyze source code. While the main focus of the book is not on Fortify, I was hoping that the two tutorial chapters would be a good start, as this is the only book I know of that deals with Fortify (except the proprietary HP manuals).

Why not just use the proprietary manuals and play with the software at work? Simple: I do not have time to read through manuals and play at work. I need something I can work with at home. The biggest problem I have with this book is that the software included is no longer functional. To install, you have to get a license from the Fortify website, which is now owned by HP. Neither the authors nor HP will provide a license, so the software is useless.

If you are looking for a book to aid in secure code analysis, this is not the book for you. "Secure Programming with Static Analysis" I read as "make your applications secure by using static code analysis to identify problems". While the authors do give a fair amount of bad code to learn from, the details are less forthcoming than in other books. Rather than give examples of how to use static code analysis tools to identify and correct problems, the authors give details of how they wrote rules to identify the problematic code. So if you are a programmer wanting to write your own "Fortify" software, this is a great start. I deducted 1 star because I felt the book only lives up to the "secure programming" portion of its name. You will not be getting any hands-on with static analysis from this book (as I mentioned, the software no longer functions).

At the time the book was written, it probably was cutting-edge knowledge, and software security as described by the authors was believed to be a job only a programmer could do. This is the way the book is written. Books like The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws are much friendlier towards non-programmers and have way more detail than this book. In fact, the WAHH describes how a non-programmer may perform secure code analysis with a little research and gives you enough information to get started. It may seem unfair to judge this book, published in 2007, by information available in 2015. However, I feel it is more unfair that someone like myself will purchase it based on the reviews when better books are available. I deducted 2 stars for the limited (and old) information.

To address comments about how the WAHH does not address some of the topics (in depth) that are covered in this book, such as native compiled languages, I would recommend Hacking: The Art of Exploitation, 2nd Edition, but it is not for the faint of heart. The Shellcoder's Handbook: Discovering and Exploiting Security Holes might be more in line with my previous recommendation; however, I have yet to read this book, so I will reserve judgment.

In all, I am giving the book 2 stars, as the information contained in it may be useful to other readers, but there are far better sources to go to. In fact, I hope the whole industry dumps the use of Fortify in favor of open source alternatives that the worker bees can actually get their hands on. Check out OWASP for a list of alternatives. If you are a developer looking into secure programming, after reading the previously mentioned book, check out the US-CERT/SEI secure programming [language of choice] books. This book will likely make it into my trash very soon, unless you want to buy it?
3 of 3 customers found the following review helpful
ComputerWrangler, 28 September 2015
By Computer Wrangler, published on Amazon.com
Format: Paperback | Verified Purchase
OK book, but I purchased it for the practice software for HP Fortify, which doesn't work. HP no longer supports it, and it won't run without HP support. I sent the book back.
19 of 27 customers found the following review helpful
Disappointing and Lacks Details, 17 February 2008
By Craig Anderson, published on Amazon.com
Format: Paperback
If you are an architect who is really serious about building security into your large-scale applications, then this book would offer only a "hello world" to security. All you find is a full-blown security chapter (Parts 1 and 2) for standalone applications; beyond that, nothing but Google-able content. The worst is Part III, which discusses web apps, XML web services security, privacy and privileged programs: poorly written and highly repetitive content. Most disappointingly, there is no chapter showing how to put all this stuff together in a real-world enterprise application. I also noticed the book has the same Java examples as the Java site. The chapter on Web services security is a joke and shows the authors' lack of understanding of Web services security fundamentals. After browsing all the pages, I didn't find anything that shows how to incorporate them in a working security architecture. The book is also trying to promote a product; maybe this book is relevant for those who use the products the authors suggest.
13 of 20 customers found the following review helpful
The best book for learning how to fix your code, 5 July 2007
By James Walden, published on Amazon.com
Format: Paperback
After having read every secure programming book in print, this is the book I would recommend to both working developers and students. The abundance of code examples in C/C++ and Java helps this book stand out from the shelf of other secure programming books, but that's just the beginning of what sets this book apart from the rest.

While most secure programming books focus on the basics of security mistakes like buffer overflows, they're short on how to find and fix security flaws in a large body of code. Most of us have too much code to inspect manually line by line by the next release, so this book shows the reader how to effectively use static analysis tools as a part of the code review process to automate finding security bugs. The CD that comes with the book has a working demo version of the Fortify Source Code Analyzer tool, so the reader can gain hands-on experience with static analysis.

Once you've found the bugs, you could attempt to fix them one by one, or you could fix them in a consistent, structured manner using secure design strategies to solve problems like input validation and memory management that are the source of so many security problems. Secure Programming with Static Analysis has a readable and practical discussion of these strategies, with many code examples so the reader can easily apply these strategies. It also shows how to use static analysis tools to ensure that all of your code follows these strategies, so that no input escapes validation.

Every software developer needs to know how to program securely, and there's no better place to start learning than this book.
0 of 1 customers found the following review helpful
Secure Programming With Static Analysis, by Brian Chess and Jacob West, 20 February 2011
By Vishal .S, published on Amazon.com
Format: Paperback | Verified Purchase
I bought this book as a course requirement and it has been much more than that. This book enlightens you with situations which you would have encountered previously but never realized how an adversary could exploit to either break into your system or just cause havoc from outside. The authors have shared their company's software, named Fortify, which helps us analyze programs using static analysis. The only drawback is that the software is an out-of-date one which refuses to configure on a Windows 7 system and requires XP compatibility. Also, understandably, it is a demo version, which has extreme constraints on the size of the code being analyzed. I wish the authors had looked into these minor details.