O’Reilly news

"Secure Programming Cookbook for C and C++": Security Begins with Well-Written Code

July 24, 2003

Sebastopol, CA--Over the next three years, private organizations and government agencies will spend an estimated $21 billion on network security to fight off password sniffing, spoofing, buffer overflows, denials of service, viruses, worms, and other attacks. Despite this tremendous effort, experts including John Viega, coauthor of the Secure Programming Cookbook for C and C++ (O'Reilly, US $49.95), assert that many security problems boil down to one fundamental cause: poorly written, poorly tested, and insecure code underlying applications that run the very systems everyone is trying so hard to secure.

That's not something system administrators can fix at the network level, Viega explains, but depends on programmers to write code that attackers cannot exploit. "Writing secure code is difficult, even for experts," he points out. "Unfortunately, programmers generally hold a world view that they write correct code all the time, and only occasionally do mistakes occur. In reality, mistakes are commonplace in nearly everyone's code." He points to a recent NIST study that estimates the computer industry in the United States alone spends $60 billion a year patching and customizing poorly written software.

Viega is one of the pioneers in the field of software security who wrote the first publicly available tool to help programmers find and fix security vulnerabilities in their own code. His new book, co-written by Matt Messier, takes the same practical approach to fortifying code. Rather than recite principals and guidelines, "Secure Programming Cookbook for C and C++" is a nuts-and-bolts reference that teaches by example, focusing on two of the most widely used programming languages available.

"There are already several other books out there on the topic of writing secure software," Viega explains. "Many of them are quite good, but they universally focus on the fundamentals, not code. None of them show you how to do such things as SSL-enable your applications properly, which can be surprisingly difficult."

The book shows how to eliminate common problems by providing code solutions that programmers can insert directly into their applications, along with explanations of why and how the code samples work. Viega and Messier cover a wide range of security topics, including cryptography (both symmetric and public key), random numbers, safe initialization, input validation, networking, authentication, access control, email, and anti-tampering. Altogether, there are more than 200 recipes to help programmers secure the C and C++ programs they write for both Unix (including Linux) and Windows environments.

Viega assumes that programmers who pick up "Secure Programming Cookbook for C and C++" already understand security basics, but that "strangely enough, programmers make the same mistakes over and over again," he says. "Most security problems have been seen before. It's rare to actually see a new one. We give people the tools they haven't had before, so they have a fighting chance."

Additional Resources:

Secure Programming Cookbook for C and C++
John Viega and Matt Messier
ISBN 0-596-00394-3, 790 pages, $49.95 US, $77.95 CA, 35.50 UK
1-800-998-9938; 1-707-827-7000

About O’Reilly

O’Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O’Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying “faint signals” from the alpha geeks who are creating the future. An active participant in the technology community, the company has a long history of advocacy, meme-making, and evangelism.

Email a link to this press release