- Howard, Michael, David LeBlanc, and John Viega.
19 Deadly Sins of Software Security.
Emeryville, CA: Osborne, 2005.
ISBN 0-07-226085-8.
-
During his brief tenure as director of the National Cyber Security
Division of the U.S. Department of Homeland Security, Amit Yoran (who
wrote the foreword to this book) got a lot of press attention when he
claimed, “Ninety-five percent of software bugs are caused by the
same 19 programming flaws.” The list of these 19 dastardly
defects was assembled by John Viega who, with his two co-authors,
both of whom worked on computer security at Microsoft, attempt to exploit
its notoriety in this poorly written, jargon-filled, and utterly worthless
volume. Of course, I suppose that's what one should expect when a
former official of the agency of geniuses who humiliate millions of U.S.
citizens every day to protect them from the peril of grandmothers with
exploding sneakers team up with a list of authors that includes a former
“security architect for Microsoft's Office division”—why
does the phrase “macro virus” immediately come to mind?
Even after reading this entire ramble on the painfully obvious, I cannot
remotely guess who the intended audience was supposed to be. Software
developers who know enough to decode what the acronym-packed (many never
or poorly defined) text is trying to say are already aware of the
elementary vulnerabilities being discussed and ways to mitigate them.
Those without knowledge of competent programming practice are unlikely
to figure out what the authors are saying, since their explanations
in most cases assume the reader is already aware of the problem. The
book is also short (281 pages), generous with white space, and packed
with filler: the essential message of what to look out for in code can
be summarised in a half-page table: in fact, it has been, on
page 262! Not only does every chapter end with a summary of “do”
and “don't” recommendations, all of these lists are
duplicated in a ten page appendix at the end, presumably added because
the original manuscript was too short. Other obvious padding is giving
examples of trivial code in a long list of languages (including proprietary
trash such as C#, Visual Basic, and the .NET API); around half of the code
samples are Microsoft-specific, as are the “Other Resources”
at the end of each chapter. My favourite example is on pp. 176–178,
which gives sample code showing how to
read a password from a file (instead of idiotically embedding it in
an application) in four different programming languages: three of
them Microsoft-specific.
Like many bad computer books, this one seems to assume that
programmers can learn only from long enumerations of specific items,
as opposed to a theoretical understanding of the common cause which
underlies them all. In fact, a total of eight chapters on supposedly
different “deadly sins” can be summed up in the following
admonition, “never blindly trust any data that comes from outside your
complete control”. I had learned this both from my elders and
brutal experience in operating system debugging well before my
twentieth birthday. Apart from the lack of content and ill-defined
audience, the authors write in a dialect of jargon and abbreviations
which is probably how morons who work for Microsoft speak to one
another: “app”, “libcall”,
“proc”, “big-honking”, “admin”,
“id” litter the text, and the authors seem to believe the
word for a security violation is spelt “breech”. It's rare
that I read a technical book in any field from which I learn not a
single thing, but that's the case here. Well, I suppose I
did learn that a prominent publisher and forty dollar cover
price are no guarantee the content of a book will be of any value.
Save your money—if you're curious about which 19
“sins” were chosen, just visit the Amazon link above and
display the back cover of the book, which contains the complete list.
September 2006 