Learn secure programming
Any application that uses the Internet to communicate between clients and servers can potentially be subverted by an attacker (see the protect your Web site page for more information), and the server may be compromised. Even applications that are meant to be run locally, such as a data visualization program on Unix or a Windows application that uses SQL Server, can potentially be exploited on a system to gain elevated privileges and compromise the entire system.
In order to prevent this, anyone developing client/server applications, CGI interfaces to web pages, ASP or JavaScript client-side programs, SQL database front ends or stored procedures, etc., should understand the risks and the ways to write secure applications.
A couple of good books on the subject are:
- Building Secure Software: How to Avoid Security Problems the Right Way, by John Viega and Gary McGraw (Addison-Wesley, ISBN 0201-72152-X)
- Writing Secure Code, by Michael Howard and David LeBlanc (Microsoft Press, ISBN 0-7356-1588-8)
For the World Wide Web and its applications, see:
- The World Wide Web Security FAQ
- Writing More Secure CGI Scripts, by Les Cottrell
For C programs on Unix systems, see:
- Writing Secure SUID Programs by Matt Bishop
- Security Code Review Guidelines by Adam Shostack
- Secure Programming for Linux and Unix HOWTO, by David A. Wheeler
- Software Vulnerability Analysis
You can find an extensive list of secure coding resources at SecureProgramming.com.
