Writing Secure Code

This book is short, so dont be lazy. Read the whole book; you never know what you might be working on next !

That said, some sins affect only certain languages and affect only certain environments, so its important that you read the sins that affect the programming languages you use, the targeted operating systems, and the environment (Web, and so forth).

Heres a summary of the minimum you should read based on some common scenarios:

• Everyone should read Sins 6, 12, and 13.

• If you program in C/C++, you must read Sins 1, 2, and 3.

• If you program for the Web using technologies such as JSP, ASP, ASP.NET, PHP, CGI or Perl, you should read Sins 7 and 9.

• If you are creating an application to query database engines, such as Oracle, MySQL, DB2, or SQL Server, you should read Sin 4.

• If you are writing networked systems (Web, client-server, or something like it), you should review Sins 5, 8, 10, 14, and 15.

• If your application performs any kind of cryptography or handles passwords, you should read Sins 8, 10, 11, 17, and 18.

• If your application runs on Linux, Mac OS X, or UNIX, you should read Sin 16.

• If your application will be used by unsophisticated users, please review Sin 19.

We believe this is a very important book because it brings together three of the most well-known security engineering practitioners today to cover all common languages as well as development and deployment platforms. We trust you will gain a great deal of wisdom and get a great deal of guidance from the book.

Michael Howard

David LeBlanc

John Viega

July 2005