Book Review: Secure Programming with Static Analysis


This is one of the better books I have read about software security in quite a while.  It does a solid job of explaining what static analysis is and how it can be applied to software security, and then provides an expansive tour of security issues that can be detected with static analysis and the patterns that lead to this detectability.  Just reading through all of these examples forces the reader to come to a better understanding of how software security vulnerabilities come about in general.

When I first picked up the book I expected it to be essentially a 500 page advertisement and user manual for Fortify's Source Code Analyzer tool.  That would make sense as the authors are Brian Chess and Jacob West – Fortify's founder/Chief Scientist and manager of their Security Research Group.  I don't know that I would have a problem with that because I'm a big fan of the tool, but it would have limited the audience of folks the book would have been useful for.  However, I was especially pleased to find that the book is actually a great general purpose reference for software security and static analysis that anyone wanting to write more secure code can read.

Part I (chapters 1 – 4) provides a very solid introduction to the value of software security and the theory behind static analysis, and offers some really interesting material on different approaches to static analysis that can be applied to solve software security problems.  This is pretty theoretical stuff, but it does a great job of providing a framework for the patterns explored through the rest of the book.  There is also some good material on how to integrate the use of static analysis tools into a software development process – essentially establishing who is going to run the tool, when it is going to be run and what is going to be done with the results.  The first three chapters could be read by anyone interested in the topic – the fourth chapter is probably for programmers only.

Part II (chapters 5 – 8) steps through the general problems of software security that can be attacked with static analysis – primarily input validation.  The bulk of this material is focused on C and C++ issues – buffer overflows, integer overflows and string formatting vulnerabilities.  Even though I personally don’t do a lot of C/C++ programming any more I found the material to be fascinating.  If you actually are programming in C and/or C++ on a regular basis you will hopefully find the material both fascinating and immediately useful.  Chapter 8 has material that applies to all environments for dealing with exceptions and error codes, resource leaks and logging.
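To make the C/C++ material in Part II concrete, here is an added example (constructed for this review, not code from the book or from Fortify) of the kind of source-to-sink patterns a static analyzer flags: an unchecked multiplication feeding an allocation size, an unbounded string copy into a fixed buffer, and attacker-controlled data used as a format string. Each vulnerable function sits beside a hardened version that returns a checkable result. The function names, buffer sizes and sample inputs are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: "tainted" values (count, src, msg) stand in for
 * data that arrived from the network or the command line. */

/* Integer overflow: count * elem_size can wrap to a small number, so
 * malloc returns a short buffer and the caller's loop writes past it. */
void *alloc_records_unsafe(size_t count, size_t elem_size) {
    return malloc(count * elem_size);   /* unchecked multiplication */
}

/* The check a static analyzer wants to see before the multiplication. */
int mul_overflows(size_t count, size_t elem_size) {
    return elem_size != 0 && count > SIZE_MAX / elem_size;
}

/* Hardened: refuse the allocation when the product would wrap. */
void *alloc_records_safe(size_t count, size_t elem_size) {
    if (mul_overflows(count, elem_size))
        return NULL;
    return malloc(count * elem_size);
}

/* Buffer overflow: strcpy trusts that src fits in the 16-byte dst. */
void copy_name_unsafe(char dst[16], const char *src) {
    strcpy(dst, src);                   /* no length check at all */
}

/* Hardened: explicit bound, always NUL-terminated, truncation reported
 * as -1 instead of silently corrupting adjacent memory. */
int copy_name_safe(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0)
        return -1;
    if (n >= dst_len) {
        memcpy(dst, src, dst_len - 1);
        dst[dst_len - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Format string: msg is used as the format, so "%x%x" or "%n" in the
 * input reads or writes memory the programmer never intended. */
int format_message_unsafe(char *out, size_t out_len, const char *msg) {
    return snprintf(out, out_len, msg);
}

/* Hardened: the format is a literal and msg is only ever an argument.
 * Returns 0 on success, -1 if the message did not fit. */
int format_message_safe(char *out, size_t out_len, const char *msg) {
    int written = snprintf(out, out_len, "%s", msg);
    if (written < 0 || (size_t)written >= out_len)
        return -1;
    return 0;
}

int main(void) {
    char name[16];
    char line[32];

    /* A count chosen so that count * 8 wraps on a 64-bit size_t. */
    printf("overflow check: %d\n", mul_overflows(SIZE_MAX / 4 + 1, 8));
    printf("copy status: %d (%s)\n",
           copy_name_safe(name, sizeof name, "a-name-that-is-far-too-long"),
           name);
    format_message_safe(line, sizeof line, "%x%x%n");
    printf("formatted: %s\n", line);    /* specifiers stay literal text */
    return 0;
}
```

The unsafe variants are kept only to show what the analyzer is matching on; note that `alloc_records_unsafe` and `copy_name_unsafe` compile cleanly, which is exactly why this class of bug survives code review and needs tooling to find.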

Part III (chapters 9 – 12) looks at more specialized topics.  There is good material on web applications and web services as well as some information on how to integrate cryptography into applications.  Chapter 12 deals with programs at different privilege levels.  Again – since I don't do a lot of system-level C and C++ programming, it has been quite some time since I wrote a binary that was supposed to have setuid privileges.  Regardless, I found the material very interesting.

Part IV (chapters 13 and 14) is a tutorial on how to use Fortify SCA.  The book comes with a CD-ROM containing a demo version of the software and you can go online to get a license key.  Running through the exercises is a good way to get an idea of how modern, commercial static analysis tools work and get a feel for how they might integrate into your team’s development process.

Overall I really enjoyed this book.  The fact that it mixed a theoretical treatment of the material with a large number of practical examples made it very interesting.  I consider myself to be pretty knowledgeable in this area and I learned some new tips and tricks from the book.  More importantly – I learned some new ways to think about software security and that really has long-term value for me.


About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

