Plane flights are a great way to catch up on my reading, though they play hell with my back. I got through two and a half books on my way to and from the west coast last week, and finished the last one while eating handfuls of Vitamin I. One of the three was very good, and the other two were certainly worth reading, so herewith the reviews.
The best of the three was Chess and West's Secure Programming with Static Analysis. The authors work for Fortify Software, which (unsurprisingly) builds and sells static analysis tools to help programmers identify security holes in their code. Here, "static analysis" means "what you can find out by analyzing the program's source, rather than by running it". It's a rich and complicated field, full of undecidable problems, but the authors make the core concepts accessible by grounding them in real-world problems. What data structures do analysis tools use to represent programs? How does Perl's "taint mode" trace user-entered values through a program? Perhaps most importantly, how can you incorporate static analysis into your regular build and QA cycles, so that problems are caught and corrected before they reach the customer?
Readers will need a basic understanding of how compilers, call stacks, and pointers work to follow the discussion, but anyone who has ever forked a process or opened a socket should be OK. If you're not, now's the time to go back to your old textbooks and refresh your memory: tools like the ones discussed in this book are quickly becoming part of the mainstream, and developers who don't know how to drive them will soon find themselves in the same bucket as ones who never got on top of HTTP, or still aren't quite sure what a design pattern is.
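The review asks how Perl's "taint mode" traces user-entered values through a program. The core idea is simple to show in code: values that come from an untrusted source are marked, the mark survives assignments and string operations, a sanitizer clears it, and the analysis reports any marked value that reaches a dangerous sink. The following is an added illustration written for this page, not code from the book or from Fortify's tools; it is a deliberately tiny source-level (static) taint analysis over Python's own `ast` module, and the source, sanitizer and sink lists, the `TaintAnalyzer` class and the `SAMPLE` program are all assumptions constructed for the example.

```python
"""Toy static taint analysis in the spirit of Perl's taint mode (added example).

Walks a Python module's AST once, in program order, keeping a set of variable
names that currently hold untrusted data, and reports every call to a sink
whose arguments are still tainted.  Sources, sanitizers and sinks below are
assumed lists for the demonstration, not a complete or authoritative catalogue.
"""
import ast

TAINT_SOURCES = {"input", "sys.argv"}              # assumed: yield untrusted data
SANITIZERS = {"shlex.quote"}                        # assumed: output is trusted
SINKS = {"os.system", "subprocess.call", "eval"}   # assumed: dangerous consumers


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintAnalyzer(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names holding untrusted data right now
        self.findings = []     # (line number, sink name) where taint reached a sink

    def is_tainted(self, node):
        """Does evaluating this expression produce an untrusted value?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Attribute):
            # e.g. sys.argv is a source; name.upper is tainted if `name` is
            return _dotted(node) in TAINT_SOURCES or self.is_tainted(node.value)
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SANITIZERS:
                return False           # a sanitizer's result is trusted
            if name in TAINT_SOURCES:
                return True            # reading from a source taints the result
        # Everything else (BinOp, f-strings, subscripts, unknown calls) is
        # tainted if any sub-expression is: taint propagates through operations.
        return any(self.is_tainted(child) for child in ast.iter_child_nodes(node))

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)

    def visit_Assign(self, node):
        self.generic_visit(node)        # check sinks inside the right-hand side first
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                # assigning a trusted value clears the mark, a tainted one sets it
                (self.tainted.add if tainted else self.tainted.discard)(target.id)

    def visit_AugAssign(self, node):
        self.generic_visit(node)
        if isinstance(node.target, ast.Name) and self.is_tainted(node.value):
            self.tainted.add(node.target.id)   # cmd += user_data taints cmd


def analyze(source):
    """Return [(line, sink), ...] for every sink call fed untrusted data."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


# Constructed sample program to analyze (line numbers noted in the comments).
SAMPLE = '''
import os, shlex, sys
name = input("host? ")
safe = shlex.quote(name)
os.system("ping -c 1 " + safe)         # line 5: sanitized, not reported
cmd = "ls " + name
os.system(cmd)                         # line 7: tainted via input(), reported
target = sys.argv[1]
os.system(f"nslookup {target}")        # line 9: tainted via sys.argv, reported
name = "localhost"
os.system("ping " + name)              # line 11: reassigned to a constant, not reported
'''

if __name__ == "__main__":
    for line, sink in analyze(SAMPLE):
        print(f"line {line}: untrusted data reaches {sink}")
```

Running it reports lines 7 and 9 of the sample and stays quiet about the sanitized and reassigned cases. The analysis is flow-sensitive only in the trivial sense of walking statements in order; it knows nothing about branches, loops, function calls or aliasing, which is exactly the territory where the book's discussion of control-flow graphs and interprocedural analysis begins.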
Second on my list was Conti's Security Data Visualization. As you'd guess from the title, Conti believes that developers and administrators can, and should, use data visualization to monitor and improve computer security. After a fairly slow-moving introduction, he presents a series of increasingly complicated case studies: an attack (or possible attack), a way of representing the key data pictorially, and then some analysis. Conti even includes a chapter on how to attack security visualizations, i.e., ways of pushing data into them that mask the signal of an attack. I'm not entirely convinced that the techniques he describes will scale to very large systems, but there are so many holes in small ones that I probably shouldn't worry.
The last book of my trip was Hoglund and McGraw's Exploiting Online Games. It's a timely topic: more and more real money is tied up in virtual economies, and online gambling (particularly poker) is a multi-billion dollar industry. I also think it's a great way to introduce security to students, many of whom spend as much time in the world of Warcraft as they do in this one.
The book covers a lot of important issues. It also includes a refreshing amount of nitty-gritty detail, much of which assumes in-depth knowledge of C/C++ Windows programming. But there was a little too much "gosh wow!" for my liking. Page 85 is just one example: are all those exclamation marks really necessary!!?? A sterner editor, and a little less self-reference, would have made this a stronger book, but even with its flaws, it's a much better investment of time than Air Canada's in-flight entertainment.
Brian Chess and Jacob West: Secure Programming with Static Analysis. Addison-Wesley Professional, 2007, ISBN 0321424778, 624 pages.
Greg Conti: Security Data Visualization. No Starch Press, 2007, ISBN 1593271433, 272 pages.
Greg Hoglund and Gary McGraw: Exploiting Online Games: Cheating Massively Distributed Systems. Addison-Wesley Professional, 2007, ISBN 0132271915, 384 pages.