This site graciously hosted
by our friends at

Press Release

For Immediate Release
For more information, a review copy, cover art, or an interview with the authors, contact:
Kathryn Barrett (707) 827-7094 or

Avoid Costly Security Flaws with O'Reilly's
"Secure Coding: Principles & Practices"

Sebastopol, CA--Rarely a week goes by without an announcement of a new attack on computer systems. Viruses, worms, denials of service, and password sniffers are attacking all types of systems--from banks to e-commerce sites to seemingly impregnable government and military computers--at an alarming rate.

But, according to Kenneth R. van Wyk, coauthor of the new book, "Secure Coding: Principles and Practices" (O'Reilly, US $29.95), "there are really very few classes of errors being made." Despite their many manifestations and targets, nearly all attacks have one fundamental cause: the code underlying these computers and networks is not secure.

"Secure software doesn't happen by accident," says van Wyk. "The vast majority of security flaws being announced today are entirely avoidable."

Writing secure code isn't easy, and there are no quick fixes to bad code. According to Mark G. Graff, coauthor of "Secure Coding: Principles and Practices," to build code that repels attack, software developers must "understand where vulnerabilities come from and counteract those tendencies with time-proven practices."

"Good programmers write good code, bad programmers write bad code, but all programmers seem to write insecure code," says Marcus J. Ranum, principal author of the DEC SEAL firewall, TIS Gauntlet firewall, and Network Flight Recorder Intrusion Detection System. "Kudos to Mark and Ken for their explanation of the reasons it's so hard to write good secure code and what to do about it!"

"Secure Coding: Principles and Practices" makes the case that developers must be vigilant throughout the entire code lifecycle:

-Architecture: during this stage, applying security principles such as "least privilege" will help limit even the impact of successful attempts to subvert software.

-Design: during this stage, designers must determine how programs will behave when confronted with fatally flawed input data. The book also offers advice about performing security retrofitting when you don't have the source code--ways of protecting software from being exploited even if bugs can't be fixed.

-Implementation: during this stage, programmers must sanitize all program input (the character streams representing a programs' entire interface with its environment--not just the command lines and environment variables that are the focus of most security analysis).

-Testing: during this stage, programs must be checked using both static code checkers and runtime testing methods--for example, the fault injection systems now available to check for the presence of such flaws as buffer overflow.

-Operations: during this stage, patch updates must be installed in a timely fashion. In early 2003, sites that had diligently applied Microsoft SQL Server updates were spared the impact of the Slammer worm that did serious damage to thousands of systems.

Trial and error can be a time consuming, costly, and embarrassing lesson when it comes to secure code. van Wyk and Graff have managed to pack decades of experience in secure coding into a concise and engaging book. "We have grey hairs, and we earned 'em learning the lessons we teach in the book," laughs Graff.

Jeremy Allison, the coauthor of Samba calls "Secure Coding": "A wonderful book...I wish it had been available when I was writing parts of Samba. I might not have had the last two security embarrassments to my name." Stephen E. Hansen, Information Security officer for Google, Inc., agrees: "I wish I had this book years ago as it has taken me years to figure these things out for myself."

Additional Resources:

See what critics, security professionals, executives, academics, and other readers have said about "Secure Coding: Principles and Practices," see:

For more info on the book, including Table of Contents, author bios, and index:

Chapter 1, "No Straight Thing," is available online:

For a cover graphic in JPEG format, go to:

Secure Coding: Principles & Practices
By Mark G. Graff, Kenneth R. van Wyk
ISBN 0-596-00242-4, 224 pages, $29.95 US, $46.95 CA, 20.95 UK

About O'Reilly

O'Reilly & Associates is the premier information source for leading-edge computer technologies. The company's books, conferences, and web sites bring to light the knowledge of technology innovators. O'Reilly books, known for the animals on their covers, occupy a treasured place on the shelves of the developers building the next generation of software. O'Reilly conferences and summits bring alpha geeks and forward-thinking business leaders together to shape the revolutionary ideas that spark new industries. From the Internet to XML, open source, .NET, Java, and web services, O'Reilly puts technologies on the map. For more information:

O'Reilly is a registered trademark of O'Reilly & Associates, Inc. All other trademarks are property of their respective owners.

Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.