This site graciously hosted
by our friends at
Resources - Web Companion
This document is adapted (with permission) from the appendix in
Secure Coding: Principles and Practices (O'Reilly, 2003), and
contains a list of the books, papers, articles, and web sites that
have inspired us and served as sources for this book. We do our best
here to point to the places that provide the best resources for more
Of course, this short list is in no sense a complete survey of the
literature of our growing field. We welcome your comments,
suggestions, and additions to this list, and reserve the right to
include or not include them in any subsequent editions or printings
of Secure Coding. If you are interested in contributing, please
- Anderson, Ross. Security Engineering. New York, NY:
John Wiley & Sons, 2001. ISBN 0-471-38922-6. A stunning
achievement by a great engineer. Highly readable. Only a few
chapters are directly relevant to secure coding, but we
recommend the entire volume for its surprising insights.
- Bentley, Jon. Programming Pearls, Second Edition.
Reading, MA: Addison-Wesley Longman, 2000. ISBN 0-201-65788-0.
Justifiably famous collection of sound programming practices
- Brooks, Frederick P. The Mythical Man-Month: Essays on
Software Engineering, Anniversary Edition. New York, NY:
Addison-Wesley, 1995. ISBN 0201835959 . Classic work on the
practice and business of software development and the
management of projects.
- Garfinkel, Simson, Gene Spafford, and Alan Schwartz.
Practical Unix & Internet Security, 3rd Edition.
Sebastopol, CA: O'Reilly & Associates, Inc., 2003. ISBN
1-56592-323-4. Comprehensive, a true tour-de-force. Chapter
16, "Writing Secure SUID and Network Programs," was a
lightning bolt when first published and remains indispensable
- Gong, Li. Inside Java 2 Platform Security. Reading,
MA: Addison Wesley Longman, 1999. ISBN 0-201-31000-7. Worth
reading simply for Dr. Gong's description of the Java jail, of
which he was the principal designer.
- Howard, Michael. Designing Secure Web-Based Applications
for Microsoft Windows 2000. Redmond, Washington: Microsoft
Press, 2000. ISBN 0-7356-0995-0. Excellent example of
- Kernighan, Brian W., and P. J. Plauger. Elements of
Programming Style. Computing McGraw-Hill, 1988. ISBN
0-07-034207-5. A quiet book with good examples of a sparse and
sensible style not often seen today.
- Kernighan, Brian W., and Dennis M. Ritchie. The C
Programming Language 2nd Edition. Englewood Cliffs, NJ:
Prentice-Hall, 1988. ISBN 0-13-110362-8. An indispensable
guide to the language.
- Maguire, Steve. Writing Solid Code: Microsoft's
Techniques for Developing Bug-Free C Programs. Redmond,
Washington: Microsoft Press, 1993. ISBN 1-55615-551-4. Every
software engineer working in C should read this book.
- McConnell, Steve. Code Complete: A Practical Handbook of
Software Construction. Redmond, Washington: Microsoft
Press, 1993. ISBN 1-55615-484-4. A true classic. We could
have quoted it several more times. Please read this book.
- McGraw, Gary, and Edward W. Felten. Securing Java:
Getting Down to Business with Mobile Code, 2nd Edition.
New York, NY: John Wiley & Sons, 1999. ISBN 047131952X. A
thoughtful treatment of a technical subject. See the book's
web site at http://www.securingjava.com.
- Northcutt, Stephen and Judy Novak. Network Intrusion
Detection, 3rd Edition. New York, NY: Que Publishing,
2002. ISBN 0735712654. A good introduction, well written with
a great deal of technical detail.
- Perrow, Charles. Normal Accidents. New York, NY:
Princeton University Press, 1999. ISBN 0691004129. An
entertaining yet analytical review of various large-scale
twentieth-century accidents. Makes a useful distinction
between "accidents" and "incidents," and explains Normal
- Reason, James. Human Error. New York: Cambridge
University Press, 1990. ISBN 052131494. An analysis of the
reasons people (and especially engineers) make mistakes.
- Sheinwold, Alfred. Five Weeks to Winning Bridge, Reissue
Edition. New York, NY: Pocket Books, 1996. ISBN
0671687700. At the beginning of this book we quote Mr.
Sheinwold about learning from the mistakes of others. He took
his own advice. One can therefore learn quite a bit from his
- Viega, John and Gary McGraw. Building Secure Software.
Indianapolis, IN: Pearson/Addison-Wesley, 2002. ISBN
020172152X. A good general guide about how to code secure
software, and the pitfalls of haphazard coding and deployment.
- Voas, Jeffrey and Gary McGraw. Software Fault Injection:
Innoculating Programs Against Errors. New York, NY: John
Wiley & Sons, 1997. ISBN 0-471-18381-4. The standard text on
this increasingly popular technique for application testing.
- Weinberg, Gerald. Psychology of Computer Programming,
Silver Anniversary Edition. New York, NY: Dorset House,
1998. ISBN 0932633420. The first book to explore the
implications of using human beings to write programs.
Indispensable to thinking about the causes of software
Papers and Articles
- Advosys Consulting. "Preventing HTML Form Tampering." 2001.
Lots of good technical tips.
- Advosys Consulting. "Writing Secure Web Applications." 2001.
As above, many sound technical tips.
- Aleph1. "Smashing the Stack for Fun and Profit." Phrack
Magazine. 49-14. 1996. See http://www.phrack.org/phrack/49/P49-14.
Detailed, accurate, and deadly.
- Al-Herbish, Thamer. "Secure Unix Programming FAQ." 1999. See
and detailed, with good technical detail.
- Anderson, Robert H. and Anthony C. Hearn. "An Exploration of
Cyberspace Security R&D Investment Strategies for DARPA: The
Day After... in Cyberspace II." Rand Corporation.
MR-797-DARPA. 1996. Abstract available online at
A discussion of security retrofitting as part of a strategy
for critical infrastructure protection.
- Anonymous. "SETUID(7), the SETUID Man Page." Date unknown.
Available online at http://www.homeport.org/~adam/setuid.7.html.
Perhaps the earliest discussion of the security issues
involved with Unix setuid programming, and certainly one of
- AusCERT. "A Lab Engineers Check List for Writing Secure Unix
Code." Australian Computer Emergency Response Team. 1996.
Available online at ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist.
One of the first such formulations. It was one of the primary
inspirations for our own book. Still quite valuable.
- Bellovin, Steven M. "Shifting the Odds--Writing (More)
Secure Software." Murray Hill, NJ: AT&T Research. 1994.
Available online from Dr. Bellovin's site at
A clear and accurate discussion of good secure coding
techniques by an authority on the subject.
- Bishop, Matt. "Race Conditions, Files, and Security Flaws; or
the Tortoise and the Hare Redux ." Course lecture notes from
CSE 95-08. 1995. Available online at
An early and definitive discussion of race condition
vulnerabilities by a leading academic researcher.
- Bishop, Matt. "UNIX Security: Security in Programming." SANS.
1996. See http://olympus.cs.ucdavis.edu/~bishop/secprog.html.
An excellent set of recommendations.
- Bishop, Matt. "Writing Safe Privileged Programs." Network
Security Conference. 1997. See http://olympus.cs.ucdavis.edu/~bishop/secprog.html.
An early and excellent set of comprehensive recommendations.
- Bishop, Matt. "Vulnerabilities Analysis." Presentation
slides. 1997. Available online at http://nob.cs.ucdavis.edu/~bishop/talks/Pdf/vulclass-raid1999.pdf.
A comprehensive overview.
- Bishop, Matt, and Michael Dilger. "Checking for Race
Conditions in File Accesses." 1996. Not available at press
time from the UC Davis archives. See http://milliways.stanford.edu/~radoshi/summaries/Bishop_Dilger_Checking_for_Race_Conditions.html.
Overall, the best analysis of race conditions we have seen to
- CERT/CC. "CERT Survivability Project Report" Computer
Emergency Response Team Coordination Center (CERT/CC). 1996.
Available online at http://www.ieee-security.org/Cipher/Newsbriefs/1996/960223.kerbbug.html.
Good material on building robust systems.
- CERT/CC. "How To Remove Meta-characters From User-Supplied
Data In CGI Scripts." Computer Emergency Response Team
Coordination Center. 1999. Available online from the CERT/CC
repository. See http://www.cert.org/tech_tips/cgi_metacharacters.html.
Expert advice on a common problem.
- Cowan, Crispin, Perry Wagle, Calton Pu, Steve Beattie, and
Jonathan Walpole. "Buffer Overflows: Attacks and Defenses for
the Vulnerability of the Decade." Proceedings of DARPA
Information Survivability Conference and Expo (DISCEX). 1999.
A detailed explanation by leading analysts.
- Cowan, Crispin, Steve Beattie, Ryab Finnin Day, Calton Pu,
Perry Wagle, and Erik Walthinsen. "Protecting Systems from
Stack Smashing Attacks with StackGuard." Proceedings of the
1998 Usenix Security Conference. Available online at
The paper that introduced StackGuard. Very clear explanation
of buffer overflow vulnerabilities, the stack smashing attack,
and one technique to stop it.
- Daemon9. "Project Neptune." Phrack Magazine , 48-13. 1996.
Available online at http://www.phrack.org/phrack/48/P48-13.
The first article about SYN flooding to get wide distribution.
- Dole, Bryn, Steve Lodin, and Eugene Spafford. "Misplaced
Trust: Kerberos 4 Session Keys." Proceedings of the 1997 ISOC
Conference. 1997. Available online at http://www.isoc.org/isoc/conferences/ndss/97/dole_sl.pdf.
Details of the "non-random random numbers" vulnerability in
Kerberos 4 by the people who found it.
- Du, Wenliang. "Categorization of Software Errors That Led to
Security Breaches." Proceedings of the 1998 NISSC. 1998.
Available online at http://csrc.nist.gov/nissc/1998/proceedings/paperF9.pdf.
A good discussion of security vulnerability taxonomy schemes.
- Galvin, Peter. "Designing Secure Software." SunWorld. 1998.
Available online at http://www.sunworld.com/swol-04-1998/swol-04-security.html.
Brief but clear description of some fundamental issues.
- Garfinkel, Simson. "21 Rules for Writing Secure CGI
Programs." 1997. See http://www.webreview.com/1997/08_08/developers/08_08_97_3.shtml.
Good sound clear advice.
- Gong, Li. "Java Security Model." Sun Microsystems. 1998.
Available online at http://java.sun.com/products/jdk/1.2/docs/guide/security/spec/security-spec.doc.html.
A general description by the principal architect.
- Graff, Mark G. "Sun Security Bulletin 122." Sun Microsystems.
1993. See http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/122.
The Sun security bulletin that talks about the "tarball" vulnerability.
- Graff, Mark G. "Sun Security Bulletin 134." Sun Microsystems.
1996. See http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/134.
The Sun security bulletin that talks about the Java
- Graham, Jeff. "Security-Audit's Frequently Asked Questions
(FAQ)." 1999. See http://lsap.org/faq.txt. Brief but
- Gundavaram, Shishir, and Tom Christiansen. Perl CGI
Programming FAQ. Date unknown. See http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html.
Some good material on avoiding Perl CGI security
- Hardin, Garrett, "The Tragedy of the Commons."
Science. (162) 1968. An uncommon insight with wide
- Krsul, Ivan, Eugene Spafford, and Mahesh Tripunitara. "An
Analysis of Some Software Vulnerabilities." 1998. See http://widsard.sourceforge.net/doc/03.pdf.
An outstanding, highly technical analysis of several
- Kuperman, Benjamin A., and Eugene Spafford. "Generation of
Application Level Audit Data via Library Interposition."
CERIAS Tech Report TR-99-11. 1999. An excellent example of
modern security analysis techniques.
- LeBlanc, David. "Integer Handling with the C++ SafeInt
Class." 2004. Microsoft Development Network. See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure01142004.asp.
- McGraw, Gary and John Viega. "Make Your Software Behave:
Learning the Basics of Buffer Overflows." 2000. See http://www-106.ibm.com/developerworks/security/library/s-overflows/.
Clear, accurate description of what causes buffer overflows
and how to avoid coding them.
- Miller, Barton P. "An Empirical Study of the Reliability Of
UNIX Utilities." Communications of the ACM, 33-12. 1990.
Miller's original article about the Fuzz program.
Entertaining, brilliant, seminal discussion of black-box testing.
- Miller, Barton P., David Koski, Cjin Pheow Lee, Vivekananda
Maganty, Ravi Murthy, Ajitkumar Natarajan, and Jeff Steidl.
"Fuzz Revisited: A Re-examination of the Reliability of UNIX
Utilities and Services." 1995. See http://www.opensource.org/advocacy/fuzz-revisited.pdf.
A worthy follow-up to the original.
- Miller, Todd C. and Theo de Raadt. "strlcpy and
strlcat--Consistent, Safe, String Copy and Concatenation."
Proceedings of Usenix. 1999. See http://www.courtesan.com/todd/papers/strlcpy.html.
Introduces new "tamper-resistant" versions of two Unix system
- Mudge. "How to Write Buffer Overflows." 1995. Available
online at http://www.insecure.org/stf/mudge_buffer_overflow_tutorial.html.
Extremely technical and deadly accurate.
- NCSA. "NCSA Secure Programming Guidelines." 1997. Available
online. See http://www.ncsa.uiuc.edu/General/Grid/ACES/security/programming.
Brief but clear discussion of C, CGI, Perl, and some Unix
shell scripting languages.
- NCSA. "Writing Secure CGI Scripts." 1997. Available online
from the National Center for Supercomputer Applications (NCSA)
repository. See http://hoohoo.ncsa.uiuc.edu/cgi/security.html.
- Phillips, Paul. "Safe CGI Programming." Last updated in 1997.
Slightly dated but still useful.
- Rain Forest Puppy. "Perl CGI problems." Phrack
Magazine. 55-07. 1999. See http://www.insecure.org/news/P55-07.txt.
A discussion of CGI security vulnerabilities.
- Ranum, Marcus J. "Security-critical coding for programmers--A
C and UNIX-Centric Full-Day Tutorial." 1998. Available online
from Mr. Ranum's repository. See http://www.ranum.com/pubs/pdf/security-for-developers.pdf.
- Reshef, Eran and Izhar Bar-Gad. "Web Application Security."
The paper that introduced the AppShield product, an advance in
web application testing.
- Saltzer, J.H., and M.D. Schroeder, "The Protection of
Information in Computer Systems." Proceedings of the IEEE.
63-9. 1975. An early analysis of computer security
architecture principles that is still perfectly accurate.
- SecuriTeam. "Sendmail smrsh Bypass Vulnerabilities."
SecuriTeam security bulletin. 2002. Available in the
SecuriTeam online repository. See http://www.securiteam.com/unixfocus/6F0030A5PG.html.
Bulletin that pointed out security vulnerabilities in smrsh,
the Sendmail wrapper program.
- Shostack, Adam. "Security Code Review Guidelines." 1999.
Available online at http://www.homeport.org/~adam/review.html.
Good technical description of how to avoid coding in several
kinds of vulnerabilities.
- Sibert, W. Olin. "Malicious Data and Computer Security."
NISSC. 1996. Available online at http://www.fish.com/security/maldata.html.
Clearly written yet detailed look at vulnerabilities arising
from malicious data, and how to avoid them.
- Sitaker, Kragen. "How to Find Security Holes." 1999.
Available online at http://www.canonical.org/~kragen/security-holes.html.
Accurate and useful look at both high-level and low-level
- Soo Hoo, Kevin, Andrew W. Sudbury, and Andrew R. Jaquith.
"Tangible ROI through Secure Software Engineering." Secure
Business Quarterly. 1-2. 2001. Available online at http://www.sbq.com/sbq/rosi/sbq_rosi_software_engineering.pdf.
An economic analysis of the cost of fixing security
vulnerabilities at various stages in the software development
- Spafford, Eugene H. "Crisis and Aftermath." Communications
of the ACM. 32-6. 1989. An analysis of the 1988 Internet
- Spafford, Eugene H. "UNIX and Security: The Influences of
History." Information Systems Security. Auerbach Publications.
4-3. 1995. Describes how Unix utilities were developed at
Berkeley, and explores the security implications.
- Spafford, Eugene H. "One View of A Critical National Need:
Support for Information Security Education and Research."
Purdue University document COAST TR 97-8. 1997. See http://www.cerias.purdue.edu/homes/spaf/usgov/edu.pdf.
Congressional testimony identifying what Dr. Spafford called
a "national crisis" in information security education.
- Stein, Lincoln D., and John N. Stewart. "The World Wide Web
Security FAQ." Various versions. See http://www.w3.org/Security/Faq/www-security-faq.html.
Good detailed technical treatment of many web security issues.
- Stephenson, Peter. "Book Review: Information Security
Architecture," SC Magazine . 2001. See http://www.scmagazine.com/scmagazine/sc-online/2001/review/005/product_book.html.
A short but helpful view of enterprise security architecture.
- Strickland, Karl. "Re: A plea for calm Re:
[8lgm]-Advisory-6.UNIX.mail2.2-May-1994." Comment on
comp.security.unix discussion thread. 1994. An exchange
about how hard (or easy) it is for a large software vendor to
fix several security vulnerabilities at the same time.
- Sun Microsystems. "Secure Code Guidelines." 2000. Available
online from http://www.java.sun.com/security/seccodeguide.html.
Gives tips in three areas: privileged code, Java, and C.
- Swanson, Marianne, and Barbara Guttman. "Generally Accepted
Principles and Practices for Securing Information Technology
Systems." National Institute of Standards and Guidelines
Computer Security Special Publication 800-14. 1996. See http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf.
This report of the GASSP committee is one of the best
summaries of sound security architecture and design principles.
- Thompson, Ken. "Reflections on Trusting Trust."
Communications of the ACM. 27-8. 1984. Chilling,
authoritative discussion of the chain of trust.
- Van Biesbrouck, Michael. "CGI Security Tutorial." 1996. See http://www.info.lk/techweb/security/cgi/index.html.
Contains many good CGI-specific technical tips.
- Venema, Wietse. "Murphy's law and computer security." 1996.
Available from from Dr. Venema's site at ftp://ftp.porcupine.org/pub/security/murphy.txt.gz.
An expert and highly readable exposition of several types of
common implementation errors, including not-truly-random
numbers (e.g., the Kerberos 4 bug) and race condition
- Venema, Wietse. "TCP Wrappers." 1997. Available from ftp://ftp.porcupine.org/pub/security/tcp_wrapper.txt.Z.
Entertaining article about the genesis of TCP Wrappers.
- World Wide Web Consortium. "The World Wide Web Security FAQ."
1997. See http://www.w3.org/Security/Faq/wwwsf5.html.
Useful and accurate technical advice on safe CGI scripts and
other similar topics.
- Yoder, Joseph and Jeffrey Barcalow. "Architectural Patterns
for Enabling Application Security." Proceedings of the 1997
Pattern Languages of Programming Conference (Plop 1997). 1998.
Available online at http://st-www.cs.uiuc.edu/~hanmer/PLoP-97/Proceedings/yoder.pdf.
Presents a strong set of architectural principles for secure
Web Sites and Online Resources
Of the hundreds (now, perhaps, thousands) of sites on the Web that
address some facet of secure coding, the ones we have listed below
are those we recommend you check first.
- AusCERT Secure Programming Checklist -
Secure programming information from the Australian Computer
Emergency Response Team, AusCERT.
- FreeBSD Security Information - Security
tips specific to the FreeBSD operating system.
- Institute for Security and Open Methodologies
- Contains, among other things, a repository of secure
programming guidelines and testing methodologies. Included in
this set is "The Secure Programming Standards Methodology
Manual" by Victor A. Rodriguez.
- International Systems Security Engineering
Association (ISSEA) - A not-for-profit
professional organization "dedicated to the adoption of
systems security engineering as a defined and measurable
- Packetstorm Tutorials List - A useful
list of tutorials on various programming languages, testing
methodologies, and more.
- Sardonix Web Portal - Dedicated to the
promotion of Open Source application security. By utilizing
members of the open source community to audit and patch
existing and popular Open Source applications, Sardonix
strives to improve the overall security of applications and
consequently the systems they are installed on.
- Secure, Efficient, and Easy C Programming
- A useful "howto" document by Timo Sirainen with tips and
examples of secure C coding.
- Secure Programming for Linux and Unix HOWTO
- David Wheeler's "Howto" page for secure programming
information specific to Linux and Unix. Not an FAQ, but a
substantial online book with accurate and far-ranging advice.
Includes specific secure programming tips for Ada95, C, C++,
Java, Perl, and Python.
- Systems Security Engineering--Capability Maturity
Model - Information on the Software Engineering
Institute-derived SSE-CMM, which measures the maturity level
of system security engineering processes (and provides
guidelines to which to aspire).
- Secure Unix Programming FAQ - Another
document with secure programming tips that are specific to
Unix and Unix-like environments.
- Windows Security - A repository of
information on Microsoft Windows security issues.
- Writing Safe Setuid Programs - Home page
of Professor Matt Bishop at the University of California at
Davis. Contains numerous highly useful and informative papers,
including his "Writing Safe Setuid Programs" paper.
- The World Wide Web Security FAQ -
Security and secure coding tips specific to web environments.
- The Open Web Application Security Project
- Useful web site with tips, tools, and information on
developing secure web-based applications.
A Final Note on Resources
Interest in the topic of secure coding is increasing daily. In the
three years from 2000 to 2003, for example, the number of relevant
books, papers, and sites available on the Web--by our informal