Plenty of good security books are out, but while my security library grows at an alarming rate, the bulk of the resources focus on security from a network-centric perspective. Securing a system or application is more than just keeping hackers out of a network. The majority of security writers seem to ignore developmental aspects of security, choosing instead to focus on hackers, hacker techniques, and securing against threats from the Internet, perhaps because hacker books sell. However, developers must understand and follow sound security disciplines to build securable applications. Very few books present this information. What’s a developer to do?
Books you must read
I've compiled a list of must-reads for security-conscious (or those who want to be security-conscious) developers. The resources on my reading list detail developmental principles from a high-level, design perspective—detailing what needs to be done and providing an easy-to-understand rationale. Together, these establish a basic understanding of security-centric application development.
You won't find implementation-specific, how-to references listed here. Though they have their place in the security market, I've chosen to exclude them because they don't provide the whats and whys—that is, the security rationale that transcends platform-specific implementation. For example, books on how to perform auditing in J2EE give the specifics for how to perform auditing, but don't tell when to audit or why. I’ve met many phenomenal programmers who know how to build security functionality into an application but cannot build a secure system because they don't understand the security basics. Knowing the whats and whys is just as important as knowing the hows.
My only exceptions to the how-to references are Hacking Exposed, 3rd Edition, by the Foundstone group and Internet Firewalls and Network Security, published by New Riders. While these two don't have a great deal to do with development, they balance developmental security theory by presenting the two other sides of the security triangle: hacker mentalities and methodologies, and network security support. Developers must understand hacker mentalities or they won't be able to successfully defend against them. Developers must also understand how to build applications that interoperate with modern network defenses and defense techniques. These two books make this possible.
Here’s my must-read list:
- The Rainbow Series by the National Institute of Standards and Technology (NIST)
- The Computer Security Handbook, by Hutt, Bosworth, and Hoyt
- Writing Secure Code, by Howard and LeBlanc
- Building Secure Software: How to Avoid Security Problems the Right Way, by Viega and McGraw
- Hacking Exposed, by McClure, Scambray, and Kurtz
- Internet Firewalls and Network Security, by Siyan and Hare
The Rainbow Series is available as a free download on the SecurityFocus Web site. Although the Rainbow Series was published in the late 80s, it provides the foundation for modern security thought. It's an invaluable resource—a reference every programmer should have. I keep copies of the Orange, Tan, and Lavender Books from the Rainbow Series readily available on my desk—I keep the others in the series on CD within reach. The most important guide in the series is the Orange Book; it describes and explains the “trusted computing base” along with the fundamental principles of security doctrine. Though it’s a little too thick to memorize, all developers should be thoroughly versed in the Orange Book. It’s available free, so there’s no excuse not to have a copy.
The Computer Security Handbook is incredibly thorough and will take a while to read through and digest. Much of this resource is aimed specifically at security analysts and doesn't apply to development. I recommend that developers focus on Chapter 1, “Management Role,” and Chapter 10, “System Applications Controls.” The first chapter solidifies the basic tenets of security. The tenth chapter rolls these basics into a developmental model—a roadmap for building securable systems. Both chapters are relatively short, and the information presented gets developers running in the right direction.
The developer’s responsibility for security
Writing Secure Code and Building Secure Software both approach computer security as if it were primarily a developer’s responsibility. While I don't entirely agree that it’s all the programmer’s fault when a system is compromised, programmers have a responsibility to write sound code and follow security best practices while designing and coding. When reading these two references, realize that hardware manufacturers must also participate in the security process.
A good example of how hardware can be used to bypass security mechanisms is the BIOS password. Security-conscious people may set a BIOS password on their desktop to prevent unauthorized access—but the password can be easily bypassed because hardware manufacturers provide a means of getting around it (jumpering a couple of pins on the motherboard). The principles set forth in these books are sound. Remember, however, as you read them, that there is more to security than just good software.
My favorite book is Hacking Exposed. The authors give invaluable insight into the minds and methods of the hacker underground. While the methods and tools documented in these types of books may be obsolete or outdated, this is still a valuable reference. The idea isn’t to learn how to hack, but to typify attack methodologies to build defense mechanisms against them. After all, the best defense is knowledge about your adversaries’ offense.
Lastly, Internet Firewalls and Network Security presents the basics of network security, rounding out and completing the security picture. Systems must be designed to work with firewalls, intrusion detection systems, and VPNs if they are to be present in the target environment. I’ve met many programmers who insist that network defenses don't or won't affect their design. While the defenses will not affect the design, they will affect performance. A system designed without knowledge of the target network’s defenses will often behave poorly and perform badly. It’s hard to keep up with all the changes in the network technology arena. Dr. Siyan has done a great job, though, of taking a snapshot of firewall technology and putting it in the context of the Internet threat and basic network security.
I would have trouble identifying a single resource for developmental security. So many facets must be discussed. The six references listed complement each other to build a complete picture. Every security-conscious programmer should have these in his or her professional library.