This is one of the better books I have read about software security in quite a while. It does a solid job of explaining what static analysis is and how it can be applied to software security and then provides an expansive tour of security issues that can be detected with static analysis and the patterns that lead to this detectability. Just reading through all of these examples forces the reader to come to a better understanding of how software security vulnerabilities come about in general.
When I first picked up the book I expected it to be essentially a 500 page advertisement and user manual for Fortify’s Source Code Analyzer tool. That would make sense as the authors are Brian Chess and Jacob West – Fortify’s founder/Chief Scientist and manager of their Security Research Group. I don’t know that I would have a problem with that because I’m a big fan of the tool, but it would have limited the audience of folks the book would have been useful for. However, I was especially pleased to find that the book is actually a great general purpose reference for software security and static analysis that anyone wanting to write more secure code can read.
Part I (chapters 1 – 4) provides a very solid introduction to the value of software security and the theory behind static analysis and provides some really interesting material on different approaches to static analysis that can be applied to solve software security problems. This is pretty theoretical stuff, but does a great job of providing a framework for the patterns explored through the rest of the book. There is also some good material on how to integrate the use of static analysis tools into a software development process – essentially establishing who is going to run the tool, when it is going to be run and what is going to be done with the results. The first three chapters could be read by anyone interested in the topic – the fourth chapter is probably for programmers only.
Part II (chapters 5 – 8) steps through the general problems of software security that can be attacked with static analysis – primarily input validation. The bulk of this material is focused on C and C++ issues – buffer overflows, integer overflows and string formatting vulnerabilities. Even though I personally don’t do a lot of C/C++ programming any more, I found the material to be fascinating. If you actually are programming in C and/or C++ on a regular basis, you will hopefully find the material both fascinating and immediately useful. Chapter 8 has material that applies to all environments for dealing with exceptions and error codes, resource leaks and logging.
Part III (chapters 9 – 12) looks at more specialized topics. There is good material on web applications and web services as well as some information on how to integrate cryptography into applications. Chapter 12 deals with programs at different privilege levels. Again – since I don’t do a lot of system-level C and C++ programming, it has been quite some time since I wrote a binary that was supposed to have setuid privileges. Regardless, I found the material very interesting.
Part IV (chapters 13 and 14) is a tutorial on how to use Fortify SCA. The book comes with a CD-ROM containing a demo version of the software and you can go online to get a license key. Running through the exercises is a good way to get an idea of how modern, commercial static analysis tools work and get a feel for how they might integrate into your team’s development process.
Overall I really enjoyed this book. The fact that it mixed a theoretical treatment of the material with a large number of practical examples made it very interesting. I consider myself to be pretty knowledgeable in this area and I learned some new tips and tricks from the book. More importantly – I learned some new ways to think about software security and that really has long-term value for me.
dan _at_ denimgroup.com