Category: Software security

12/16/07

Permalink 05:35:07 pm, by lano1106, 365 words, 2160 views   English (CA)
Categories: Windows programming, Software security

Writing Secure Code

Writing Secure Code, Michael Howard and David LeBlanc, ISBN: 0735615888


This is a good book, as it does a good job of covering the different sources of software insecurity:

  • The classical buffer overflows, on the stack and on the heap
  • Canonicalization issues in input handling
  • The principle of least privilege
  • A brief overview of how to store a secret

On the last point, the authors know the topic well. If you use cryptography to protect something in your software but simply store the key in a global variable, you are doing most of the attacker's work for them: the key ends up verbatim in the executable, and all they have to do is scan the binary for something that looks like key material. A security measure is only as strong as its weakest element, and no attacker is foolish enough to go after a cryptographic algorithm that is believed strong when the key can be read straight out of the program. Even if you store the key in a safer place, it has to be in memory at the moment the software uses it, so a memory dump taken at the right time still retrieves it. At best you can make the attacker's job harder: there is nothing you can do to make software 100% safe against an attacker if the software is valuable enough to motivate them. All that improving its security buys you is time before it is broken. All that to say that there is no bullet-proof solution, but the book gives solid leads for improving software security in that respect.
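The two attacks described above, in working C, added here as an example rather than code from the book: a key stored as a global constant is located in a "binary image" by nothing more than a distinct-bytes scan, and a key that is kept in memory longer than needed is compared with one that is wiped the moment the operation is over. The image is a constructed byte buffer standing in for a .rodata section, the key is a made-up 32-byte constant, and the distinct-bytes count is a cheap stand-in for a real entropy scanner.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The anti-pattern from the review: key material baked into the program
   as a global constant is copied verbatim into the executable's data
   section. Constructed example key (32 distinct bytes), not from any
   real product. */
static const uint8_t HARDCODED_KEY[32] = {
    0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
    0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
    0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
    0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
};

/* Constructed stand-in for a binary image: licence strings with the key
   lying among them, as a linker would lay out .rodata. Returns the image
   length (0 if out is too small) and the key's offset. */
size_t build_sample_image(uint8_t *out, size_t cap, size_t *key_off)
{
    const char *filler = "Licensed to the user. ";
    size_t flen = strlen(filler), n = 0;
    int i;
    for (i = 0; i < 16; i++) {
        if (i == 8) {                          /* drop the key in the middle */
            if (n + sizeof HARDCODED_KEY > cap) return 0;
            *key_off = n;
            memcpy(out + n, HARDCODED_KEY, sizeof HARDCODED_KEY);
            n += sizeof HARDCODED_KEY;
        }
        if (n + flen > cap) return 0;
        memcpy(out + n, filler, flen);
        n += flen;
    }
    return n;
}

/* Distinct byte values in buf[0..len): a cheap stand-in for entropy.
   Text and code repeat bytes heavily; random key material does not. */
static size_t distinct_bytes(const uint8_t *buf, size_t len)
{
    uint8_t seen[256] = {0};
    size_t i, d = 0;
    for (i = 0; i < len; i++)
        if (!seen[buf[i]]) { seen[buf[i]] = 1; d++; }
    return d;
}

/* Slide a window over the image; a window with at least min_distinct
   distinct bytes is "random-looking". Reports the span from the first
   such window to the end of the last one (a single key is assumed).
   Returns 1 if any window qualified. */
int find_random_region(const uint8_t *img, size_t len, size_t win,
                       size_t min_distinct, size_t *start, size_t *end)
{
    int found = 0;
    size_t i;
    if (len < win) return 0;
    for (i = 0; i + win <= len; i++) {
        if (distinct_bytes(img + i, win) < min_distinct) continue;
        if (!found) { *start = i; found = 1; }
        *end = i + win;
    }
    return found;
}

/* Wipe that the optimizer cannot drop as a dead store. A plain memset()
   right before return is routinely removed, leaving the key in memory
   for the next dump. */
void secure_zero(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Scan the sample image for the key. Returns how many bytes wider than
   the key the reported region is, or -1 if the region misses the key. */
long demo_key_region_slack(void)
{
    uint8_t img[1024];
    size_t key_off = 0, start = 0, end = 0, n;
    n = build_sample_image(img, sizeof img, &key_off);
    if (n == 0) return -1;
    /* 28 of 32 distinct: 32 random bytes average about 30 distinct values */
    if (!find_random_region(img, n, 32, 28, &start, &end)) return -1;
    if (start > key_off || end < key_off + sizeof HARDCODED_KEY) return -1;
    return (long)(end - start) - (long)sizeof HARDCODED_KEY;
}

/* Hold the key in memory only for the duration of the operation, then
   wipe it. Returns 1 if no key byte survives the wipe. The XOR fold is a
   placeholder for the real cipher call. */
int demo_use_key_then_wipe(const uint8_t *key, size_t keylen)
{
    uint8_t local[64], fold = 0;
    size_t i;
    if (keylen > sizeof local) return 0;
    memcpy(local, key, keylen);
    for (i = 0; i < keylen; i++) fold ^= local[i];   /* "use" the key */
    secure_zero(local, keylen);
    for (i = 0; i < keylen; i++)
        if (local[i] != 0) return 0;
    (void)fold;
    return 1;
}

int main(void)
{
    printf("key region slack: %ld bytes\n", demo_key_region_slack());
    printf("key wiped after use: %d\n",
           demo_use_key_then_wipe(HARDCODED_KEY, sizeof HARDCODED_KEY));
    return 0;
}
```

The scan narrows the key down to a region a few dozen bytes wide without knowing anything about the program, which is exactly why the global-variable approach helps the attacker. The wipe only shrinks the window during which a memory dump pays off; as the review says, it does not close it.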

The book puts a strong emphasis on Microsoft security technologies: the Windows Crypto API and the Windows privilege APIs are described at length. If you develop on Windows and want to make your software more secure, this is an excellent book for you. If you develop on another platform, there is still something in it for you, as many of the code snippets for improving software security are platform independent, such as the input validation for file names that protects you against canonicalization bugs.
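An illustration of the file-name validation just mentioned, added here as an example and not taken from the book: the path is normalized before it is checked, so that "..", ".", repeated separators and backslashes cannot smuggle a file outside the directory the program meant to serve. The root directory, the sample inputs and the decision to treat both '/' and '\' as separators are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COMP 64

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Resolve user_path lexically against root and write the normalized
   absolute path to out. "." is dropped, ".." pops a component, repeated
   separators collapse, and any ".." that would climb above root is
   rejected. Both '/' and '\\' count as separators (assumption: the input
   may be Windows-style); a ':' in user input (drive letter, alternate
   data stream) is rejected outright. Returns 1 on success, 0 on rejection.
   Caveat: this is purely lexical. Symbolic links, junctions, 8.3 short
   names and trailing dots or spaces are not handled; on a real file
   system, also verify the path the OS actually opens. */
int resolve_under_root(const char *root, const char *user_path,
                       char *out, size_t cap)
{
    const char *comp[MAX_COMP];
    size_t len[MAX_COMP];
    size_t depth = 0, root_depth = 0, pos = 0, i;
    const char *src[2];
    int k;

    src[0] = root;
    src[1] = user_path;
    for (k = 0; k < 2; k++) {
        const char *p = src[k];
        while (*p) {
            const char *start;
            size_t n;
            while (is_sep(*p)) p++;                 /* collapse "//", "\\" */
            if (!*p) break;
            start = p;
            while (*p && !is_sep(*p)) p++;
            n = (size_t)(p - start);
            if (k == 1 && memchr(start, ':', n)) return 0;
            if (n == 1 && start[0] == '.') continue;
            if (n == 2 && start[0] == '.' && start[1] == '.') {
                if (depth == 0 || (k == 1 && depth <= root_depth))
                    return 0;                       /* would escape root */
                depth--;
                continue;
            }
            if (depth == MAX_COMP) return 0;
            comp[depth] = start;
            len[depth] = n;
            depth++;
        }
        if (k == 0) root_depth = depth;
    }
    if (depth == 0) {
        if (cap < 2) return 0;
        strcpy(out, "/");
        return 1;
    }
    for (i = 0; i < depth; i++) {
        if (pos + 1 + len[i] + 1 > cap) return 0;
        out[pos++] = '/';
        memcpy(out + pos, comp[i], len[i]);
        pos += len[i];
    }
    out[pos] = '\0';
    return 1;
}

/* Check helpers: accepted with the expected result, or rejected. */
int resolves_to(const char *root, const char *in, const char *expected)
{
    char out[256];
    return resolve_under_root(root, in, out, sizeof out) == 1
        && strcmp(out, expected) == 0;
}

int is_rejected(const char *root, const char *in)
{
    char out[256];
    return resolve_under_root(root, in, out, sizeof out) == 0;
}

int main(void)
{
    const char *root = "/srv/files";                 /* assumed root */
    const char *inputs[] = { "docs/./report.txt", "docs//../images\\logo.png",
                             "docs/../../../etc/passwd", "..\\..\\secret",
                             "notes.txt::$DATA" };   /* constructed inputs */
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char out[256];
        if (resolve_under_root(root, inputs[i], out, sizeof out))
            printf("%-28s -> %s\n", inputs[i], out);
        else
            printf("%-28s -> rejected\n", inputs[i]);
    }
    return 0;
}
```

The important ordering is normalize first, then check: comparing the raw string against a prefix or a deny list is exactly the canonicalization bug the book warns about, since "docs/../../etc/passwd" starts with "docs/" and contains no obviously bad token.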

This is a very good book about software security, but I do not recommend this edition, simply because a newer edition of it exists.

07/04/07

Permalink 10:19:17 pm, by lano1106, 207 words, 2209 views   English (CA)
Categories: Software security

Security Engineering: A Guide to Building Dependable Distributed Systems

Security Engineering: A Guide to Building Dependable Distributed Systems, Ross J. Anderson, ISBN: 0471389226

The title is perhaps misleading. It is not a step-by-step 'how to' guide for building secure systems, as most engineering books are; it is rather a survey of the security protocols used in various fields. Of course, you can learn from the successes and failures described in the book and apply that knowledge when developing a new system, but you will have to connect the dots yourself.

The book is very dense with information, and at first its format made it tedious for me to read; it took about three chapters before I got used to it. Once that was out of the way, the book became amazingly interesting. It describes systems used in banking, by diplomats, the military, for nuclear weapons, the police, set-top-box TV decoders, smart cards and anti-tampering devices in general, spies, biometric authentication, etc., focuses on the security protocols these systems use, then highlights their weaknesses and how people have figured out ways around those protocols.

The best quality of the book is that it helps you understand the mindset of both a secure system designer and a system attacker.

Permalink 09:41:16 pm, by lano1106, 300 words, 2204 views   English (CA)
Categories: Software security

Beyond Fear

Beyond Fear, Bruce Schneier, ISBN: 0387026207

The content of this book slightly overlaps with the author's previous book (Secrets and Lies: Digital Security in a Networked World) but presents the material from a different angle: the perspective of a security expert who witnessed the security measures governments took in reaction to the 9/11 terrorist attacks and wants people to understand the absurdity of some of those measures.

It is not technical at all and requires no particular background to understand and enjoy. The author explains clearly how to assess the risk to something you want to make more secure and then evaluate the cost of the security measures. Only with both figures in hand can you judge whether the added security is worth it.

These explanations are backed by concrete examples, such as evaluating the risk of making a purchase with a credit card over the Internet. Another example is the absurdity of securing a lunch in a company refrigerator: the potential loss from a stolen lunch does not justify the cost of securing it. The author also explains why even a technology that looks very accurate, such as facial recognition with an error rate of, let's say, 0.0001%, is totally ineffective when it has to screen a huge number of people, such as a stadium crowd: even at that accuracy, screening that many people produces an unmanageable number of false-positive alerts, and almost none of the alerts are real.
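The stadium argument in numbers, as an added worked example that is not from the book or the review. The false-alarm rate $f = 10^{-6}$ (0.0001%) is the figure quoted above; the crowd size $N$, the fraction $p$ of screened people who are genuinely on the watch list, and the detection rate $s$ are assumptions chosen for illustration.

```latex
Expected false alarms per event:
$$E[\text{false alarms}] = N f$$

Chance that a given alert is a real match (positive predictive value):
$$\mathrm{PPV} = \frac{p\,s}{p\,s + (1-p)\,f}$$

With $f = 10^{-6}$, $N = 70{,}000$ people per event, $p = 10^{-7}$
(one listed person per ten million screened) and $s = 1$:
$$N f = 0.07 \text{ per event}, \qquad
\mathrm{PPV} = \frac{10^{-7}}{10^{-7} + 10^{-6}\,(1 - 10^{-7})} \approx 0.09$$
so roughly ten of every eleven alerts are false even at that accuracy.

With a less generous $f = 10^{-4}$ (a system advertised as 99.99\% accurate):
$$N f = 7 \text{ per event}, \qquad
\mathrm{PPV} \approx \frac{10^{-7}}{10^{-7} + 10^{-4}} \approx 0.001$$
```

The volume of alerts is governed by $N f$ and their quality by the ratio $p / f$; a vendor's "accuracy" figure fixes neither, which is the point the book makes about very rare targets in very large populations.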

The author also elaborates on why you should question the motivation of a security provider when it is a third party, and links this to how people's fears can be exploited to introduce invasive, excessively expensive and ineffective security measures. I think the author's goal was to make people more critical about security questions, and in my opinion he has succeeded.

07/03/07

Permalink 10:28:37 pm, by lano1106, 94 words, 2465 views   English (CA)
Categories: Software security

Secrets and Lies: Digital Security in a Networked World

Secrets and Lies: Digital Security in a Networked World, Bruce Schneier, ISBN: 0471453803

This book is not very technical, but it is very interesting to read and very good at conveying the basic principles of security. It will teach you why security matters more than ever with the advent of computers and internetworking. It presents potential attackers, their motivations and their resources, and shows how to add security to a system by analyzing how the system could be attacked. After reading it, you will have a better understanding of what it means to make a digital system secure.

06/26/07

Permalink 10:20:38 pm, by lano1106, 193 words, 2748 views   English (CA)
Categories: Software security

Applied cryptography

Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition, Bruce Schneier, ISBN: 0471117099

This book is extremely complete. It briefly covers the history of cryptography, describes the political implications of cryptography, and finally shows how cryptography can be used in applications and presents the various cryptographic algorithms.

The algorithm section starts with a number theory primer. Honestly, I found it a little too thin to give all the background needed to fully understand the algorithms, but on the other hand you cannot expect a single book of this size to also cover the latest mathematical research in number theory. It at least has the merit of having stimulated my curiosity about number theory when I read the first edition.

Another point that makes this book interesting is that at the end of each chapter presenting the algorithms in a given category, you get Bruce Schneier's opinion on which algorithm is best. Of course, this type of information becomes outdated very fast, but it is interesting to follow his thought process and test his predictions as the book ages.

So, if you are looking for your first cryptography book, it should be this one.

Olivier Langlois's blog

I want you to find in this blog information about C++ programming that I had a hard time finding on the web myself.
