Software Books

There seem to be three categories of computer security books. The first category is books written for system administrators or computer owners, and explains how to protect the computers under their control. The second category is the "true crime" genre that recounts the exploits of black hat hackers or explains the hacker culture (sometimes as "how-to" books for non-programmers). The third, and rarest, category is books for professional programmers that explain the coding idioms that make programs more secure or more insecure.

This book is an excellent contribution to the third category. It explains how certain ways of programming in C and C++ make programs vulnerable to security attacks. There are many code examples throughout the book illustrating the issues.

Although everything is explained in great detail, the treatment is not superficial. (No background in computer security is required, but the reader should be at least a journeyman C or C++ programmer.) Some of the security holes will surprise readers familiar with the basics of computer security. My favorite example: Many programmers know that the gets() function once was involved with compromising 10% of the computers on the Internet in a single day, but did you know that printf can also be a security flaw in some cases? The statement:
printf(s);
can allow an attacker to run any code of his choosing if s is a string provided by the attacker. Even more surprising is the printf attack has been used successfully on popular programs.

This book should be read by any programmer who does I/O across a network, or who writes applications that provide a captive environment for their users (data entry stations, information kiosks), or who writes programs to manipulate sensitive data. Even programmers merely curious about security issues will find this book a readable treatment. I guess the Black Hats can read the book to get more ideas for future attacks.

I can personally vouch for Seacord's expertise. He is a security analyst as the Computer Emergency Response Team/Coordination Center, and I've worked with him on the ANSI/ISO C Programming Language Standards Committee. I've found his information on computer security both educational and valuable.
[...]

This is an important book for people that write computer programs and their managers.
It is also very well organized and well written. Seacord reveals how the bad guys take
advantage of bugs in programs to break into a system or damage it. It is the most
complete list of exploitable bug types that I am aware of.

Many examples are given, naming software that have been exploited by bad guys. Some
may protest that this provides the bad guys with a list of easy targets. All of the
vulnerable software has been updated to fix the bug, and the improved version has been
available for a long time.

Everyone that writes software intended to be used by someone else should read this book.
Every organization that writes software should have a copy.

Most of the security flaws are buffer overflows. Secord shows how, from the simple use of
gets() through mistakes triggered by subtle differences in the rules for signed and unsigned
integers of various sizes. There are other ways, and some are quite subtle, but still
preventable. The bad guys are not Jay Leno's "Dumb crooks."

The primary way to frustrate the bad guys is to not have any of the bugs they exploit.
Seacord admits zero bugs is an elusive goal and recommends defense in depth by the use of
various freeware or commercial packages intended to trap or prevent certain errors.
He lists and describes many, with their strengths and weaknesses.

Read this book and make your code better. Read it again, next year.

The following are my opinions, based on over 40 years writing software, but I doubt
Seacord would disagree. Every security bug is also a bug that can cause a crash or a
wrong output from a program. The major cause of fewer bugs is the attitude of the
programmer. Managers can affect the attitude of the programmers by their choice of
questions. Do not ask "Is it done yet?" Instead try approaches like: "Tell me about how
you validated the inputs and how you identified all the inputs." "Who reviewed your test
cases?" "How did you decide you had tested enough?" The fewer bugs of any kind in your
product, the less likely the bad guys are going to target it, other things being equal.

I had the honor of taking a short course at a software security summit from Robert Seacord. I would have to say it was one of the most informative security related courses that I have taken. This book encompasses the course that I took and does a great job of explaining what to watch out for when writing code.

I highly recommend this book for any serious developer.

This book slipped under my radar, but I recently picked it up and was quite impressed.

This book is fairly unique in that it is accessible and well-written, yet, at the same time, unabashedly technical. It's quite simply a very good book, and it should prove valuable to readers new to software security, as well as experienced security consultants and vulnerability researchers.

I know the problem domain intimately, and was quite impressed at the level of thoroughness and the technical depth of the coverage. This book isn't merely a well-written exploration of known insecure programming idioms and attack techniques; there's actually a considerable amount of original research and material that you won't find elsewhere. Specifically, the coverage of integer issues goes above and beyond what has been previously written, and it's incredibly topical given the current trends in vulnerability research. Seacord's mastery of the C language and his ability to distill the practical rules of thumb out of the somewhat fragmented C standards really results in an excellent resource.

Seacord gives an unsettling walkthrough of vulnerabilities present in much of C and C++ coding. Buffer overflows take up a significant portion of the discussion. Which leads into considering how these can be introduced into unwary code. Consider C. The common string functions of strcpy, strcat, gets, streadd() and others are shown to be very exposed to error or attack. C++ also has similar drawbacks.

The text explains that much of these trace back to some bad usages. Strings are defined to be null terminated. And bounds checking is often not done. While this is often true of code that the programmer writes, it is also true of various common C library functions, like those mentioned above. In fact, Seacord goes so far as to emphatically assert that gets() should never be used in your code. Instead, he suggests fgets() or gets_s().

Seacord also covers other topics, like dynamic memory management, which might have vulnerable heaps. Various 3rd party analysis tools are suggested, to find these errors.

Overall, the book can be quite disturbing, if you are maintaining a large body of C or C++ code. Might make you want to delve in and replace those gets(), at the very least.

While the text doesn't mention this, it turns out that recent languages like Java and C# have far more robust string handling abilities. They were written after the above flaws in C and C++ become apparent.

Have been using code from this book with great success, extending the functionality of SSJS objects (SuperFile, SuperMail)--until now (SuperClient). SuperClient can't seem to see the [client] object in an iPlanet WebServer 4.1 environment. So, digging around in vendor supplied documentation for that version, we find [customClient]. The description of this [customClient] object is very similar to [SuperClient]. Now, while merging the functionality of the two, the book continues to be a wonderful asset.

iPlanet Web Server, Enterprise Edition Server-Side JavaScript Guide (v4.1)* March 2000 (p140 ff) Creating a Custom [client] Object

EXTRACT: Properties of the predefined [client] object can have only string values. To extend the [client] object with a custom object include the following line at the beginning of pages that require it: [var customClient = getCustomClient();] If this is NOT the first page that requests the object you get an existing object, otherwise a new one is created.

I have been using and referring this book to development teams for the past year. An excellent tutorial and reference point for people exposing the power of Server-side JavaScript.

The book was very good with the best history of JavaScript (server and client-side) I have ever read. However, nobody in the professional world will start a project today in SSJS, the language is extinct. Only legacy web applications will be using this and there are so many better server-side languages available now.

I have scanned this book, and true to what the other reviewers have said, this book looks excellent. I like that SSJS seems to separate the business stuff from the presentation stuff (HTML) unlike ColdFusion and ASP's. How many people are using SSJS?

If any one wanted to learn good SSJS programming techniques, this is the best buy. Authors not only have real stuff but they explained in a much better way than anyother about SSJS concepts with wonderful, real life examples. Ofcourse, you shoud know about javascript fundamentals (core javascript) before you read this book and authors are very specific about the content of the book and their target is only for users of SSJS

Now I have not read the book all the way through. I only use it as a reference when I can't figure something out on my own.

It has had the answer every time I needed it, so I am very impressed so far. Also bought the book on the new version of Office by the same authors and have the same thing to say about it.

Good Stuff

This product was in excellant condition upon arrival and arrived before expected.
I have used Que Books by the same authors previously. I find these are excellent reference books.

Very detailed, as you would expect from a Que book, but quite well organized. Except for unique requirements, the book blurb is true - "the only book on Vista you will ever need".

I have read and put to work about half of this book and I'm impressed with its thorough coverage. However be aware that to fully benefit from this book you must have intermediate to advanced prior knowledge of the Windows OS. This new edition includes SP1, but I found several remnants of references to pre SP1 Vista features that were not corrected or edited. For example, the Search link was deleted from the Start Menu by SP1. Yet the book refers to this link as if it was still present. If these minor problems had been corrected I would have rated this book 5 stars.

A very comprehensive treatment which lives up to its title of the only vista book you need.A real bargain at the price.

It is one of the best books on SQL I have read. This is a good book not only for those who want to use SQL Anywhere but for all SQL Afficianodos. It is both comprehensive and compact. I found this book useful while trying to understand Mobilink. I recommend this book without any hesitation to anyone who wants to understand how everything works in SQL Anywhere.

In a word: Awesome! This is the definitive book on Sybase SQL Anywhere 9. If you use this at work, especially in a replicated environment, then you MUST have this on your shelf.

This is a down-to-earth, no-holds barred approach to dealing with the good/bad/indifferent aspects of SQL Anywhere Studio 9. I am a data architect for a company that manages over 4,600 remote databases and this book has single-handedly helped me solve issues we have been having for months.

The author, Breck Carter, is a man who has been in the trenches with "the rest of us" to solve some of the most vexing data management problems. The solutions are as simple as they are elegant.

Written in a "real-world" tone, this book gets to the nitty-gritty of 99% of problems. The chapter on Mobilink replication is worth the price of the book alone as it goes into extreme detail on the how/whens/whys of moving data around and how to best utilize this impressive feature.

Highly Recommend!

Some of the documentation in this book is included no were else besides Sybase official docs. Given that "official docs" have such a dry reputation, I was happy to find this book. Indeed it is much easier to read, and contains lots of important information for configuring and programming in your SQL environment.

This book is packed with pertinant, in-depth info. The author does not have an overly-wordy style, so there is no inflated page-count.

This book is simply a must-to-have for db-developers; it presents a complete and compact reference for experienced developers as well as it offers a comprehensive immersion in SQL Anywhere to beginners and less experienced ones.

If I had to use only one word to express my opinion about this book I would just say: RELIEF. Relief of not getting drowned again in hundred of pages of irrelevant topics, misleading information, decorative pictures and tools descriptions.

I highly recommend this book to application programmers, as myself, accustomed to flirting with different db-engines but still seeking a solid understanding relational db paradigms.

I started using Sybase SQL Anywhere before Sybase owned it--when it was called The "Watcom" Database Engine. "SQL Anywhere Studio 9 Developer's Guide" is an outstanding reference. The book was written by someone who obviously has a great deal of experience using SQL Anywhere Studio to build real-world software solutions. Highly recommended.

While some passages are repetitive, on the whole, this book is very informative. The author leaves nothing to chance and is thorough in his explanation of various methods and how to reproduce them. The explanations by example are flushed out with no assumptions made about user knowledge, which was great in my case because before reading this book, all I knew about SAS is that it existed. Now, I can apply various and powerful statistical techniques on my own. Thanks Prof. Hatcher!

More detailed explanation of every subject discussed. Nothing was assummed. The appendix include vital information for new SAS users.

This is the single best statistics text I've ever read. It's extremely easy to follow, very practical, and gives outstanding examples. Everything is so clearly described in the book that one might call it Factor analysis and SEM for Dummies. I only wish that the book covered nonrecursive SEM models.

Very easy to read. Examples are simple and effective. The book explains the statistical concepts as well as the SAS programming tricks. In fact, the book provides complete code - you will be able to get good amount of analysis done just by copying that code. However, you also need to buy the "The Little SAS Book" if you never used SAS before.

This outstanding book was one of the mainstays for my Ph.D. dissertation. It explain factor analysis and SEM techniques in a clear and effective way, with an hands-on approach that guides the reader during all the data analysis and result interpretation phases.

One of the first book written on structured systems analysis and still, after 20 years, one of the best. The techniques has stood the test of time.

I read this book over 20 years ago. It is still the best. I keep it right on my desk.

I was introduced to Data Flow Diagraming in college with this book. Since then I have seen many other books describing DFD's. All fail to explain them as clearly as this book does. I highly recommend it!

This is an EXCELLENT text and workbook. I was searching for a current publication. I have a very old copy but I find it still extremely relevant. I Took a graduate course in structured systems analysis in 1997 and the text the professor/ school ordered for the students was horrible and absolutely no help. I took out my old copy and was able to follow along very well. (I would bet the professor was also using this text as his guide :-) THIS BOOK NEEDS TO BE KEPT IN CIRCULATION!!!!

As a business process consultant and information systems designer, I am constantly looking for effective techniques for capturing business details and new system requirements. I have looked at every new tool and method to come along, but this is STILL the best one there is. A testament to this book and it's methods is that many of the latest software tools, using the latest technology, still build on the methods and diagrams used in this book. And it's all still valid. Every consultant, business analyst, and systems designer MUST have a copy of this book in their library!

Testing has often been the misbegotten portion of the software development process. Frequently neglected until the semi-chaotic end of the production cycle, the testing phase has traditionally been shortened to accommodate a fixed release date. The relationships between the developer and test groups are to some extent adversarial, but in so many cases it often breaks down into open hostility. Among developers, it is often considered demeaning to have to soil ones hands by actually testing the code. With such a sullied background, it is no wonder that production code is generally riddled with bugs.
As the authors of this book point out, all of the above are dangerous conditions. With the expansion of code reuse and RAD tools, the development of the initial iteration is going to be done at a faster pace than before. Since the number of pathways through the code is operationally infinite, the only way relatively bug-free code will be developed is by allocating more resources to testing and making the choice and tracking of test cases a more scientific endeavor. The most significant point of the ten made in this book is that the testing process should be considered on an equal basis with that of development so that both groups communicate as equals. Without that, all the fancy, efficient tools in the world are reduced to the level of mere toys.
This is a book that can and should be read by developers, managers and yes, even testers, as all will benefit from the simple words of wisdom.

This book gives excellent insight for the beginning QA professional. It not so detailed that developers and managers will not want anything to do with it either. It explains ways to communicate quality assurance without offending anyone. The content is concentrated on the expressing QA in a brighter light without ruffling too many feathers. I recommend it for everyone in a technical environment with the goal of attaining quality. THIS IS A MUST HAVE FOR ANY QA PROFESSIONAL.

Much has changed in software development and testing practices since this text was written in the late 90's. However, many of the identified challenges are still with us. I find myself rereading this book as it is a useful reference for a test manager. The authors identify dual disparate roles for the software tester. In role one, the focus is on the task of testing software, such as test planning, test design, and execution. In role two, the tester or test manager's role is more as a politician and marketer to protect the test staff and promote the value they bring to each project . The text focuses on the second role, which elaborates on what the authors identify as the top ten people oriented challenges for the software test professional.

The first section of the book includes an assessment to help you identify your strengths and weaknesses in meeting people related testing challenges. The bulk of the text contains individual chapters on the top 10 challenges. The challenges are explained along with guidelines to overcome the challenge. Chapters can be read out of order and this format allows you to focus on your weaknesses as identified in the self assessment. The last section of the book describes a six step change process to implement improvements. My favorite two chapters were "Explaining Testing to Managers" and "Getting Trained in Testing." Highly recommended.

This is an excellent review of the biggest recurring problems of the software testing world. As I read the descriptions of each of the 10 challenges, I was astonished at how many of the pitfalls I fall into on a regular basis. Perry & Rice don't just lay out what the challenges are - they also discuss how to meet each one. Each item on the list has its own chapter with sections on the impact on testing, solutions to the challenge, impediments to implementing the solutions, and helpful guidelines to creating a plan of action. This is without a doubt an excellent book for those of us in the trenches of software testing each day. (One bit of advice, though - if you're looking for a book on "how to do software testing", look elsewhere. Perry and Rice have other good books on the subject, but this one is really intended to help you step back from your daily testing work and see where you could improve on your approach to it.)

When this book was written software testing was starting to consolidate into an 'honorable' profession, and the number of good books about testing could be counted on your fingers (and probably a few toes). The discipline has matured into a profession, and there are so many excellent books on the subject now that it boggles my mind.

You'd think that the top ten challenges listed in this book would have been long ago resolved and replaced with a new set. Sadly, that isn't the case. Each challenge listed is as valid today as it was when this book was written, and except for #10 on the list (getting trained in testing), which has dramatically improved, the other nine are still there. Read the book. Take the advice of the two authors, both of whom are seasoned professionals who give the solutions to these challenges, and move the profession forward.

Here are the top five challenges that I see today, drawn from the list in the book:

#1 today, #6 in the book: Communicating with Customers -- And Users
#2 today, #3 in the book: Hitting a Moving Target
#3 today, #1 in the book: Having to Say No
#4 today, #4 in the book: Testing What's Thrown Over the Wall
#5 today, #2 in the book: Fighting a Lose-Lose Situation

Your order may be different, but I am willing to bet that the list will be the same. This book does give realistic solutions to these problems, so if you agree with the list, then you'll find this book valuable.

As someone with a background in the comparatively 'easier' (and more stable) Mac world, I found this book, more than any other Windows 98 guidebooks, to be the most useful in terms of explaining why my Wintel product was failing. The book is exceptionally well-designed. Not only is the materially organized in a useful fashion, the page-layout makes things easy to read. The author's writing style is crisp and engaging, and that which he is trying to teach is genuinely useful. Indeed, _Using the Windows 98 Registry_ is so straightforward in its approach, I felt like I was reading a tech manual for a Macintosh product. I would second another reviewers' comments, though, that future editions could benefit from the inclusion of case studies.

I purchased the book to understand how Windows 98 registry really works. I had sometimes to correct corrupt registry entries arising from my heavy user actions and this may be very scary.

Hunneycutt's book was the right choice. This is a book written by an expert with high pedagogic skills. I found not only the whys of registry but a number of tips that helped resolving my issues. Reading this book felt me more in control of the machine.

Also useful are some of the freeware and shareware described in the book, like regmon. To be frank, however, I didn't find much use for the featured software that come with the book's CD.

The book offered a lot more than my immediate needs requested. For instance, as a programmer I found it may be a powerful reference tool for those needing to write code accessing the registry.

As a hint for the next edition I suggest increasing anedotical contents for troubleshooting application entries and other heavy user issues.

This book has tons of useful information and goes into detail in the areas where you need it to. Lots of good desktop edits, good CD, and very easy to read & follow.

This book is excellent for understanding the "theory" of the Win 98 registry, but I have not found it very useful for guidance in the practical aspects of actually tweaking registry settings. It usually contains enough information about a particular registry section to know if it is not worth editing, but it often does not give enough coverage to important keys. It would definitely benefit a lot from input by a person who commonly solves problems using the registry. That said, I have sometimes found it helpful when trying to find which key contains a given piece of info that I am interested in tweaking.

This book is one of the best written registry books that I have read. It explains all the hard to find details that most other books barely touch on. It's the only registry book that I recommend!

I have taught programming for about 20 years in a local college. I have several other Rod Stephens books so when I needed a book to help me with the new features in Visual Basic 2008, this book was my first choice. I was not disappointed. At over 1000 pages it covers just about everything you might need, whether you are a beginner or an expert. The good explanations are backed up by good examples. I highly recommend it.

For the novice user this book will take you by the hand, and guide you through VB.NET from the IDE, to basic principles and concepts of OO programing, and into concrete examples, covering a vast amount of information. There is an incredible 200+ page appendix.

Like most other books on the subject, the sections that cover parts of VB that I work with daily (and thus understand well) offered few new insights. The other 75% of the book has proved to be extremely helpful!

If you truly "know" VB.NET '08 inside and out, then you don't need this book (or any others for that matter!), for the rest of us the useful information abounds.

A weighty tome with substance to match the heft. Mr. Stephens knows his material and knows how to make his knowledge accessible. This book has become a necessary adjunct all of my VB projects.

I'm experienced with VB.Net but needed a quick reference book for the new features (esp. LINQ) and that would also provide an overview for features I might not otherwise discover.

My first project with VB 2008 sent me right to the book. I was able to easily adapt code lifted right off the page on the first task. However, different code from the book for a second task was less successful (LINQing on a data set table). The syntax (in the book) for the ORDER BY clause was erroneous and raised a perplexing error. (Perhaps the Wrox web site corrects this; I haven't checked.) Googling brought me to a Microsoft web site with an example with the correct syntax.

I guess you should expect such issues when applying 15th century technology (i.e., printed paper) to a bleeding edge tool.

All in all, however, the book was worth the modest investment. Make use of Amazon's excerpts to evaluate it for your own needs (I did).

By the way, the (first) one I received was damaged (crumpled pages, torn backcover) in packaging, but Amazon redeemed themselves by promptly sending an intact replacement.

This is a great book. Starting for the simplicity and going strong describing in simple language the complicated topics for the beginner to the advanced programmer in VB 2008(VB 9).

I enjoyed the reading and I am not done yet with the book. And after reading some paragraphs again, have been able to find new details that allow me to improve my routines.

Thank you Rod for the book.

BUt why do VB when c# is just as easy and you can write unmanaged within it. Its just a no brainer with all the limitations of VB still.

Visual Basic experts Lars Powers and Mike Snell effective collaborate in the Visual Basic Programmer's Guide to the .NET Framework Class Library to instruct intermediat to advanced level users on a full range of issues including: delineating and define the pieces of .NET; explaining how/why .NET was conceived and what this means to VB6/Windows DNA developers; how to execute Windows programming using the .NET namespaces; position the .NET namespaces within the context of the reader's project; how to make architecture decisions when using .NET namespaces; as well as details about the construction of Web Services and how they programmatically communicate with each other. Visual Basic Programmer's Guide to the .NET Framework Class Library is enhanced further with call-outs and highlighted sections will illustrate concepts by relating previous VB6/Windows DNA best practices with the new .NET approach. 1152 pages. User Level: Intermediate-Advanced. Highly Recommended.

I found this book to be a handy 2nd book to have on .NET programming... it doesn't have much content to help you make the transition to .NET (I'd have to recommend Gary Cornell's Programming VB .NET: A Guide for Experienced Programmers for that task), but it does do a great job of helping you find the right class libraries and write code with them once you are up and running with your language of choice.

Each chapter is focused on a namespace. The authors then spend a few pages bringing people up to speed on the spotlight technology (I am new to XML and particularly liked the intro to XML piece). Then they dive right into the details of using the .NET classes to achieve your desired end-result. The class library that ships with .NET is huge, and I found it helpful to use this book as a guide to highlight the classes I should worry about to get 80-90% of my programming work done.

Now for the cons: the sample applications could have been a bit more in-depth, and I really think they should have spent the time to make the book "bi-lingual" by providing some C# code as well - but overall, a great addition to your .NET bookshelf.

The challenge for a reference book like this is to be better the documentation that Microsoft provide - MSDN and the .Net framework SDK. My experience is that this book certainly achieves that.

For example, today I needed to show the "save file" dialog and then write the contents of a text box to a text file. I know how to do that in VB6, but I hadn't done it in VB.Net before. I searched MSDN which gave me accurate descriptions of the menthods and properties of at least four classes for writing data to files, but I still had no idea which one(s) I needed to use.

I am sure the sample code I needed is somewhere in MSDN, but I hadn't found it after 20 minutes searching when I gave up and referred to this book. In five minutes I had found what I was after, my code worked and I was able to get on with my next task. That is what this book is for. If you want to learn about the new programming features in VB.Net (like polymorphism, delegates etc) this is not your book. But if you want help getting your .Net program to talk to anything (files, printers, active directory, browsers, TCP/IP Sockets, XML/XSLT or whatever) This book will be a valuable resource.

Just note that while this book covers ASP.Net and ADO.Net, if you work with these a lot you might want more depth than is provided here. I will be considering the Wrox "ASP.Net Namespace Reference" when it is released.

Because of a project, I needed to finally make the jump from VB6 to VB.NET. After reviewig several books, I grabbed the book by Powers and Snell. It helped tremendously on the key pieces of my project. What I really like are the numerous code examples - worth the price of the book alone! I even contacted the authors to get their thoughts on something and ask a few questions. Not only did they reply with great answers, but their indepth knowledge of .NET helped finalize an important part of my project architecture. Looking forward to more titles by Powers and Snell. Thanks again guys!