Writing Secure Code Revisited
Last year and this year I have dedicated some time "revisiting" the secure code development area. My start point was the book "Writing Secure Code" from Michael Howard and David LeBlanc, from Microsoft Press.
Getting back to books published more than 10 years ago is interesting. We can evaluate what went right and what didn′t.
Some subjects evolved tremendously, like: Threat Modeling, Static Testing and Penetration Testing.
Threat Modeling from a chapter , now deserves an entire book, as Adam Shostack did at "Threat Modeling: Design for Security", published in 2014. The book describes several useful models that can be employed to make detailed analysis of potential threats and how to mitigate them. This book is strongly recommended by Bruce Schneier. Threat Modeling transform the software analyst in a very good and precise inquirer !
It is very interesting to see how some initial ideas described in "Writing Secure Code" about Threat Modeling evolved to a software tool developed by Microsoft. This is the case of Threat Modeling Tool, freely available, and very useful to develop models that can increase the visualization of weak areas prior to the coding. It is also a great teaching ( and learning ) tool.
Static Testing had also a tremendous increase. For example, the evolution of Coverity, acquired by Synopsis last year. The tool addresses the complete secure code development task, not only verification. Actually implements the maturity model concept. And it is also a "short cut" for the OWASP Top 10.
Penetration Testing is a more "generous" area in terms of publication and tools. Patrick Engebretson′s "The basics of hacking and penetration testing" is a good start. With explosion of SaaS this area increased in importance a lot.
Finally, my study showed that "Writing Secure Code" deserves a new revision !