First. Full disclosure. I am an ex-employee of Fortify Software. Second. I was a reviewer of this book. That said... I'd say the target audience for this book is 50% of developers and all the tire-kickers who don't think static analysis is possible (let alone accurate).
Why only 50% of developers? This is based upon one of my own heuristics when putting together (or working in large) development teams. i.e. 50% of the developers in the world shouldn't even be writing code, and, the world would be safer place if they weren't. Unfortunately they are. And, they need tools. And, one of those tools should be a static analysis tool focused on software security. I've only scanned a few hundred million lines of code at Fortune 500 companies over the past 5 years. And, the vast majority of that code proves to me that 50% of developers couldn't even write (compilation error free) a `Hello World' from scratch let alone find all of the cross-site scripting or buffer overflows in their own production code.
The tire-kickers are the other 50% of developers (architects, lead developers, etc). They need to try; findbugs, FxCop, splint, and the tool on the accompanying CD of this book. Some will be too smart to use a tool like the one in the accompanying CD. They won't see the value in giving their developers a tool that simply checks for the obvious. They have the policies in place that completely eliminate the possibility of the other developers `introducing vulnerabilities' into the code base and/or `checking in code that breaks the the build'. Wow! ... Other tire-kickers are not so smart. (Again, full disclosure. I'd fit into that category.) The only question that I would hope to answer from reading this book is; If I give a tool as described in this book to my dumbest developer... will they be able to produce better code. I know the answer. YOU have to read this book.
Disappointing and Lacks details
If you are an architect who really serious about building security to your large-scale applications, then this book would offer only a hello world to security. All you find is a full-blownup security chapter "Part 1 and 2" for Standalone application applications beyond that nothing but google-able content. The worst is Part III discusses on web apps, XML web services security, privacy and privileged programs - poorly written and highly repetitive content. To the most disappointment, there is no chapter to show how to put-to-gether all these stuff in a real world enterprise application. I also noticed the book if has the same Java examples from the Java site. The chapter on Web services security is a joke, shows the authors lack of understanding on Web services security fundamentals. After browsing all the pages, I don't found anything that shows how to incorporate them in a working security architecture. The book also trying to promote a product, maybe this book is relevant for those use the author suggested products.
making more robust code
Chess and West describe methods of building security into your coding projects. As an integral part of the development process. There are tools out there which perform the static analysis described in the text. These are far removed from the early tools, which the book correctly describes as glorified grep. (That is, they were merely fancy parsers.)
The tools are not definitive, as you are cautioned. Often, their greatest virtue can be to point out source code that should be subject to manual scrutiny. In a large code base, of hundreds of thousands of lines, this can be invaluable assistance.
A quick comparative summary of various bug and security tools is also provided in Chapter 2. Specifically, figure 2.2 is a nice qualitative summary of these tools.
Various chapters of the book deal with problems also covered elsewhere. Like finding buffer overflows. Especially with string logic. While the Web also is now a source of weaknesses in web applications that are weak in input and output validation. You have to carefully filter anything that you solicit as user input on a web page.
If your code must be secure, read this book
Every software developer who has to write secure code should read this book. This book will tell you how to use static analysis tools to help you build more secure software. It's a great primer for software developers who are new to static analysis and for security practitioners who want to learn how recent advances in the field can improve their software.
I reviewed an pre-release version. It's good stuff. It's well-written, easy to read, and tells you what you need to know without getting bogged down in the details. Brian Chess and Jacob West have a great deal of experience in this area and they do a good job of conveying pragmatic information you can apply in practice to improve your software.
Glad to see this is out!
I was an early technical reviewer of the manuscript and I'm thrilled to see that the book is finally in print so other people can get their hands on it.
Brian and Jacob live and breathe this stuff, and it shows. If you're a developer or manager of developers and you're coding software that may eventually be run over the internet (that's pretty much 100% of it, right?) you should read this book!
