Secure Coding in C and C++ 2nd Edition
Secure Coding in C and C++ 2nd Edition

Author: Robert C. Seacord
Publisher: Addison-Wesley
Pages: 600
ISBN: 978-0321822130
Audience: Experienced C/C++ Programmers
Rating: 4.5
Reviewer: Mike James

In C we need to keep the security of our code in mind all the time otherwise it can be compromised and form a route into the machine. This book aims to help you fix the problem before it starts.

Security is a bigger problem for lower level languages in that it is generally the programmer's responsibility to make sure that code is secure. C and C++ are particularly prone to programme-induced problems because both languages give you enough freedom to make really big mistakes. 

It is worth saying at this point that in this context "security" doesn't mean coding or encryption, but ways in which your code can contain vulnerabilities which can be exploited to take over the machine or to access data or resources that should be out of bounds. 

This book is an attempt to make C/C++ programmers more aware of just how vulnerable their code is. Most of the exploits are at the C level because its more direct approach to memory use. C++ is often put forward as the way of solving the problems because it packages the way memory is accessed in a way that makes it safer - as long as you stick to the rules. 




There are nine chapters in total and what they deal with is fairly obvious from their titles. 

Chapter 1. Running with Scissors - general look at security
Chapter 2. Strings
Chapter 3. Pointer Subterfuge
Chapter 4. Dynamic Memory Management
Chapter 5. Integer Security
Chapter 6. Formatted Output
Chapter 7. Concurrency
Chapter 8. File I/O
Chapter 9. Recommended Practices

Each chapter starts out by explaining the basic functioning of the language. For example in Chapter 2 you are first taught the basics of strings in C and this can be a bit boring if you already know the material. From this point the book moves on to consider how things can go wrong with string handling and how this can result in a memory overrun into the stack. Next the book provides general ideas about how a given vulnerability might be used by an attacker. For example a stack incursion can be used to inject code. The coverage is up-to-date enough to include reasonably recent ideas such as return oriented programming ROP. 

As the book goes on you will learn more and more about the inner workings of both C and the operating system. If you don't know what a stack or a heap is then you will by the end of Chapter 2. If you don't know how the C++ manages memory then you will by the end of Chapters 3 and 4.




Chapter 5 introduces the theory and practice of numerical representations an how using say a signed integer as an index can be used against you. Chapter 6 introduces you to the many possible flaws in formatting most of which should be well known. Chapter 7 deals with the less well known topic of how concurrency can be used against you . Most of the discussion however is just as applicable to writing good quality concurrent programs that don't suffer race hazards or deadlock. Chapter 8 looks at file systems, mostly Unix/Posix, and how to work with data in a secure way. The book closes with a look at best practices.

It is shocking that we need such attention to detail to ensure that our C, and to a lesser extent C++, programmers don't commit the sort of errors that have been in circulation for a very long time - but we do. It is also slightly sad that to find a book on the inner workings of things that deals with the material at a practical level we have to be dealing with security issues. It is also worth noting that the assembly language and systems examples are x86 oriented. 

This is a very good book and highly recommended as long as you mostly want to know about flaws that arise in C. It doesn't really cover the security implications of working in C++ without dropping down to write some pure C. 



The Definitive Guide to MongoDB

Authors: David Hows, Eelco Plugge, Peter Membrey, Tim Hawkins
Publisher: APress, 2013
Pages: 308
ISBN: 978-1430258216
Aimed at: programmers who want to learn MongoDB
Rating: 4.5

"A Complete Guide to Dealing with Big Data Using MongoDB". Does it live up to this claim?

Joe Celko’s SQL for Smarties Advanced SQL Programming 5th Ed

Author: Joe Celko
Publisher: Morgan Kaufmann
Pages: 854
ISBN: 9780128007617
Print: 0128007613
Kindle: B00R17NZZC
Aimed at: Advanced SQL developers or computer science students
Rating: 5
Reviewed by: Kay Ewbank

This is a must-read book for any SQL programmer, covering advanced topics in an understandable wa [ ... ]

More Reviews

Last Updated ( Thursday, 19 June 2014 )

RSS feed of book reviews only
I Programmer Book Reviews
RSS feed of all content
I Programmer Book Reviews
Copyright © 2016 All Rights Reserved.
Joomla! is Free Software released under the GNU/GPL License.