Helpful References

Below is a list of some material that will help programmers and security profressionals learn more about secure programming. Some of the material will also be helpful in preparing for the assessments. This is not intended as a complete list or an endorsement, but simply as a starter for those interested in learning more. If you have found other helpful references, please send a note to spa@sans.org and we'll add to the list.

Book References for Software Security

19 Deadly Sins of Software Security

Michael Howard, David LeBlanc, John Viega

Building Secure Software: How to Avoid Security Problems the Right Way

John Viega, Gary McGraw

Exploiting Software: How to Break Code

Gary McGraw, Greg Hoglund

Foundations of Security: What Every Programmer Needs to Know

Neil Daswani, Christoph Kern, Anita Kesavan

Hacking Exposed: Web Applications

Scambray, Shema, Sima

Introduction to Computer Security

Matt Bishop

J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed)

Art Taylor, Brian Buege, Randy Layman

Secure Coding in C and C++

Robert Seacord

Secure Coding: Principles and Practices

Ken Van Wyk, Mark Graff

Secure Programming Cookbook for C and C++

John Viega, Matt Messier

Security and Usability

Simson Garfinkel, Lori Faith Cranor

Software Security: Building Security In

Gary McGraw

The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities

Mark Dowd, John McDonald, Justin Schuh

The Security Development Lifecycle

Michael Howard, Steve Lipner

Web Security, Privacy & Commerce, Second Edition

Simson Garfinkel, Gene Spafford

Writing Secure Code, Second Edition

Michael Howard, David C. LeBlanc

Websites & Podcasts for Software Security

CERT - Secure Coding Initiative

http://www.cert.org/secure-coding/

Microsoft Corporation - Security Developer Center

http://msdn2.microsoft.com/en-us/security/aa570401.aspx

MITRE - Common Weakness Enumeration (CWE)

http://cwe.mitre.org/

OWASP - Open Web Application Security Project

http://www.owasp.org/index.php/Main_Page

© 2000-2007 The SANS™ Institute

SANS Web Privacy Policy: www.sans.org/privacy.php - Web Contact: webmaster@sans-ssi.org
SANS SSI Press Room: www.sans-ssi.org/press / Policy On SANS Trademark Usage