Secure Programming Recommended Reading

Books on Secure Coding and related topics

Secure Programming is a very rapidly evolving field. The best general book at the moment is Dowd et al., which is recommended reading for this module. Not all of it can be covered, but it is a useful reference.

For some specialized topics, particularly if you want to go deeper in your MSc project, the following books and resources are recommended:

  • Mark Dowd, John McDonald and Justin Schuh: "The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities", Addison Wesley, 2006. It is by far the most comprehensive book on general software security, with emphasis on systems security and C code.
  • Robert Seacord: "Secure Coding in C and C++" is thorough on memory corruption issues specific to C and C++, such as buffer overflows and heap corruption.
  • Brian Chess and Jacob West: "Secure Programming with Static Analysis" emphasizes the use of automated tools for finding vulnerabilities. (In particular, their commercial tool is advocated.)
  • Michael Howard: "Writing Secure Code" presents a Microsoft-centric view of secure coding, mainly in C++. Comprehensive but a little dated.
  • Greg Hoglund and Gary McGraw: "Exploiting Software: How to Break Code" explains attacks in some technical detail. As it is a few years old, it does not contain the latest buffer overflow attacks.
  • Gary McGraw: "Software Security: Building Security In" covers a secure software engineering lifecycle and management.
  • Mike Andrews and James A. Whittaker: "How to Break Web Software: Functional and Security Testing of Web Applications and Web Services" gives a quick introduction to some of the most widespread attacks; easily accessible at undergraduate level.
  • Marco Pistoia, Nataraj Nagaratnam, Larry Koved and Anthony Nadalin: "Enterprise Java Security" covers the Java security architecture in some detail, including an explanation of stack inspection. (However, I think they are wrong about describing the granting of permissions as providing lexical scope.)
  • Michael Howard and Steve Lipner: "The Software Security Lifecycle" covers software engineering and management for security (rather than coding).
  • Ross J. Anderson: "Security Engineering: A Guide to Building Dependable Distributed Systems" is recommended as background reading for computer security in general, including economic factors.
  • Some basic knowledge of pointers and arrays in C will be needed for buffer overflows. Kernighan and Ritchie's "The C Programming Language" is the canonical reference for C, known as "K&R".
  • For more background on program analysis, see books on compiler construction. For instance, there are several chapters on static analysis in Aho, Lam, Sethi and Ullman: "Compilers: Principles, Techniques, and Tools".
  • In addition, there is a huge research literature on security. Google Scholar and the ACM Digital Library (free access from the university) are good starting points.
  • There is also Wikipedia... It can be initially useful when you know nothing about a topic, but at postgraduate level you should really read the primary literature whenever possible.