Hi Everyone,
Welcome to my blog! From time to time, I'll post interesting tidbits of info and/or opinions. For now, check out the new book that I have co-authored with Christoph Kern and Anita Kesavan entitled "Foundations of Security: What Every Programmer Needs To Know" (now available at Amazon at:
http://www.amazon.com/gp/product/1590597842?ie=UTF8&tag=learnsecurity-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=1590597842 or at your local bookstore).
*** If you know or work with programmers, please let them know about it. ***

Summary of the Book

The book teaches new and current software professionals state-of-the-art software security design principles, methodology, and concrete programming techniques they need to build secure software systems, making them highly marketable to companies and employers.
Why Security Is So Critical

Chances are that unless we all learn something about security, the Internet will continue to be a very vulnerable place in which cybercriminals thrive.

* The number of security vulnerabilities reported to the federally funded Computer Emergency Response Team (CERT) at Carnegie Mellon University climbed from 5,990 in 2005 to 8,064 in 2006.
* According to IBM's Internet Security Systems division, 88.4 percent of all 2006 vulnerabilities could be exploited remotely, and over half of the vulnerabilities would allow an attacker to gain access to the host (e.g., your computer) after successful exploitation.
Many of these vulnerabilities are used by cyberthieves to commit identity theft, steal credit card numbers, and launch online attacks using malware and botnets. That's really bad. So bad that popular technology websites like C|net dedicate an entire section of their sites to high-profile threat announcements, and they are filled with new articles every single day.
What's the Root Cause of Security Failures?

Software. Software with security design flaws and software with implementation bugs. As a technologist, given my love for software and my embarrassment at the current state of the world, I worked with the Stanford Center for Professional Development (SCPD) near the tail end of my PhD to help create a Computer Security Certification program (http://proed.stanford.edu/?security) that has to date helped many companies and software professionals mitigate security flaws in software.
The courses that make up the certification program became the basis for the material in this book. Given the importance of the material in this book to the security of the future of the Internet, I was extremely honored to have Dr. Vint Cerf, often called one of the "Fathers of the Internet" (due to his work on the original design of the TCP/IP protocols) and a recipient of the Presidential Medal of Freedom, write the foreword to this book.
Detailed Information About the Book

This book takes a principled approach to helping you design and implement your applications to be secure from the ground up, and illustrates these principles using running examples of web applications throughout the book. Just as you might use object-oriented design principles to achieve extensibility and code reuse, you need to learn about security design principles, such as the principle of least privilege, a fail-safe stance, and securing the weakest link, to achieve security; all of these are covered in this book. This book does not merely teach you "tips" and "tricks" that let you "band-aid" the security of your systems. Instead, it illustrates how security principles can be employed to prevent some of the most significant current-day attack types, such as SQL injection and cross-site scripting (XSS), as well as more traditional attack types such as buffer overflows. We also cover session and password management, and show you how you can use cryptography to help achieve various security goals.
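To make concrete the difference between "band-aid" fixes and a principled defense, here is an added example (mine, not code from the book or its web site) showing a login check that builds its SQL by string concatenation next to one that uses bound parameters. The users table, the accounts in it and the attack payload are constructed for this illustration; the table stores plaintext passwords only to keep the example short, which a real system must never do (store salted password hashes instead).

```python
import sqlite3

# Constructed sample accounts for this example (not data from the book).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with a small, constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation. Attacker-controlled text
    becomes part of the SQL grammar, so a crafted username can comment out
    the password check entirely."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Uses bound parameters. The driver sends the values separately from
    the statement text, so user input can never change the query's structure,
    whatever quotes or comment markers it contains."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions against a legitimate login and an injection attempt."""
    conn = make_db()
    # In the concatenated query this closes the string literal after 'alice'
    # and turns the rest of the WHERE clause into an SQL comment.
    payload = "alice' --"
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_attack": login_vulnerable(conn, payload, "wrong"),
        "parameterized_legit": login_parameterized(conn, "alice", "s3cret"),
        "parameterized_attack": login_parameterized(conn, payload, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the payload above, the concatenated query becomes `SELECT username FROM users WHERE username = 'alice' --' AND password = 'wrong'` and logs the attacker in as alice without a password, while the parameterized version simply finds no user named `alice' --`. The point is the principle, not the patch: escaping individual quote characters would be a band-aid, whereas keeping data and code separate removes the whole class of bug.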
How to Get Your Copy

To help aggressively disseminate knowledge about the techniques and practices that programmers need to know to achieve security, I have worked with the publisher to provide this book to the market at a low price of $40 retail, or only $26 on Amazon. If you are a teacher or an IT decision maker potentially interested in buying copies for your students or your organization, respectively, I would be more than happy to have the publisher provide you with a free evaluation copy of the book.
The book's web site (http://www.learnsecurity.com/ntk) provides slides and source code that you are free to use for your own courses and needs. Also, those who enroll in the SCPD Advanced Security Certification (http://scpd.stanford.edu/scpd/courses/proed/CompSecCampus/) will receive the book for free.
I look forward to your help in making the Internet more secure so that it can continue to transform global commerce, communication, and entertainment. Please feel free to let me know if you have any questions or feedback by dropping me an email at daswani@learnsecurity.com, and I look forward to working together with you to continue to secure the Internet!
Sincerely,
Neil Daswani, PhD
http://www.neildaswani.com/