Of late I have been doing extensive research on application security to come up with application security guidelines (the minimum and most important ones) which could prove very handy and, at the same time, very useful for different classes of IT professionals, including developers and architects. This is where I have come across the following books, which have helped me fulfil my objectives. In one of my later blogs, I shall also list the basic minimum knowledge that developers need in order to write secure code. In the meantime, allow me to list the top 4 application security books that, I believe, every developer would want to keep handy and refer to on a regular basis to gain knowledge in application security and write secure code:
- Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World
The book is authored by Michael Howard and David LeBlanc. It lists several secure coding techniques which could prove very useful for developers while they are writing code. It has a special chapter on writing secure .NET code. Additionally, it includes chapters on secure code review and security testing. One very good chapter in this book is the secure coding checklist for developers, which you could print out and paste around your working area to make sure you perform the minimum checks before calling it “DONE”. It also has a security testing checklist for testers, which could be kept handy by testers and used before they call their testing “DONE”. If you are a newbie or a junior developer and want to start on application security by mastering secure coding practices, this book may serve your need. Personally, this is one of my favorite ones.
- Building Secure Software: How to Avoid Security Problems the Right Way
The book is authored by John Viega and Gary McGraw. It talks about guiding principles for software security and provides a detailed description of some of the top security concerns, such as buffer overflows, access control, cryptography, password authentication, database security, etc. The book is better suited for developers who want to go deeper and learn about security principles and the details of the most commonly discussed security concerns. It is also very well suited for would-be security professionals who want to understand the fundamentals of these commonly discussed security concerns. For a developer, “Writing Secure Code” should be the first choice rather than this book. That said, this could be read alongside the earlier-mentioned book, but it may not be a good book to start with.
- Security Engineering: A Guide to Building Dependable Distributed Systems
The book is authored by Ross Anderson. It covers various security topics which may be of key interest to security professionals who want to go deeper into security concepts such as multilevel security, economics, distributed systems, multilateral security, monitoring and metering, biometrics, etc. This may not be a good choice for developers starting on security topics, as it discusses application security fundamentals with information security professionals in mind. Developers may find themselves lost if they start with this book.
- Security Patterns in Practice: Designing Secure Architectures Using Software Patterns
The book is authored by Eduardo Fernandez-Buglioni and was published only last year, in 2013. It provides an extensive, up-to-date catalog of security patterns, along with some useful case studies that demonstrate how and when to use these patterns. Although this book can be used by developers starting on application security, it may be most suited for those who have learnt secure coding practices and want to go to the next level by applying security patterns in the architecture and design phases of application development. The book covers security patterns around topics such as identity management, authentication, access control, process management, file management, network management, web services, middleware programming, etc.
Apart from keeping the above 4 books handy, developers may want to keep the following webpages bookmarked for security references from time to time:
- OWASP Cheat Sheets
- Secure Coding Guidelines on Mozilla WIKI
- CERT Coding Standards
- Schneier on Security
- PHP Security
- Security Risks