24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them
by Michael Howard, David Leblanc and John Viega

McGraw-Hill 2010.
ISBN 978-0-07-162675-0. amazon.com USD 31.49

Reviewed by Richard Austin, 1/16/2010

If a profession as young as information security can be said to have classic literature, then the predecessor to this book, "19 Deadly Sins of Software Security," certainly earned that accolade. Published in 2005, it clearly described 19 of the most egregious errors in programming, illustrated them with numerous examples, described the testing techniques that could be used to identify them, and provided paths to redemption that would avoid them in the first place.

This set a very high standard for any second edition and I think the authors have succeeded in both updating the content (things have changed in some ways since 2005) and improving the organization of the book.

The sins are now organized into four major categories reflecting the area where the sins occur:

  • Web Application Sins: SQL injection, XSS, etc.
  • Implementation Sins: buffer overflows, etc.
  • Cryptographic Sins: weak passwords, the incorrect use of encryption, etc.
  • Networking Sins: failing to protect network traffic, using SSL improperly, etc.

As in its predecessor, each sin has its own chapter that follows a common format. The chapter opens with an overview of the sin that includes the consequences that can follow from its presence in a deployed application (such as failing to meet regulatory compliance mandates). Next, CWE (Common Weakness Enumeration) references are provided and the languages in which the sin can be committed are listed (a welcome feature to counteract the "you can't write vulnerable software in language X" mantra). The sin is then explained in detail with concise illustrations in the various languages.

With a good grasp of the sin and its manifestations, the discussion then moves to tactics for dealing with it. First, solid guidance is given on how to "spot" the sin by describing the general conditions that must exist in order for the sin to occur. Next, advice is given on identifying the sin during code review (specific things to look for) and testing techniques that can be used to identify the sin's presence. Example CVE references are provided to remind the reader that these sins do manage to creep into widely used software systems.

The next section describes the paths to redemption that can prevent the sin from worming its way into your code. The redemptive steps are illustrated in multiple languages.

The chapter then concludes with an extensive list of references and a concise summary of the chapter.

Read from cover to cover, this book will give you a good grasp of the common problems in software that generate the vulnerabilities we spend much of our professional lives mitigating. However, as noted in the introduction, the sections (and chapters) are designed to be standalone. So, if you are developing a new web application, you can spend your quality time with just that section. If your application makes use of a SQL database (whose doesn't these days?), you can read just the chapter on SQL injection sins.

This book is a worthy successor to the "19 Deadly Sins", and the authors managed to "top" themselves by writing a better organized and more inclusive book the second time around. Going from 19 to 24 deadly sins might cause some to say we're headed in the wrong direction but a careful reader will note that some of the original 19 sins have disappeared and been replaced. That is cause for hope.

This is an excellent book to put on your shelf but I hope you won't leave it there. Do share it with software development managers and the software developers (in chapter doses if necessary). If we do this often enough and well enough, maybe the next edition will be the 18 deadly sins and won't include any of the present 24.


Before beginning life as an itinerant university instructor and security curmudgeon, Richard Austin was the storage network security architect for a Fortune 25 company. He welcomes your thoughts and comments at rausti19 at Kennesaw dot edu