Resources: Helpful References

Below is a list of some material that will help programmers and security professionals learn more about secure programming. Some of the material will also be helpful in preparing for the assessments. This is not intended as a complete list or an endorsement, but simply as a starter for those interested in learning more. If you have found other helpful references, please send a note to spa@sans.org and we'll add them to the list.

Book References for Software Security

19 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega
Building Secure Software: How to Avoid Security Problems the Right Way
John Viega, Gary McGraw
Exploiting Software: How to Break Code
Gary McGraw, Greg Hoglund
Foundations of Security: What Every Programmer Needs to Know
Neil Daswani, Christoph Kern, Anita Kesavan
Hacking Exposed: Web Applications
Scambray, Shema, Sima
Introduction to Computer Security
Matt Bishop
J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed)
Art Taylor, Brian Buege, Randy Layman
Secure Coding in C and C++
Robert Seacord
Secure Coding: Principles and Practices
Ken Van Wyk, Mark Graff
Secure Programming Cookbook for C and C++
John Viega, Matt Messier
Security and Usability
Simson Garfinkel, Lorrie Faith Cranor
Software Security: Building Security In
Gary McGraw
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
Mark Dowd, John McDonald, Justin Schuh
The Security Development Lifecycle
Michael Howard, Steve Lipner
Web Security, Privacy & Commerce, Second Edition
Simson Garfinkel, Gene Spafford
Writing Secure Code, Second Edition
Michael Howard, David C. LeBlanc

Websites & Podcasts for Software Security

CERT - Secure Coding Initiative
http://www.cert.org/secure-coding/
Microsoft Corporation - Security Developer Center
http://msdn2.microsoft.com/en-us/security/aa570401.aspx
MITRE - Common Weakness Enumeration (CWE)
http://cwe.mitre.org/
OWASP - Open Web Application Security Project
http://www.owasp.org/index.php/Main_Page