Foundations of Security: What Every Programmer Needs to Know (Expert's Voice)

Dr. Gary McGraw, a well-known software security expert, said, “First things first—make sure you know how to code, and have been doing so for years. It is better to be a developer (and architect) and then learn about security than to be a security guy and try to learn to code” (McGraw 2004). If you are interested in becoming a security expert, I wholeheartedly agree with him. At the same time, many programmers who just need to get their job done and do not necessarily intend to become security experts also do not necessarily have the luxury of pursuing things in that order. Often, programmers early in their careers are given the responsibility of producing code that is used to conduct real business on the Web, and need to learn security while they are continuing to gain experience with programming. This book is for those programmers—those who may have (at most) just a few years of experience programming. This book makes few assumptions about your background, and does its best to explain as much as it can. It is not necessarily for people who want to become security experts for a living, but it instead helps give a basic introduction to the field with a focus on the essentials of what every programmer needs to know about security.

One might argue that our approach is dangerous, and that we should not attempt to teach programmers about security until they are “mature” enough. One might argue that if they do not know everything they need to know about programming before they learn about security, they might unknowingly write more security vulnerabilities into their code. We argue that if we do not teach programmers something about security, they are going to write vulnerabilities into their code anyway! The hope is that if we teach programmers something about security early in their careers, they will probably write fewer vulnerabilities into their code than they would have otherwise, and they may even develop a “spidey sense” about when to ask security professionals for help instead of writing code in blissful ignorance about security.

That said, the goal of this book is to provide enough background for you to develop a good intuition about what might and might not be secure. We do not attempt to cover every possible software vulnerability in this book. Instead, we sample some of the most frequent types of vulnerabilities seen in the wild, and leave it to you to develop a good intuition about how to write secure code. After all, new types of vulnerabilities are identified every day, and new types of attacks surface every day. Our goal is to arm you with principles about how to reason about threats to your software, give you knowledge about how to use some basic defense mechanisms, and tell you where you can go to learn more. (Hence, we have included many references.)

Nonlinear Signal Processing : A Statistical Approach
A Unified Treatment of Non-Gaussian Processes and Nonlinear Signal Processing

Nonlinear signal processing methods are finding numerous applications in such fields as imaging, teletraffic, communications, hydrology, geology, and economics–fields where nonlinear systems and non-Gaussian processes emerge. Within a broad class of nonlinear...

Elementary Functions: Algorithms and Implementation
"An important topic, which is on the boundary between numerical analysis and computer science…. I found the book well written and containing much interesting material, most of the time disseminated in specialized papers published in specialized journals difficult to find. Moreover, there are very few books on these topics and they are...
RMAN Recipes for Oracle Database 11g: A Problem-Solution Approach
It’s sometimes said that the true job of an Oracle database administrator can be summed up in one, essential skill: to be able to recover your database.

There’s much wisdom in that statement. Of all the things you are responsible for as a database administrator, nothing is more important than the data itself. Like it or not, the...


Persons, Souls and Death: A Philosophical Investigation of an Afterlife

Awareness of mortality is the price of intelligent consciousness. This book argues that a person is essentially an immaterial subject of conscious states who, though intimately linked by causal ties to the body, is nevertheless distinct from it. The book also examines apparently paranormal occurrences supporting the belief that some persons...

Quantum Variational Calculus

This Brief puts together two subjects, quantum and variational calculi by considering variational problems involving Hahn quantum operators. The main advantage of its results is that they are able to deal with nondifferentiable (even discontinuous) functions, which are important in applications.

Possible applications in...

Cryptography Demystified

Works through 35 cryptography modules supported by exercises and answers

This first part comprises thirteen modules. These modules will familiarize you with some of the important terms and concepts of cryptography in general and symmetric or one-key cryptography in specific. Symmetric cryptography is the
...