To secure complex enterprise and commercial software systems, developers must evaluate enormous code bases and predict their behavior in a nearly infinite number of configurations. Static source code analysis tools automate much of this checking, acting like spell-checkers to systematically identify bugs. Now, there’s a complete guide to static analysis: how it works, how to integrate it into your software development processes, and how to make the most of it in security code review.



Static analysis experts Brian Chess and Jacob West review the pervasive security flaws impacting large-scale software, as well as problems affecting specific program types and features. Then, using extensive Java and C++ code examples, they show how to use static analysis to rapidly uncover these problems. Coverage includes:



· Why conventional bug-catching often misses security problems

· 100 best practices for designing and writing secure code

· 80 serious security vulnerabilities, with specific solutions

· Handling untrustworthy input

· Eliminating buffer overflows: tactical and strategic approaches

· Avoiding flaws specific to Web applications, services, and HTTP

· Securing software that interfaces with outside systems

· Security-aware logging, debugging, and error/exception handling

· Safely writing programs with different privileges than their users

Whatever your role in building more secure software—developer, security engineer, analyst, or tester—this book will put powerful new tools at your command.



Brian Chess is Founder and Chief Scientist of Fortify Software, where his research focuses on practical methods for creating secure systems. He holds a Ph.D. in Computer Engineering from University of California at Santa Cruz, where he studied the application of static analysis to finding security-related code defects.

Jacob West, Manager of Fortify’s Security Research Group, is responsible for building security knowledge into the company’s products. He brings expertise in multiple programming languages, frameworks, and styles, and deep knowledge about how systems fail. West worked with Professor David Wagner at University of California, Berkeley to develop an advanced static analysis tool for discovering security vulnerabilities.