Further Reading on Creating Secure Software

(Many of the books below are also available in the CERN Bookshop.)

Must-see Documents and Web Sites

• SANS top 25 most dangerous programming errors
  It is not only a list of programming errors, but also ways of avoiding them.
• OWASP Top Ten
  The Open Web Application Security Project list of top ten web application security flaws. In fact, the list applies to (almost) any kind of software, not only web applications.
• Top 10 Secure Coding Practices
• SANS Web Application Checklist

Books on Software Security

• Writing Secure Code
  Michael Howard, David LeBlanc (Microsoft Press 2002)
  A good book on different aspects of producing secure software, interesting also for Unix/Linux platform developers.
• Secure Coding: Principles & Practices (see also here)
  Mark G. Graff, Kenneth R. van Wyk (O'Reilly 2003)
  Excerpt: Chapter 1: No Straight Thing
• Security Engineering
  Ross Anderson (Wiley 2003)
  The whole book contents is available for free download.
• Building Secure Software
  John Viega, Gary McGraw (Addison Wesley 2001)
  This book is relatively old, but it is not obsolete, being more academic than technical.
  Publisher's information: Building Secure Software cuts to the heart of computer security to help students get security right the first time. Bugs in software are a serious problem and students must learn to take that into consideration early on in the software development lifecycle. Building Secure Software provides expert perspectives and techniques to help you ensure the security of essential software. If students learn to consider threats and vulnerabilities early in the development cycle they can build security into the system. With this book students will learn how to determine an acceptable level of risk, develop security tests, and plug security holes before software is even shipped.
  Excerpt: Chapter 1: Introduction to software security
• Practical Unix & Internet Security
  Simson Garfinkel, Gene Spafford, Alan Schwartz (3rd Edition by O'Reilly 2003)
  Excerpts: Chapter 16: Secure Programming Techniques (part 1), (part 2), (part 3), (part 4)

Books on Cryptography

• Applied Cryptography: Protocols, Algorithms, and Source Code in C
  Bruce Schneier (2nd Edition by Wiley 1996)
  A famous book on cryptography: explanations of algorithms and protocols, implementation advice etc.
• Practical Cryptography
  Niels Ferguson, Bruce Schneier (Wiley 2003)
  An update on cryptography.

• Modern Cryptography: Theory and Practice
  Wenbo Mao (Prentice Hall PTR 2003)
  Fine here and independent (and enthusiastic) review of the book.

Other Books

• The Art of Deception
  Kevin D. Mitnick (Wiley 2002)
  A fascinating book on social engineering by a famous hacker
• Security Warrior
  Cyrus Peikari, Anton Chuvakin (O'Reilly 2004)
  Probably more for system administrators, this book is still interesting for software developers.

For All Users
(Experts or Not)

• Seven easy good practises
• Passwords & toothbrushes
• Starting with multi-factor authentication
• Bad mails for you:
  "Phishing", "SPAM" & fraud
• How to identify malicious e-mails and attachments
• How to secure your PC or Mac
• Working remotely
• Connecting to CERN
• Connecting using SSH
• Encrypting Windows PCs/laptops (Bitlocker), Macs (FileVault) and Linux (LUKS)
• More on Windows folders, Mozilla security

For Software Developers

• Good programming in C/C++, Java, Perl, PHP, and Python
• How to keep secrets secret
  (alternatives to passwords)
• Security checklist
• GitLab CI Security Tools
• Securing Web applications
• Static code analysis tools
• Further reading

For System Owners

• Checking for rootkits
• Securing Control Systems (CNIC)
• Securing Containers & Pods
• Security baselines
• The CERN Linux vulnerability FAQ