Media praise for Secure Coding: Principles and Practices

"There are some books that I believe should be mandatory reading for any person studying computer science, information technology auditing, or some other related fields, and that should also be on the must-read lists of any technology professional. I do not often come across a book like this. Secure Coding: Principles and Practices by Mark G. Graff and Kenneth R. van Wyk, however, meets my 'must-read' criteria and then some."
-Christopher Byrne, The Business Controls Caddy, July 2005

"'Secure Coding: Principles and Practices' is a good supplement for any software engineer. By addressing software security within the development cycle, many security vulnerabilities can be hedged from the beginning and prepared for when they are found in the future...'Secure Coding' makes a prime guide to incorporating security assessment and development with current and future software projects."
--Cedar Valley Linux Users Group, April 2004

"Whatever area of software development you are involved in, if you are at all concerned with the security of the finished product (and if not, you almost certainly should be!), then you will find 'Secure Coding' to be an essential read."
--Jon Allen, Birmingham Perl Mongers, March 2004

"Above and beyond technical aspects of software development, the authors describe how serious security vulnerabilities leak into the software-development process. These include ignorance, psychological issues, and the short time spans allotted to the development process. This book is a sure bet to help developers and project managers create secure software applications without bogging down in specific code."
--Ben Rothke, January 2004

"Learning how to program alone is a daunting task. Becoming a programmer who can code securely may seem impossible also. A lot of difficult topics and/or concepts can be distilled into some simple words though. This book's strength is that it does just that through mistakes the authors themselves have made, and offers expert guidance based on their many years of experience. It is impossible to show every facet of secure coding; however, the authors offer a template to follow which will aid one in doing so. It is a timely read in light of the never-ending stream of vulnerabilities out there today. I wish to reiterate though that this book is aimed at the seasoned programmer; however, I believe it would serve as an excellent guide as well to the novice coder. This book gets an SFDC 9/10 from me."
--Security Forums Dot Com, December 2003

"This slim book gives the programming world a much-needed heads up on why secure coding practices are needed…and need to be followed resolutely."
--Judith Taylor, Southeast Ohio Macromedia User Group, December 2003

"Written by two eminent software security experts, Mark G. Graff and Kenneth R. van Wyk, "Secure Coding" basically tries to answer the question - 'Why do good people write bad software?', and how can this be corrected... Although it may seem at first as a highly technical book, "Secure Coding" is definitely not one, as it's meant for a much larger readership. This book aims to clarify the issue of secure coding to a broad audience ranging from academics, software developers, down to executives, project managers, other security professionals and why not, software users. And that's the main advantage of the book: because secure software is a goal that requires all parties to be adequately informed."
--Robert Buljevic, Help Net Security, October 2003

"Graff and van Wyk have compiled a masterpiece in 'Secure Coding: Principles and Practices.' The book is non-technical and relatively short. The lack of technical solutions providing specific code to fix the problems means that this book has value to everyone and not just to programmers using one specific language. This book discusses the concepts of secure coding and common mistakes from a theoretical point of view including many examples and case studies to illustrate the point. This book is a must read for anyone involved in programming."
--Tony Bradley, September 2003

"The authors of this guide have plenty of experience in trying to produce secure code, and those experiences shine through in the many real-world examples they give and the practical approaches they take in architecture, design, implementation, operations and testing...This is an excellent book to dip into for ideas to improve coding practices in your organization."
--Vince Tuesday, ComputerWorld, August 2003

"The book provides more than just how-to solutions, it provides a new or more complete vision of the security necessary in today's market...Throughout the book, the authors, both with impressive backgrounds in the computer security field, give insight from years of working with hundreds of systems. Each chapter provides advice, examples, good and bad practices, case studies, and thoughts to consider with your own application. Readers can learn from the successes and failures Graff and van Wyk have encountered over the years. I highly recommend this book to anyone involved in the development process."
--Rosemarie Graham, July 2003

"What you will find are a number of thought-provoking discussions and valuable insights into the root causes of security vulnerabilities. The authors share useful techniques, guidelines and checklists that they have used to create applications that are 'just secure enough.' They highlight both good and bad practices and present a number of case studies to help bring home important points. Managers, architects, designers, developers and even users will find something useful in this book. 9 out of 10 horseshoes."
--Junilu Lacar, July 2003

"The same root cause lies beneath an incredible array of information security vulnerabilities: insecure code. But few developers can confidently claim to be writing secure code, because few developers have ever learned how. In 'Secure Coding,' Mark G. Graff and Ken van Wyk present specific techniques for securing code throughout the entire development lifecycle: architecture, design, implementation, testing, and operations...Traditionally, most developers have focused on solving problems, ignoring the other, malicious uses to which their solutions could be put. Read 'Secure Coding,' and you’ll never think about software that way again."
--Bill Camarda, From Our Editors: The Barnes & Noble Review, July 2003

"A *wonderful* book written by people who have been around for a long time :-). Mark and Ken concisely cover the thinking needed behind secure programming, and more importantly *designing* software with security in mind. Plus it's really entertaining to read. I wish it had been available when I was writing parts of Samba. I might not have had the last two security embarrassments to my name. READ this book, keep it handy when designing software and most importantly *remember* what it teaches."
--Jeremy Allison, Co-Author, "Samba"

"Anyone with a sincere desire to develop secure systems must read this book....It is hard to do security right. All too often, efforts to develop secure systems end with systems that are inefficient and difficult to use, or result in security that is weak or nonexistent. This book will help you do it right."
--Joseph A. D'Angelo, Chief Information Officer, Counterpane Internet Security

"This book presents the steps for writing, testing, and deploying good, robust, and security-enhanced code. It is a pleasure to read, with many case studies and examples, and thorough in its coverage. It discusses many problems and common errors, and how to avoid or handle them. It will be a welcome supplement to computer security, programming, and software engineering classes, as well as a useful guide for the practitioner. Well done!"
--Matthew A. Bishop, Ph.D., Associate Professor, Computer security, cryptography, UC Davis

"This book should be read by anyone in the business of designing, implementing or evaluating secure network applications. It combines the correct balance of theory, practice and history of coding securely and will be a relevant source of information for many years to come."
--Ron Gula, CTO of Tenable Network Security and original author of the Dragon intrusion detection system

"Graff and Van Wyk have written an engaging book that will have a profound effect on the security of the Internet and the safety of the people who work and play on it. The more people who read this book, the safer we will all be."
--Dr. John Hamre, President and CEO of the Center for Strategic and International Studies and former U.S. Deputy Secretary of Defense

"This book isn't just about secure design and coding, it's also an excellent synopsis of overall good design and coding practices. ...Secure Coding is very clear in explaining that it's not just about security, it's about managing risk, it's about balancing costs and benefits. I wish I'd had this book years ago as it's taken me years to figure these things out for myself."
--Stephen E. Hansen, Information Security Officer, Google, Inc.

"This one is different! ...Clearly Ken and Mark understand these issues, have a wealth of knowledge and experience and obviously a passion to inform others about how to think about and develop good software from a security perspective....It's hard to imagine how any reader can get very far into this book without reflecting on just how much it has caused them to stop and think about how they approach not just the development of secure code but in general about security and the Internet in general."
--Ed Hart, former Deputy Director for Information Security, U.S. National Security Agency

"Graff and Van Wyk have provided a book which will teach generations the basic principles in designing and writing software code ready for the Internet and its threats. I am reminded of an old saying, 'give a man a fish and feed him for a day; teach a man to fish and feed him for a lifetime.' Basic secure coding practices are not a cut, copy, and paste exercise but a process with defined fundamentals and principles that, practiced, will result in less security vulnerable software. Professionals have been waiting years for this book; a must read."
--Mike Higgins, VP, Global Security Practice, Tekmark Global Services and former CEO, Para-Protect Services

"This book provides readers with an overview of the procedures which should have been followed in the development of all too many applications. While it should be read from end to end, I find that just jumping in to chapters is also equally enjoyable and worthwhile. The focus is primarily on network facing applications but, as the authors demonstrate, there are many other programs which form that wonderful interdependence we have come to call an Operating System; the many examples show how they too will benefit from this approach."
--Dr. Neil Long, University of Oxford Computing Services & current Chairman of FIRST

"Good programmers write good code, bad programmers write bad code, but all programmers seem to write insecure code. Kudos to Mark and Ken for their explanation of the reasons why it's so hard to write good secure code, and what to do about it!"
--Marcus J. Ranum, principal author of the DEC SEAL firewall, TIS Gauntlet firewall, and the Network Flight Recorder Intrusion Detection System

"It is no longer a luxury to engineer out buffer overflow--it is a duty and responsibility...'Secure Coding' lays down the gauntlet to the software industry. The tenets of solid code are clearly described and explained; it becomes a must-read for the entire industry, from policy makers down to the newest programmer. I plan to include it as required reading in my Information Security Management curriculum."
--Julie J.C.H. Ryan, D.Sc., Assistant Professor, Engineering Management and Systems Engineering, Lead Professor for Information Security Management at GWU SEAS

"...A delightful read filled with useful questions and checklists that achieves a wonderful balance between enjoyable illustrative stories and rubber-hits-the-road techniques for approaching the processes of security...I will definitely give copies of this book to project managers struggling to operate effectively in today's rapid development environment."
--Michael Shaff, QuickTime software developer

"What a wonderful resource, either as an academic textbook or as an instrument of professional growth! This book is full of sound advice, insightful anecdotes, and delightful bits of history and philosophy. Above all, it presents the reader with directions on how to improve software quality and keep security flaws at bay. This book is a 'must-read' for anyone whose coding might be used someday in a critical application: that is, everyone."
--Dr. Gene H. Spafford, Director CERIAS, Purdue University

"Nowadays we take it for granted that road and rail bridges stay up and are a reliable part of the transport infrastructure. This was not always the case, however, and it has only been through the development of sound engineering principles and practices and learning from the mistakes/disasters of the past that we have come to understand what is really required to develop safe structures. ...By drawing on their hard won experience the authors explore what can go wrong and what needs to be done to address the many complex issues that can give rise to insecure software and systems."
--Alan Stanley, Managing Director, Information Security Forum

"This book goes beyond the usual discussions of software implementation bugs. It teaches the reader how to escape from the mental models that make developers blind for mistakes. The book is a gold mine with its examples of real-life blunders made during each stage of the system life cycle, from requirements, design, and implementation to deployment."
--Dr. Wietse Venema, author of TCP Wrappers and Postfix

"If this book had existed when I was learning C in the early 1980s, then I might not now hold the record for 'most CERT advisories due to a single author' and so I am impressed, and thankful, and grumpy. Anyone who wants a coding job at ISC in the future should be prepared to demonstrate that they have read and understood Secure Coding. Thanks guys."
--Paul Vixie, president of Internet Software Consortium, publisher of BIND and operator of F.ROOT-SERVERS.NET.