The First Expert Guide to Static Analysis for Software Security!

Creating secure code requires more than just good intentions. Programmers need to know that their code will be safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine-toothed comb and uncover the kinds of errors that lead directly to security vulnerabilities. Now, there’s a complete guide to static analysis: how it works, how to integrate it into the software development processes, and how to make the most of it during security code review. Static analysis experts Brian Chess and Jacob West look at the most common types of security defects that occur today. They illustrate main points using Java and C code examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar mistakes. This book is for everyone concerned with building more secure software: developers, security engineers, analysts, and testers.

Part I: Software Security and Static Analysis 1

1          The Software Security Problem          3

2          Introduction to Static Analysis 21

3          Static Analysis as Part of the Code Review Process    47

4          Static Analysis Internals          71

Part II: Pervasive Problems         115

5          Handling Input 117

6          Buffer Overflow           175

7          Bride of Buffer Overflow         235

8          Errors and Exceptions  265

Part III: Features and Flavors      295

9          Web Applications        297

10         XML and Web Services           349

11         Privacy and Secrets     379

12         Privileged Programs    421

Part IV: Static Analysis in Practice        457

13         Source Code Analysis Exercises for Java        459

14         Source Code Analysis Exercises for C 503

Epilogue          541

References      545

Index   559