Designing Secure Software: A Guide for Developers

Terrific book – for both novices and experts!
Designing Secure Software is an engaging, highly readable book with a very clear message: Software Security matters, and we can – and should – pay attention to it at every stage of the development process. Building on decades of experience in the field, Loren Kohnfelder offers a user-friendly guide for developers and reviewers alike, providing a tremendous resource for all.

Thorough, conceptual, and practical overview
Software security is an important yet neglected issue. Most developers will immediately recognize its importance because, with the Internet, so much of the computing infrastructure (the “surface”) is vulnerable to attack. Yet it’s simultaneously neglected because it relies on mastering the unknown – an unsurmountable topic. Reviewing security issues in one’s own code is often a painful process, much like reading an editor’s notes on one’s own writing. Into this ongoing conversation, Kohnfelder, a developer with around 50 years of experience in computing and (an impressive) 20 focused on cybersecurity, interjects an update that comprehensively covers concepts important for the present and the future.This book indeed mostly addresses ideas and contains few code examples. This correlates with its main contention – that security issues need to be first addressed in the design process. The Internet was designed as an open system for exchange, and security was more of an afterthought. In today’s world, where even computers in our pockets are open to a potentially dangerous web, developers and designers of software need to think through securing software on their own.Kohnfelder divides this book into three sections: Concepts, Design, and Implementation. He deftly moves from the big picture into pragmatics and back again. He discusses the high points of cybersecurity history and their implications for today’s coding efforts. In the conclusion, he even points to important current trends that might have impact in the near future. Only very rarely does he use (C and Python) code to illustrate his points; instead, he relies upon the English language to communicate his concepts.I particularly appreciated the section on encryption. He addresses cryptography in an accessible way. In contrast to many works in the field that focus on mathematics or technical detail, he presents the big picture with keywords that can be researched more in-depth. While completing his PhD from MIT in 1978, he focused his research on RSA cryptography, and his clarity of thought shows well when talking about this subject.Obviously, this book addresses software developers and designers, but it also has potential impact for those involved anywhere in the production of software. IT project managers in particular can benefit from this concept-heavy presentation because they need not wade into the waters of code. It provides a healthy update to the ongoing and unending conversation around cybersecurity. I hope to use some of the insights gleaned from the field of this book into my own software efforts. Upcoming developers would do well to learn from the teachings of this grand master.