Computing Reviews
Software security : building security in
McGraw G., Addison-Wesley Professional, Boston, MA, 2006. 448 pp. Type: Book (9780321356703)
Date Reviewed: Jun 1 2006

Over the years, I have read several books covering software security from a system or programming language perspective. While most of them were outstanding and provided excellent overviews of the security features to be considered when programming in specific programming languages, I was hoping to eventually see a holistic approach to software security. This is the third work of a truly outstanding trilogy [1,2], and is just the kind of book I had in mind. It is one of the best introductions I have seen to the security of software.

Although the book’s content is spread over 400 pages, one phrase summarizes it well: “Software security is not security software.” One of the major errors we make in development is addressing software security by adding additional features; this process is cost efficient in the short term, but raises major issues in the long run. In his book, McGraw shows that security is not a feature that can be added to extend the functionality of software, but an essential building block and key architectural design characteristic of reliable software.

Although the book is written at a high level of abstraction, going beyond simple code vulnerabilities and examples, the multiple sidebars with anecdotes and real stories related to the content of the book provide suggestive illustrations and make the book easy to read. The book begins by defining the discipline, and then introduces the notion of risk management. These topics comprise the first part of the book, which also covers issues like risk mitigation, risk measures, operations, and the major stages of how to apply risk management in practice. The book’s second part covers touch points for software security, and includes chapters on code review, architectural risk analysis, penetration testing, abuse cases, security requirements, security operations, and external analysis.

At first, the content of the book might seem dry and targeted to less technically oriented readers, like project managers or high-level software architects. For those readers who are more interested in technical and programming issues, my favorite chapter is the fourth, addressing automated code review with the Fortify security tool. The author is one of the developers of this tool, and a CD comes with the book that contains a sample scenario to be worked out by the reader. The final part of the book deals with enterprise-level security development cycles, and shows the importance of knowledge-based management schemes for such purposes.

There is a final jewel hidden at the end of the book: an annotated bibliography covering most of the essential readings from academia and industry. In fact, the contents of the book are intrinsically tied to both of these areas, and McGraw manages to provide a common view on software security from both perspectives. I highly recommend this book to all readers wishing to build security into their software.

Reviewer: Radu State
Review #: CR132856 (0704-0321)

1) Hoglund, G.; McGraw, G. Exploiting software: how to break code. Addison-Wesley Professional, Boston, MA, 2004.
2) Viega, J.; McGraw, G. Building secure software: how to avoid security problems the right way. Addison-Wesley Professional, Boston, MA, 2001.
Classification: Protection Mechanisms (D.2.0); Code Inspections and Walk-Throughs (D.2.5); Security and Protection (K.6.5); Testing and Debugging (D.2.5)