Computing Reviews
Software security: building security in
McGraw G., Addison-Wesley Professional, Boston, MA, 2006. 448 pp. Type: Book (ISBN 9780321356703)
Date Reviewed: Jun 29 2006

Security has become a hot topic in both academia and industry. This interest has been encouraged by the high reliance on distributed infrastructures for sharing and accessing data and computing resources. This distribution calls for strong mechanisms to ensure access control, message privacy, and user authentication. While many contributions target security software (tools and frameworks to implement security mechanisms), software security has emerged recently as a complement to security in its broader sense. Software security can be defined as the science of discovering and correcting bugs, defects, and flaws in software applications. Buffer overflow and structured query language (SQL) injection are examples of such errors. Both aspects of security suffer from the fact that they are rarely taken into account during the design and implementation of the initial application. In this book, McGraw aims to define and detail the three pillars for achieving secure software: risk management, touchpoints, and knowledge. Organized into three parts, the content of the book is dedicated to detailing each one of the defined pillars.

Part 1, “Software Security Fundamentals,” comprises the book’s first two chapters. Chapter 1 highlights the growing need for software security, and briefly defines the three pillars for achieving secure software. Risk management is the process of identifying and mitigating potential risks in software. Touchpoints are introduced by the author as a set of software security best practices. Finally, software security knowledge is defined as a catalog of principles, guidelines, rules, vulnerabilities, exploits, attack patterns, and historical risks.

Part 2, “Seven Touchpoints for Software Security,” comprises chapters 3 through 9. This part details the seven touchpoints identified by the author: code review, architectural risk analysis, penetration testing, risk-based security testing, abuse cases, security requirements, and security operation. A chapter is devoted to each of these touchpoints, including details about how to carry it out in practice.

Part 3, “Software Security Grows Up,” comprises chapters 10 through 13. In chapter 10, the author points out that the most critical issue facing software security today is the lack of expertise, but at the same time he argues that, as the field evolves, best practices can be cataloged and documented in order to provide training support for future software security practitioners. Software security knowledge is obviously essential to developing effective software protection strategies. However, the author highlights the need to manage this knowledge in order to best support the spread of the discipline of software security (chapter 11). As in any discipline, software security must rely on a taxonomy that identifies the different bugs and flaws; a taxonomy of coding errors is presented in chapter 12. Chapter 13 provides an annotated bibliography of software security publications to guide interested readers to the right information quickly.

This book successfully presents software security as an emerging discipline. It presents a structured view of the discipline, with practical examples and investigations of available ancillary tools. The book contains rich information about the subject, covering the historical evolution of software security problems and their corresponding solutions. The author’s expertise and many years of experience in software security are quite evident when reading the book. This book is simply a great reference that also identifies the main research issues faced in the software security area.

Reviewer: Ghita Kouadri
Review #: CR132996

Classification:
- Protection Mechanisms (D.2.0)
- Code Inspections And Walk-Throughs (D.2.5)
- Security and Protection (K.6.5)
- Testing And Debugging (D.2.5)