If you are a regular reader of this blog you should know I am working on a book for O’Reilly called Practical Software Security. It’s in the early stages and evolving as we start to get into the details. You can sign up to get notifications of progress here.
There are five main sections:
- Introduction
- Security Concepts
- Languages & Frameworks (was called Tools & Technologies)
- Building a Software Security Program
- Engineering Scenarios
In the Security Concepts section we will introduce developers to things like cryptography, authentication, authorization and then in the Languages & Frameworks sections we will cover the security features available and how to use them properly for the popular development technologies. In the engineering scenarios well get to code level guidance of how to pull it all together to solve real world problems that all developers face like securing a REST API or creating a federated authentication system.
I am delighted that we have been able to recruit a fantastic list of subject matter experts to write and review the Languages & Frameworks section of the book. I will be writing the Security Concepts section (and the Ruby on Rails section) and the following folks will be writing or reviewing:
- HTML5 (and friends) – Mark Curphey
- Java – Pravir Chandra
- .NET – David Rook (Security Ninja + Microsoft MVP for Developer Security)
- JavaScript (Client + Node) – Gareth Heyes (The Spanner) with Rey Bango as a core reviewer (JQuery Core Team Member)
- Ruby on Rails – Mark Curphey with Heiko Webers (wrote the official Rails security guide) as a core reviewer
- PHP – Mike DeLibero with Chris Shiflett (wrote the O’Reilly PHP Security book) as a core reviewer
- iOS & Android – Dan Cornell
- Identity – Gunnar Peterson
Note: we will be doing C / C++ as there is still so much being produced but haven’t yet locked on that author and we will be figuring out how to deal with things like Spring or Cake (and where to draw the line).
In the Building a Software Security Program section we organize the section into People, Process & Tools. Justin Collins (author of Brakeman Scanner) is going to write the static code analysis section in Tools and Tasos Laskos (author of Arachni) will write about how dynamic web application scanners work. Many other tools will of course be covered! I will be writing extensively about integrating Agile practices and using TDD / BDD techniques and tools. I probably won’t start on this section until March / April. I am hoping we will have the Security Concepts section and the Languages & Frameworks section complete by the end of February so we can open up a site for a much broader set of reviewers (invite only but register to get on the invite request list here) around March.
OK, now to set up the git repo for the contributing authors, create a README.md for them and kick off the discussion about we want to structure things. Gentlemen start your engines!
Edits : 1/25 – Added HTML5 (and friends), 1/25 – Added Gunnar Peterson to Identity
Mark Curphey 
Best of luck but there are better experts out there in the .net and java space.
Dinis cruz for .net???
Where is your section on HTML, client side security??
Thanks. Dinis is a good friend and very talented but not a great fit for this. If it was a security book for security people interested in breaking .NET then he would be number 1. David is a MSFT MVP for Developer Security and will write from the perspective of a developer. Thats important to get get adoption of developers.
I regard Dinis as a friend but David is a MSFT MVP and so will have more respect from most developers. If the book was about breaking stuff then Dinis would be a great fit but it’s about building secure software. Pravir is a top resource for Java.
HTML5 will be covered in the technologies section.
Cheers!
Hi Jz – I can only say that you should judge me by my results. Wait until you read the book 🙂
Shame its not done yet, I need some update reference material for my Software Security course.
Next year!