Writing Source Code by Micheal Howard | Latest Edition | PDF Free Download

What Is Writing Source Code ?

PUBLISHED BY

Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2002 by Microsoft Corporation
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or
by any means without the written permission of the publisher.
Library of Congress Cataloging-in-Publication Data
Howard, Michael, 1965
Writing Secure Code / Michael Howard, David LeBlanc.
p. cm.
ISBN 0-7356-1588-8
1. Computer security. 2. Data encryption (Computer science) I. LeBlanc, David, 1960
II. Title.
QA76.9.A25 H698 2001
005.8--dc21 2001044546
Printed and bound in the United States of America.
1 2 3 4 5 6 7 8 9 QWE 6 5 4 3 2
Distributed in Canada by Penguin Books Canada Limited.
A CIP catalogue record for this book is available from the British Library.
Microsoft Press books are available through booksellers and distributors worldwide. For further
information about international editions, contact your local Microsoft Corporation office or contact
Microsoft Press International directly at fax (425) 706-7329. Visit our Web site at
www.microsoft.com/mspress. Send comments to mspinput@microsoft.com.
Active Directory, ActiveX, Authenticode, Hotmail, Jscript, Microsoft, Microsoft Press, MS-DOS,
MSDN, Visual Basic, Visual C++, Visual Studio, Win32, Windows, and Windows NT are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places,
and events depicted herein are fictitious. No association with any real company, organization, product,
domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Acquisitions Editor: Danielle Bird
Project Editor: Devon Musgrave
Technical Editor: Julie Xiao
Dedication
To Blake, God’s little gift to Cheryl and me. To Cheryl, Blake could not ask for a more wonderful mother.

— Michael

To Jennifer, for putting up with many lost weekends when we could have been out horseback riding. —
David
In memory of all those people who needlessly perished on September 11, 2001.

Foreword

Improving security was a major focus while we were developing Windows 2000. At one point, we
decided to run an unusual experiment to test the product’s mettle before we released it. We set up a
Windows 2000 Web server called “Windows2000test.com,” put it out there, and waited to see what
happened. We made no announcement of any kind; we didn’t call any attention to it in any way
whatsoever. Within a couple of hours, hundreds of people were already trying to hack it. Within days, tens
of thousands of people were hammering away.
These days, as soon as a product gets into their hands, hackers begin an intensive effort to find and exploit
security holes. If the product developers don’t make an equally intensive effort to build security into their
code, the hackers will almost surely succeed. A product’s security is every bit as important as its features.
Don’t get me wrong—people would have no reason to buy a product without great features. But while
developers know how to build features, they often don’t know how to design and build security. This
book changes that.
Writing Secure Code offers practical insights into secure design, secure coding, and testing techniques,
many of which are not documented elsewhere. It will give you a richer understanding of what it takes to
build secure applications. Michael and David are, respectively, members of the Secure Windows
Initiative and the Trustworthy Computing Security Team at Microsoft. They have witnessed firsthand the
sometimes basic coding mistakes that undermine product security, and their projects have helped us
significantly improve how we designed and implemented security in products such as Windows 2000 and
Windows XP. Their goal in writing this book is to pass on to you, the developer community, everything
Microsoft has learned.

Brian Valentine

Senior Vice President, Windows Division
Microsoft Corporation
Acknowledgments
When you look at the cover of this book, you see the names of only two authors, but this book would be
nothing if we didn’t get help and input from numerous people. We pestered some people until they were
sick of us, but still they were only too happy to help.
First, we’d like to thank the Microsoft Press folks, including Danielle Bird for agreeing to take on this
book, Devon Musgrave for turning “Geek” into English and managing not to complain too much, and Julie
Xiao for making sure we were not lying. Much thanks also to Elizabeth Hansford for laying out pages,
Rob Nance for the part opener art, and Shawn Peck for copyediting.
Many people answered questions to help make this book as accurate as possible, including the following
from Microsoft: Saji Abraham, Eli Allen, John Biccum, Scott Culp, Thomas Deml, Monica Ene-
Pietrosanu, Sean Finnegan, Tim Fleehart, Damian Haase, David Hubbard, Mike Lai, Louis Lafreniere,
Brian LaMacchia, John Lambert, Lawrence Landauer, Paul Leach, Terry Leeper, Steve Lipner, Rui
Maximo, Daryl Pecelj, Jon Pincus, Fritz Sands, Eric Schultze, Alex Stockton, Matt Thomlinson, Hank
Voight, Chris Walker, Richard Ward, Richard Waymire, Mark Zbikowski, and Mark Zhou.
We’d especially like to thank the following ’softies: Russ Wolfe, who explained numerous Unicode and
UTF-8 issues and wouldn’t shut up until we had the issues documented adequately. Kamen Moutafov, a
genuinely nice guy, who spent numerous hours helping with the RPC section. He’s one of those developers
who answers stupid questions without making you feel dumb. Erik Olsen went to great lengths to make
sure the .NET issues were nailed down. If it weren’t for Erik, Chapter 13 would be tiny. Eric Jarvi read
most all the chapters and helped immensely by offering numerous improvements, most of which started
with, “You really should explain…”
We want to point out that Kamen, Erik, and Eric rock. They diligently reviewed material while they were
in the final stages of shipping their respective products: Windows XP, the .NET Framework, and Visual
Studio .NET. It would have been easy for them to say, “I’m busy, leave me alone,” but they didn’t. They
could see that some short-term time spent getting this book right would have long-term benefits for
themselves (as they won’t have to answer the same questions time and again), for Microsoft, and, most
important, for our shared and valued customers.
Many outside Microsoft gave their time to help us with this book. We’d like to give our greatest thanks to
Rain Forest Puppy for providing first-rate Web security comments. By the way, Mr. Puppy, no offense
taken! John Pescatore of Gartner Inc. for his insightful (and blunt) comments, which helped shape the
early chapters. Professor Jesper Johansson of Boston University, who read every word, sentence,
paragraph, and chapter of the book and had comments on every word, sentence, paragraph, and chapter of
the book! Leslee LaFountain of the NSA for showing such great interest in this book. And, finally, the
Secure Windows Initiative team.


Download Writing Source Code by Micheal Howard