Software Security

From SDQ-Wiki

Ongoing projects

  • To Be Announced

Associations of interest

  • C. Pilder, Meta-Models for Static Analysis of OO-Component Code. DA.

Available books

Our books

  • Gary McGraw. Software Security - Building Security In. Pearson Education, London, January 2006. ISBN-13: 978-0321356703.

Personal books

  • Michael Howard and David LeBlanc. Writing Secure Code, Second Edition. Microsoft Press, Redmond, WA, 2002. ISBN-13: 978-0735617223. (pierre)
  • Greg Hoglund and Gary McGraw. Exploiting Software - How to Break Code. Addison-Wesley, Pearson Education Inc., 2004. ISBN-13: 978-0201786958. (pierre)

Info Bib

  • Markus Schumacher. Security Engineering With Patterns: Origins, Theoretical Models, and New Applications. LNCS. September 2003. ISBN-13: 978-3540407317.

  • Ken Thompson. Reflections on trusting trust. Communications of the ACM, 27(8):761–763, August 1984 (Turing Award Lecture).
  • Gary McGraw. Software security. IEEE Security & Privacy Magazine, 2(2):80–83, March-April 2004.
  • Algirdas Avizienis, Jean-Claude Laprie, Brian Randell, and Carl Landwehr. Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing, 01(1):11–33, 2004.
  • Jerome H. Saltzer and Michael D. Schroeder. The protection of information in computer systems. In Fourth ACM Symposium on Operating System Principles, October 1973.
  • Katrina Tsipenyuk, Brian Chess, and Gary McGraw. Seven pernicious kingdoms: A taxonomy of software security errors. IEEE Security & Privacy, 3(6):81–84, November/December 2005.
  • Paul E. Black. Software assurance metrics and tool evaluation. In International Conference on Software Engineering Research and Practice (SERP’05), June 2005.
  • Frederick P. Brooks. No silver bullet: Essence and accidents of software engineering. Computer, 20(4):10–19, April 1987.
  • Glenn Brunette. Toward systemically secure IT architectures. Sun BluePrints OnLine, February 2006. Sun Microsystems, Inc.
  • Steven M. Christey. Open letter on the interpretation of "vulnerability statistics". Bugtraq, Full-Disclosure Mailing list, January 2006.
  • Karen M. Goertzel, Theodore Winograd, Holly L. McKinley, Lyndon Oh, Michael Colon, Thomas McGibbon, Elaine Fedchak, and Robert Vienneau. Software Security Assurance: a State-of-the-Art Report (SOAR). Information Assurance Technology Analysis Center (IATAC) and Data and Analysis Center for Software (DACS), July 2007.
  • Michael Howard. A process for performing security code reviews. IEEE Security and Privacy, 4(4):74–79, July 2006.
  • David Hovemeyer and William Pugh. Finding bugs is easy. In ACM SIGPLAN Notices, volume 39, pages 92–106, 2004. COLUMN: OOPSLA onward.
  • Steve Lipner and Michael Howard. The trustworthy computing security development lifecycle. Microsoft Corporation Whitepaper, March 2005. Security Engineering and Communications, Security Business and Technology Unit, Microsoft Corporation.
  • Ulf Lindqvist and Erland Jonsson. How to systematically classify computer security intrusions. In IEEE Symposium on Security and Privacy, pages 154–163, May 1997.
  • OWASP Foundation. Owasp testing guide - V 2, 2007. Creative Commons Attribution-ShareAlike 2.5 License.
  • OWASP Foundation. Owasp code review guide - RC 2, 2008. Creative Commons Attribution-ShareAlike 2.5 License.
  • Software Assurance Forum for Excellence in Code (SAFECode). Software assurance: An overview of current industry best practices. SAFECode Whitepaper, February 2008.
  • John Viega and Gary McGraw. Building Secure Software - How to Avoid Security Problems the Right Way. Number 528 in Professional Computing Series. Addison-Wesley Professional, 2001. ISBN-13: 978-0201721522.
  • Ivan Victor Krsul. Software Vulnerability Analysis. PhD thesis, Purdue University, May 1998.
  • Joshua Bloch and Neal Gafter. Java Puzzlers - Traps, Pitfalls and Corner Cases. Pearson Education, June 2005. ISBN-13: 978-0321336781.
  • Li Gong, Gary Ellison, and Mary Dageforde. Inside Java 2 Platform Security - Architecture, API Design, and Implementation, Second Edition. Addison-Wesley, 2003. ISBN-13: 978-0201787917.
  • Fred Long. Software vulnerabilities in Java. Technical Report CMU/SEI-2005-TN-044, Carnegie Mellon University, October 2005.
  • Sun Microsystems Inc. Secure coding guidelines for the Java programming language, version 2.0. Sun Whitepaper, 2007.
  • Pierre Parrend and Stephane Frenot. Classification of component vulnerabilities in Java service oriented programming (SOP) platforms. In Conference on Component-based Software Engineering (CBSE’2008), volume 5282/2008 of LNCS, Karlsruhe, Germany, October 2008. Springer Berlin / Heidelberg.