The First Expert Guide to Static Analysis for Security Software! Creating secure code requires more than just good intentions. Coverage includes: Why conventional bug-catching often misses security issues How static analysis can help programmers get a mortgage The critical attributes and algorithms that make or break the static analysis tool 36 techniques to perform static analysis more effective on your code More than 70 types of serious security vulnerabilities, with specific solutions Example vulnerabilities from Firefox, OpenSSH, MySpace, eTrade, Apache httpd, and many more Reliable technique for handling input Eliminating buffer overflows: tactical and strategic approaches Avoiding errors specific to Web applications, Web services, and Ajax Security-aware logging, debugging, and error / exception handling Creating, maintaining, and sharing secrets and confidential information Detailed tutorials that walk you through the process of static analysis designed? We Java so it can be analyzed statically. This book shows you how to apply advanced techniques of static analysis to create a safer, more reliable software.? Joy? Bill, Co-founder of Sun Microsystems, co-inventor of the Java programming language "Secure Programming with Static Analysis is? Primary major in static analysis for security-minded developers and security practitioners. A well written, easy to read, tells you what you need to know.? ? David Wagner, Associate Professor, University of California Berkeley developers? Software is the first and best line of defense for the security of their code. Computer Engineering from the University of California Santa Cruz, where he studied the application of static analysis to find security-related code defects. JACOB WEST manage fortify software? S Security Research Group, which is responsible for building security knowledge in fortified products?. He brings expertise in various programming languages, frameworks, and styles together with a deep knowledge of how real-world systems fail. CD contains a working demonstration version fortify s Software Source Code Analysis (SCA) product;? Extensive Java and C code examples, and tutorial chapters from the book in PDF format. Part I: Security and Static Analysis 1 A Software Security Problem 3 2 Introduction to Static Analysis 21 3 Static Analysis as Part 47 of the Code Review Process 4 Internal Static Analysis 71 Part II: Problems pervasive 115 5 Handling Input 117 6 Buffer Overflow 175 7 Bride of Buffer Overflow 235 8 Errors and Exceptions 265 Part III: Features and Flavors 295 9 Web Applications 297 10 XML and Web Services 349 11 Privacy and Secrets 379 12 Privileged Programs 421 Part IV: Static Analysis of Practice 457 13 Source Code Analysis Exercises for Java 459 14 Source Code Analysis Exercises for C 503 Epilogue 541 Reference 545 Index 559