Hardcover High-Assurance Design: Architecting Secure and Reliable Enterprise Applications Book

ISBN: 0321375777

ISBN13: 9780321375773

High-Assurance Design: Architecting Secure and Reliable Enterprise Applications


Book Overview

How to design for software reliability, security, and maintainability? Many enterprises unfortunately depend on software that is insecure, unreliable, and fragile. They compensate by investing heavily... This description may be from another edition of this product.

Customer Reviews

4 ratings

A mix of true insights and unactionable truisms, but still worthwhile

I read six books on software security recently, namely "Writing Secure Code, 2nd Ed" by Michael Howard and David LeBlanc; "19 Deadly Sins of Software Security" by Michael Howard, David LeBlanc, and John Viega; "Software Security" by Gary McGraw; "The Security Development Lifecycle" by Michael Howard and Steve Lipner; "High-Assurance Design" by Cliff Berg; and "Security Patterns" by Markus Schumacher, et al. Each book takes a different approach to the software security problem, although the first two focus on coding bugs and flaws; the second two examine development processes; and the last two discuss practices or patterns for improved design and implementation. My favorite of the six is Gary McGraw's, thanks to his clear thinking and logical analysis. The other five are still noteworthy books. All six will contribute to the production of more security software. "High-Assurance Design" (HAD) is the sort of book one should read when sitting down to design decently complex applications. It's not a network architecture book, so you won't read about using router ACLs, firewalls, and host IPS for "defense in depth." Rather, the author is trying to teach what he calls "intrusion-aware design" (p 88). The book contains some real gems, like this principle on p 78: "A system cannot be said to be secure if the design of the actual system cannot be articulated." That is exceptionally accurate. The author explains how developers should "design for verifiability," which really applies to anyone building a complex system. I also bought the idea that reliability is the parent concept, with security as part of reliability (ch 2). For a person who doesn't develop software professionally, I found all of those concepts to be very powerful and helpful. Programmers, especially Java and object-oriented types like Cliff Berg, will probably really enjoy later chapters in HAD like ch 7. (It was too much for me.) 
In some cases, however, I questioned the utility of the principles in these later sections. For example, p 301 offers this gem: "Run securely." No kidding! This and other non-actionable (or non-demonstrated) principles resulted in my offering four stars instead of five. The author is also a big agile programming fan, especially liking Extreme Programming (XP). XP, however, seems antithetical to many of his recommendations. His attempts to square this circle didn't really convince me, although certain aspects of XP are definitely compelling. I recommend reading HAD to benefit from the wonderful insights found in the first half of the book. You'll find that they apply very well to multiple security problem sets -- not just secure software development.

Build high assurance using the same principles as for less reliable models

Software architects seeking advanced applications development guides should take a look at Clifford J. Berg's HIGH-ASSURANCE DESIGN: ARCHITECTING SECURE AND RELIABLE ENTERPRISE APPLICATIONS. Many enterprises rely on software which is insecure or fragile and which requires expensive maintenance: here software architect Clifford Berg shows designers that high-assurance applications with proven reliability can be easily built using the same design principles as the less reliable models. Chapters identify key problems in unreliable software, show how to improve it, and tell how to obtain the requirements and systems which meet the goal of reliable design.

Hits all the points dead-on

I've read this book cover to cover. If you are expecting some "tome of knowledge" that is going to impress people but collect dust, this book is not for you. This is going to be a well-worn desk reference for managers, architects, and software engineers. The book's nineteen chapters cover all the practical elements of assurance that should be expected out of commercial software. Not only has the author covered the issues of what the software has to do, but also has covered the human aspect of fielding the software and the very human aspect of system and application administrators that have to deal with the software in a changing environment. It is obvious that the author has been in each situation that the book describes. Oh yes, and to prove that, there are three case studies that show the assurance process in action. This is a must-get book if you are leading a team, work in a corporate environment, or are about to launch your public-facing application.

Excellent book! Great for any software developer/architect wanting to elevate his/her skills

With the amount of money that is spent on software development, you would think that most software developed would be secure, reliable and maintainable. However, many times this is not the case. This book covers the gamut of complex issues to consider when designing reliable applications. For example, issues include application design, security, logging, concurrency, caching, methodology, monitoring, transactional integrity, and much more. The author also adds a couple of case studies to tie the theoretical with the practical. The "lists" in Appendix C, D and E are also very helpful! I'd highly recommend this book to anyone wanting to move up to the next level in his/her software development/architecture career, that is, moving beyond the basics of coding and simple design/architecture.