next up previous
Next: Copyright and Copying Conditions Up: Introduction Previous: Software and Security

About this Book

Today, there are many books on Internet security focusing on administration tasks: setting up firewalls, properly configuring a web server, etc. There is also a growing number of books on emerging security technologies such as PKI. But so far, I haven't seen much hands-on information about secure programming, which is the reason why I started this book a while ago. Since then, a book about secure programming has become available (XXX: need citation here), and there is also a very good online document by David Wheeler. If I had known of his work, I might not have started this project...

This book first evolved from a tutorial Marcus Meissner and I held at the Linux Kongress 2000 in Erlangen. I kept working on the material after that, but it is far from complete. There are several chapters I would like to see in this document but haven't had the time to write. If you would like to contribute, you are welcome. Please contact me.

The aim of this book is to give Linux programmers (and non-Linuxers as well) an overview of some common and not-so-common coding mistakes that lead to security problems, and of how they can be avoided.

In my opinion, it is very important to learn how crackers actually exploit security weaknesses in real programs, because this enables us to deal flexibly with new types of vulnerabilities. Therefore, this book is not structured as a list of rules (a.k.a. The 1001 Commandments of Secure Programming); rather, I am trying to give you an idea of common vulnerabilities and of how crackers go about exploiting them, and to show you how to defend yourself against them.

This book tries to give some hands-on experience with source code auditing, and takes a look at some sample exploit programs for known security holes. We will also discuss some advanced concepts for solving the design issues that have traditionally led to the creation of "dangerous" code such as huge setuid root applications.

Olaf Kirch 2002-01-16