Secure Coding: Principles & Practices
By Mark G. Graff, Kenneth R. van Wyk
200 pages

Despite their myriad manifestations and different targets, nearly all attacks on computer systems have one fundamental cause: the code used to run far too many systems today is not secure. Flaws in its design, implementation, testing, and operations allow attackers all-too-easy access. Secure Coding: Principles & Practices looks at the problem of bad code in a new way. Packed with advice based on the authors' decades of experience in the computer security field, this concise and highly readable book explains why so much code today is filled with vulnerabilities, and tells readers what they must do to avoid writing code that can be exploited by attackers.

Objectives of This Book
Structure of This Book
What This Book Does Not Cover
Conventions Used in This Book
About the Examples
Comments and Questions

Chapter 1. No Straight Thing
Section 1.1. The Vulnerability Cycle
Section 1.2. What Is an Attack?
Section 1.3. Why Good People Write Bad Code
Section 1.4. A Call to Arms
Section 1.5. Summary

Chapter 2. Architecture
Section 2.1. What Is Security Architecture?
Section 2.2. Principles of Security Architecture
Section 2.3. Case Study: The Java Sandbox
Section 2.4. Summary

Chapter 3. Design
Section 3.1. Why Does Good Design Matter?
Section 3.2. Secure Design Steps
Section 3.3. Special Design Issues
Section 3.4. Bad Practices
Section 3.5. Case Studies
Section 3.6. Summary

Chapter 4. Implementation
Section 4.1. Good Practices
Section 4.2. Bad Practices
Section 4.3. Case Studies
Section 4.4. Summary

Chapter 5. Operations
Section 5.1. Security Is Everybody's Problem
Section 5.2. Good Practices
Section 5.3. Bad Practices
Section 5.4. Case Studies
Section 5.5. Summary

Chapter 6. Automation and Testing
Section 6.1. Why Test?
Section 6.2. Good General Practices
Section 6.3. Good Practices Through the Lifecycle
Section 6.4. Risk Assessment Methodologies
Section 6.5. Case Studies
Section 6.6. Summary

Appendix A. Resources
Section A.1. Books
Section A.2. Papers and Articles
Section A.3. Web Sites and Online Resources
Section A.4. A Final Note on Resources

The legendary Lena151 series

I thought I would make this post and point out a few very basic resources which are freely available and which may make starting out in the wide world of Reverse Engineering a little easier. The main problem with reversing is that it is a huge and potentially exceptionally complicated subject. The primary choice is which platform you will place the emphasis upon. As I chose Win32 at the outset, my experience of Linux reversing is necessarily limited, and for the purposes of this post I refer solely to the Windows environment.

Whilst it is repeated time and again, there really is only one sensible place to start in the world of reversing and that is the Lena151 tutorials. Here we have a sequential set of tutorials, written by the same author with increasingly complex topics covered. They are video tutorials and there are 40 in total covering everything from the very basics on up to exceptionally advanced topics. In all my days in the underground scene (20+ years now), this is the most comprehensive set of tutorials I have seen on any subject. Anyone persevering with these from beginning to end will be a moderately accomplished reverse engineer by the end of it.

There are also a number of other beginners' tutorials, both written and video. You should try any/all of these. In addition to the Lena tutorials, which formed the basis of my RE education, I tried to read as many other documents on the same subjects as I could find. The idea being that whilst Lena tends to explain things well, she does occasionally skip things or presume that we, the audience, have a more advanced knowledge than might be the actual case. So read, read, read and more read ... and unfortunately what I have discovered is that the more I read, the more I realize I need to read. If you want a never-ending, always-expanding topic to get into, this is it!

In terms of places of interest on the net, obviously there are a number, but ...

Firstly, absolutely THE site for all things RE: hxxp:// Tuts4You, run by Teddy Rogers (NZ) and the home site of the group Seek N Destroy. This site is, to put it bluntly, absolutely superb. Quite simply, this is the richest and most comprehensive site you are likely to find on any subject; fortunately it just happens to be aimed at Reverse Engineering! Containing tutorials and papers in addition to software, addons, plugins ... you name it, Tuts4You has it ... in abundance! If you are looking for OllyDbg or one of the many variants, they will be here. Similarly, every plugin for Olly known to man, and probably several that have slipped through time-rifts from the future, are collated here. In short, if it is Olly related, chances are it's here. Similarly Immunity and Syser have sections, together with the behemoth of the reversing world, IDA.

Another site which purports to be the (un)official OllyDbg support site is hxxp:// This site once again has an extensive forum and wide array of software including a possibly more diverse set of tools, sorted by application type. Certainly this is worth a look and provides a welcome backup to Tuts4You.

OpenRCE is an interesting site dedicated to the world of software and the reverse engineering thereof. This site focuses primarily on talk and blogs, all pertaining to RE. There are some seriously highbrow threads to be found, in addition to a number of fascinating forums and blogs. Be warned though, it is often far from easy reading.

Anyway, this covers some of the very basics of what is admittedly an absolutely massive topic (and that's without even touching upon the *nix side of things).

If you have questions regarding this post or the topic in general, please feel free to contact me either through the forum or on IRC and I'll be more than happy to assist if I can. Just remember, whilst I'm pleased to help, this does not extend to doing your job for you or running simple Google queries which you could do yourself.

The legendary Lena151 series
All RARed into one archive: the 40-part tutorial series by Lena151 of the Seek n Destroy cracking team. She does an amazingly good job of explaining. Good for people new to reverse engineering.