Designing Secure Software: A Guide for Developers (Paperback)

Kohnfelder, Loren

  • Publisher: No Starch Press
  • Publication date: 2021-12-21
  • List price: $1,750
  • Sale price: $1,663 (95% of list)
  • Language: English
  • Pages: 312
  • Binding: Quality Paper - also called trade paper
  • ISBN: 1718501927
  • ISBN-13: 9781718501928
  • Related category: Information Security
  • Ships immediately



What every software professional should know about security.

Designing Secure Software consolidates Loren Kohnfelder's more than twenty years of experience into a concise, elegant guide to improving the security of technology products. Written for a wide range of software professionals, it emphasizes building security into software design early and involving the entire team in the process.

The book begins with a discussion of core concepts like trust, threats, mitigation, secure design patterns, and cryptography. The second part, perhaps this book's most unique and important contribution to the field, covers the process of designing and reviewing a software design with security considerations in mind. The final section details the most common coding flaws that create vulnerabilities, making copious use of code snippets written in C and Python to illustrate implementation vulnerabilities.

You'll learn how to:

- Identify important assets, the attack surface, and the trust boundaries in a system
- Evaluate the effectiveness of various threat mitigation candidates
- Work with well-known secure coding patterns and libraries
- Understand and prevent vulnerabilities like XSS and CSRF, memory flaws, and more
- Use security testing to proactively identify vulnerabilities introduced into code
- Review a software design for security flaws effectively and without judgment

Over a career spanning decades at Microsoft and Google, Kohnfelder introduced numerous software security initiatives, including co-creating the STRIDE threat modeling framework that is widely used today. This book is a modern, pragmatic consolidation of his best practices, insights, and ideas about the future of software.



Designing Secure Software consolidates Loren Kohnfelder's more than twenty years of experience into a concise and elegant guide to improving the security of technology products. Written for a wide range of software professionals, it emphasizes incorporating security early in software design and involving the entire team in the process.


- Identify the important assets, the attack surface, and the trust boundaries in a system
- Evaluate the effectiveness of various threat mitigation candidates
- Use well-known secure coding patterns and libraries
- Understand and prevent vulnerabilities such as XSS, CSRF, and memory flaws
- Use security testing to proactively identify vulnerabilities introduced into code
- Review a software design for security flaws effectively and without judgment



Loren Kohnfelder has over 20 years of experience working in the security industry for companies like Microsoft and Google. At Microsoft, he was a key contributor to the industry's first formalized proactive security process methodology, and program-managed the .NET platform security effort. He was also a key contributor to the first organized approach to security by any major software platform company. At Google he worked as a software engineer on the Security team and as a founding member of the Privacy team, performing numerous security design reviews of large-scale complex real-world commercial platforms and systems, while working on various projects as a developer. Now retired, Kohnfelder shares his unique experience in industry through this book.


Loren Kohnfelder has more than 20 years of experience in the security field, having worked at companies such as Microsoft and Google. At Microsoft, he was a key contributor to the industry's first formal proactive security process methodology and managed the .NET platform security effort. He was also a key contributor to the first organized approach to security by a major software platform company. At Google, he served as a software engineer on the Security team and was a founding member of the Privacy team, performing numerous security design reviews of large, complex real-world commercial platforms and systems while working on various projects as a developer. Now retired, Kohnfelder shares his unique industry experience through this book.