Note: This page is part of the archive.

This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact if you have any questions about the US-CERT website archive.


Code Analysis - References

Author(s): Steven Lavenhar
Maturity Levels and Audience Indicators: / E
SDLC Life Cycles: Implementation
Copyright: Copyright © Cigital, Inc. 2005-2007. Cigital retains copyrights to this material.


Content area bibliography.

Aleph One. “Smashing the Stack for Fun and Profit.” Phrack Magazine 7, 49 (1996): File 14 of 16.

Anderson, Robert H. & Hearn, Anthony C. “An Exploration of Cyberspace Security R&D Investment Strategies for DARPA: The Day After... in Cyberspace II.” RAND Corporation. MR-797-DARPA (1996): 67.

Anderson, Ross. Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd ed. New York, NY: John Wiley & Sons, 2008.

Australian Computer Emergency Response Team (AUSCERT) & O'Reilly and Associates. A Lab Engineers Check List for Writing Secure Unix Code.

Bellovin, Steven M. Shifting the Odds--Writing (More) Secure Software. Murray Hill, NJ: AT&T Research.

Bishop, Matt & Dilger, M. “Checking for Race Conditions in File Accesses.” The USENIX Association, Computing Systems, Spring 1996: 131-152.

Bishop, Matt. Computer Security: Art and Science. Boston: Addison-Wesley, 2002 (ISBN 0-2014-4099-7).

Boehm, Barry W. “Improving Software Productivity.” Computer 20, 9 (September 1987): 43-57.

Boehm, Barry W. & Papaccio, Philip N. “Understanding and Controlling Software Costs.” IEEE Transactions on Software Engineering 14, 10 (October 1988): 1462-1477.

Boehm, Barry W. Software Engineering Economics. Englewood Cliffs, NJ: Prentice-Hall, 1981.

Burch, Hal; Long, Fred; & Seacord, Robert. Specifications for Managed Strings (CMU/SEI-2006-TR-006). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, May 2006.

CERT/CC. CERT Survivability Project Report. CERT Coordination Center, 1996.

Chess, Brian & McGraw, Gary. “Static Analysis for Security.” IEEE Security & Privacy 2, 6 (Nov.-Dec. 2004): 76-79.

Chess, Brian & West, Jacob. Secure Programming with Static Analysis. Boston: Addison-Wesley, 2007.

Clements, Paul; Bachmann, Felix; Bass, Len; Garlan, David; Ivers, James; Little, Reed; Nord, Robert; & Stafford, Judith. Documenting Software Architectures: Views and Beyond. Boston: Addison-Wesley, 2002 (ISBN 0-2017-0372-6).

Cowan, Crispin; Wagle, Perry; Pu, Calton; Beattie, Steve; & Walpole, Jonathan. “Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade,” 119-129. Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX’00). Hilton Head Island, SC, January 25-27, 2000. Los Alamitos, CA: IEEE Computing Society, 2000.

Cowan, Crispin; Beattie, Steve; Finnin Day, Ryan; Pu, Calton; Wagle, Perry; & Walthinsen, Erik. “Protecting Systems from Stack Smashing Attacks with StackGuard,” 119-129. Proceedings of the 1998 USENIX Security Conference, 1998.

Demarco, Tom & Lister, Timothy. Waltzing With Bears: Managing Risk on Software Projects. New York: Dorset House Publishing Company, 2003 (ISBN 0-9326-3360-9).

Dewhurst, Stephen; Dougherty, Chad; Ito, Yurie; Keaton, David; Saks, Dan; Seacord, Robert C.; Svoboda, David; Taschner, Chris; & Togashi, Kazuya. Evaluation of CERT Secure Coding Rules through Integration with Source Code Analysis Tools (CMU/SEI-2008-TR-014). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, June 2008.

Du, Wenliang. “Categorization of Software Errors That Led to Security Breaches.” Proceedings of the 21st National Information Systems Security Conference. Crystal City, Virginia, Oct. 6-9, 1998.

Fagan, Michael G. “Design and Code Inspections to Reduce Errors in Program Development.” IBM Systems Journal 15, 3 (1976).

Garfinkel, Simson; Spafford, Gene; & Schwartz, Alan. Practical Unix & Internet Security, 3rd ed. Sebastopol, CA: O'Reilly & Associates, Inc., 2003 (ISBN 1-56592-323-4).

Gennari, Jeff; Hedrick, Shaun; Long, Fred; Pincar, Justin; & Seacord, Robert C. Ranged Integers for the C Programming Language (CMU/SEI-2007-TN-027). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, September 2007.

Ghosh, Anup K.; O’Connor, Tom; & McGraw, Gary. “An Automated Approach for Identifying Potential Vulnerabilities in Software,” 104-114. Proceedings of the 1998 IEEE Symposium on Security and Privacy. Oakland, California, May 3-6, 1998. Los Alamitos, CA: IEEE Computer Society Press, 1998.

Gilb, Tom. Principles of Software Engineering Management. Boston: Addison-Wesley, 1988 (ISBN 0-201-19246-2).

Goldenson, Dennis R. & Gibson, Diane L. Demonstrating the Impact and Benefits of CMMI: An Update and Preliminary Results (CMU/SEI-2003-SR-009). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, October 2003.

Gong, Li. Inside Java 2 Platform Security Architecture, API Design, and Implementation. Boston: Addison-Wesley, 1999 (ISBN 0-201-31000-7).

Graff, Mark G. & Van Wyk, Kenneth R. Secure Coding: Principles and Practices. Sebastopol, CA: O’Reilly, 2003.

Hoglund, Greg & McGraw, Gary. Exploiting Software: How to Break Code. Boston: Addison-Wesley, 2004 (ISBN 0-2017-8695-8).

Howard, Michael. Designing Secure Web-Based Applications for Microsoft Windows 2000. Redmond, WA: Microsoft Press, 2000 (ISBN 0-7356-0995-0).

Howard, Michael & LeBlanc, David. Writing Secure Code, 2nd ed. Redmond, WA: Microsoft Press, 2002 (ISBN 0-7356-1722-8).

Howard, Michael & LeBlanc, David. Writing Secure Code for Windows Vista. Redmond, WA: Microsoft Press, 2007.

Howard, Michael & Lipner, Steve. The Security Development Lifecycle. Redmond, WA: Microsoft Press, 2006.

Jones, Capers. Programming Productivity. New York, NY: McGraw-Hill, 1986 (ISBN 0-070-32811-0).

Jones, Capers. Applied Software Measurement: Assuring Productivity and Quality. New York: McGraw-Hill, 1991.

Jones, Capers. Assessment and Control of Software Risks. Englewood Cliffs, NJ: Prentice Hall, 1994.

Kitson, David H. & Masters, Stephen. “An Analysis of SEI Software Process Assessment Results, 1987-1991,” 68-77. Proceedings of the Fifteenth International Conference on Software Engineering. Baltimore, Maryland, May 17-21, 1993. Washington, DC: IEEE Computer Society Press, 1993.

Kuperman, Benjamin A. & Spafford, Eugene. Generation of Application Level Audit Data via Library Interposition. CERIAS Tech Report TR-99-11, 1999.

Maguire, Steve. Writing Solid Code: Microsoft's Techniques for Developing Bug-Free C Programs. Redmond, WA: Microsoft Press, 1993 (ISBN 1-55615-551-4).

McConnell, Steve. Code Complete: A Practical Handbook of Software Construction. Redmond, WA: Microsoft Press, 1993 (ISBN 1-55615-484-4).

McGraw, Gary. “Software Security.” IEEE Security and Privacy 2, 2 (March-April 2004): 80-83.

McGraw, Gary. “From the Ground Up: The DIMACS Software Security Workshop.” IEEE Security and Privacy 1, 2 (March-April 2003): 59-66.

McGraw, Gary. “Managing Software Security Risks.” Computer 35, 4 (March 2002): 99-101.

McGraw, Gary & Potter, Bruce. “Software Security Testing.” IEEE Security and Privacy 2, 5 (September-October 2004): 81-85.

McGraw, Gary & Felten, Edward W. Securing Java: Getting Down to Business with Mobile Code, 2nd ed. New York, NY: John Wiley & Sons, 1999 (ISBN 0-471-31952-X).

Miller, Barton P. “An Empirical Study of the Reliability of UNIX Utilities.” Communications of the ACM 33, 12 (1990).

Peikari, Cyrus & Chuvakin, Anton. Security Warrior. Sebastopol, CA: O'Reilly, 2004 (ISBN 0-5960-0545-8).

Saltzer, Jerome H. & Schroeder, Michael D. “The Protection of Information in Computer Systems.” Proceedings of the IEEE 63, 9 (September 1975): 1278-1308.

Seacord, Robert C. & Householder, Allen. A Structured Approach to Classifying Security Vulnerabilities (CMU/SEI-2005-TN-003). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, January 2005.

Seacord, Robert C. Secure Coding in C and C++. Boston: Addison-Wesley, 2005.

Seacord, Robert C. The CERT C Secure Coding Standard. Boston: Addison-Wesley, 2008.

Sessions, Roger. Software Fortresses: Modeling Enterprise Architectures. Boston: Addison-Wesley, 2003 (ISBN 0-3211-6608-6).

Soo Hoo, Kevin; Sudbury, Andrew W.; & Jaquith, Andrew R. “Tangible ROI through Secure Software Engineering.” Secure Business Quarterly 1, 2 (2001).

Spafford, Eugene H. “Crisis and Aftermath.” Communications of the ACM 32, 6 (1989).

Spafford, Eugene H. “UNIX and Security: The Influences of History.” Information Systems Security. Auerbach Publications, 1995.

SPI Dynamics. “SQL Injection: Are Your Web Applications Vulnerable?” SPI Dynamics Whitepaper, 2002.

Sun Microsystems. Secure Coding Guidelines for the Java Programming Language, version 2.0 (2007).

Swanson, Marianne & Guttman, Barbara. Generally Accepted Principles and Practices for Securing Information Technology Systems. National Institute of Standards and Technology Computer Security Special Publication 800-14, 1996.

Swiderski, Frank & Snyder, Window. Threat Modeling. Redmond, WA: Microsoft Press, 2004 (ISBN 0-7356-1991-3).

Thompson, Ken. “Reflections on Trusting Trust.” Communications of the ACM 27, 8 (August 1984).

Viega, John; McGraw, Gary; Mutdosch, Tom; & Felten, Edward W. “Statically Scanning Java Code: Finding Security Vulnerabilities.” IEEE Software 17, 5 (September-October 2000): 68-77.

Viega, John & McGraw, Gary. Building Secure Software: How to Avoid Security Problems the Right Way. Boston: Addison-Wesley, 2001 (ISBN 0-2017-2152-X).

Viega, John & Messier, Matt. Secure Programming Cookbook for C and C++. Sebastopol, CA: O'Reilly, 2003 (ISBN 0-5960-0394-3).

Voas, Jeffrey & McGraw, Gary. Software Fault Injection: Inoculating Programs Against Errors. New York, NY: John Wiley & Sons, 1997 (ISBN 0-471-18381-4).

Whittaker, J. A. & Thompson, H. H. How to Break Software Security. Reading, MA: Addison-Wesley, 2003.

Yoder, Joseph & Barcalow, Jeffrey. “Architectural Patterns for Enabling Application Security.” Proceedings of the 1997 Pattern Languages of Programming Conference. Monticello, Illinois, Sept. 3-5, 1997. Washington University Technical Report (wucs-97-34) (1998).