designing secure software book cover

5 cent review

Mr. Kohnfelder writes clearly and enjoyably about a key topic, maybe THE key topic, for those of us developing and securing applications. Can we design secure software and write secure code?? Yikes.

The “Patterns” chapter and both chapters in “Part II: Designs” stand out for me. Also Appendix A, which has a sample design document we are invited to work through and SDR 1.

What a shame this book is not more popular!

I almost skipped over it myself because it came to me in a “pile” (as part of a Humble Bundle 2), which I purchased primarily to read something else. I happened to peek at the foreword (written by Adam Shostack, and offering a compelling endorsement of its contents) and preface and got serendipitously snagged into reading the whole thing.

Definitely underrated right now, though I expect this will change over time. If you are a developer and want to learn about secure coding, read this book!

– JW

Bonus trivia

A fun tidbit I learned was that Mr. Kohnfelder co-developed the STRIDE threat taxonomy. Yes, that STRIDE.

The original paper, published internally at Microsoft in 1999, is publicly available now, which is a gift for those of us who appreciate history and study its artifacts.

Footnotes

  1. SDR stands for Security Design Review. See https://designingsecuresoftware.com/text/ch7-sdr/

  2. https://www.humblebundle.com/bundles. Can be an economical way to build a digital library, but I have observed that most bundles only have 1-2 books worth reading. I should say that I am sometimes surprised at which those turn out to be. If you are new and want to try: Stick to high-quality publishers