To a large extent, this book is about all of the little things that programmers need to get right in order to create secure code. The devil is in the remarkably long list of details that, if overlooked or misunderstood, give attackers what they need to compromise a system. We’ve looked at endemic problems such as buffer overflow in C and session management with HTTP. We’ve seen numerous cases where security hinges on seemingly unrelated trivia: ignoring error conditions, using the wrong output encoding, or giving away too much information about the system.
Fewer words have gone towards the design decisions that affect software security. Good design and good implementation need each other; one is useless without the other. But design and implementation are intertwined in another way too: An unfortunate design decision is behind every one of the implementation problems we have examined. Buffer overflow has its roots in the design of the C language, but the problem is made much worse by subsequent design decisions related to string representation and manipulation. Cross-site scripting owes its ubiquity both to Web standards that make it easy to mix active and passive content and to server-side frameworks that make output encoding an afterthought. There is a common thread to these design problems. They require programmers to make security-relevant decisions without advertising them as such, or they require programmers to make so many security-relevant decisions that a vulnerability is all but inevitable.
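The C string problem described above, as an added example that is not code from the book: the same copy is written against two designs. The first is C's native NUL-terminated string, where the destination's capacity appears neither in the data nor in the API, so the bounds decision is left, unannounced, to every caller. The second is a hypothetical string type (`bstring`, `bstring_copy` and the other names are this example's own) that carries its capacity, so the copy routine can refuse input that does not fit and the caller is forced to deal with that outcome. The buffer size and sample strings are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the book. Contrasts a string design that hides the
 * bounds decision from the programmer with one that makes it unavoidable.
 * All names below are hypothetical; DEST_CAP is a constructed buffer size. */

#define DEST_CAP 16

/* Design A: the classic C interface. Nothing in this signature says how
 * large the destination is; strcpy(dst, src) on an oversized src is
 * undefined behaviour. Rather than perform the overflow, report whether the
 * unstated contract (strlen(src) + 1 <= DEST_CAP) would be broken.
 * Returns 1 if the copy would overflow, 0 otherwise. */
int classic_copy_would_overflow(const char *src)
{
    return strlen(src) + 1 > DEST_CAP;
}

/* Design B: a string that knows its own capacity. */
typedef struct {
    char   *buf;
    size_t  cap;  /* bytes available in buf, including the terminator */
    size_t  len;  /* bytes in use, excluding the terminator */
} bstring;

/* Allocate an empty bstring with the given capacity. Returns 0 on success,
 * -1 on a zero capacity or allocation failure. */
int bstring_init(bstring *s, size_t cap)
{
    if (cap == 0)
        return -1;
    s->buf = malloc(cap);
    if (s->buf == NULL)
        return -1;
    s->buf[0] = '\0';
    s->cap = cap;
    s->len = 0;
    return 0;
}

/* Copy src into dst. Because dst carries its capacity, the bounds check is
 * part of the operation rather than a step the caller has to remember.
 * Returns 0 on success, -1 if src does not fit; on -1 dst is left unchanged,
 * so the caller cannot silently continue with a truncated or overflowed
 * value. */
int bstring_copy(bstring *dst, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dst->cap)
        return -1;
    memcpy(dst->buf, src, n + 1);
    dst->len = n;
    return 0;
}

/* Release the buffer and leave the struct in a safe empty state. */
void bstring_free(bstring *s)
{
    free(s->buf);
    s->buf = NULL;
    s->cap = 0;
    s->len = 0;
}

int main(void)
{
    const char *ok  = "short";
    const char *big = "this input is far longer than sixteen bytes";
    bstring s;

    printf("classic copy of \"%s\" would overflow: %d\n", big,
           classic_copy_would_overflow(big));

    if (bstring_init(&s, DEST_CAP) != 0)
        return 1;
    printf("bstring copy of \"%s\": %d\n", ok, bstring_copy(&s, ok));
    printf("bstring copy of oversized input: %d (buf still \"%s\")\n",
           bstring_copy(&s, big), s.buf);
    bstring_free(&s);
    return 0;
}
```

The point is not that `bstring_copy` is clever; it is that under design B the programmer who calls it has to look at the return value, whereas under design A the same programmer has to know, without being told, that a size check is needed at all.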