Sponsored links


Valid XHTML 1.0!
Valid CSS!
Product: Book - Paperback
Title: Data Modeler's Workbench: Tools and Techniques for Analysis and Design
Publisher: Wiley
Authors: Steve Hoberman
Rating: 5/5
Customer opinion - 5 stars out of 5
Very Practical


I've read books before on the theory of database design, but this is the first book I've read that focuses on reality. These are practical techniques that are explained with the help of actual examples and at times with humor, making it a very good read. One topic in particular, the Abstraction Safety Guide, I can apply almost immediately to a design I am currently working on.



Product: Book - Paperback
Title: Code Complete, Second Edition
Publisher: Microsoft Press
Authors: Steve McConnell
Rating: 5/5
Customer opinion - 5 stars out of 5
An essential volume for your bookshelf


The original Code Complete has long been regarded by many serious software developers as a "must have" compilation of software construction best practices. CC2 has similar breadth and depth and has been thoroughly updated to include discussion of emerging methodologies as extreme programming and best practices such as refactoring.
Steve McConnell provides a balanced, thoughtful discussion of competing opinions along with a wealth of references to additional materials covering specific topics in more detail. At the same time, McConnell has a clear voice articulating his judgment on various controversial topics.
Overall, CC2 is an essential book to include in your library whether you're just starting out in your career or an old grey hair responsible for mentoring teams. In both cases, CC2 puts a mountain of software construction best practices at your fingertips.



Product: Book - Paperback
Title: MySQL (3rd Edition) (Developer's Library)
Publisher: Sams
Authors: Paul DuBois
Rating: 5/5
Customer opinion - 5 stars out of 5
Outstanding organization and lucid prose


I had little experience with database creation and maintenance prior to my current project. In fact, I had been putting off getting involved in any database projects for fear of the learning curve. I'm midway through the project now, and DuBois' guide has been indespensible throughout.
Highlights:* chapter organization -- starts with a tutorial on basic usage of MySql, and relegates installation guidance to an appendix. Too often such texts mix usage and administation in a chaotic jumble.* comprehensive index -- I've yet to fail in finding a topic at the first entry I've searched.* appendices (MySQL operators and datatypes, SQL, C and Perl api references) -- due to the size of this volume, these handy reference sections can be hard to thumb to, unless you glue in some post-its like I did, but they're worth finding for quick, clear descriptions of total Mysql usage.* prose -- Terse (despite the volumes' 1200 pages), clear, and well-organized. * author's background -- DuBois' close involvment in the ongoing efforts of the MySql project have given him a vast knowledge of the arcane differences in versions and operating systems as well as upcoming features. The 2nd edition is very uptodate at of mid-summer 2003.
MySql, BTW, has not disappointed.



Product: Book - Paperback
Title: Exploiting Software : How to Break Code
Publisher: Addison-Wesley Professional
Authors: Greg Hoglund, Gary McGraw
Rating: 5/5
Customer opinion - 5 stars out of 5
A book that all developers must read


To be useful, software must respond to events in a predictable manner. The results can then be used as a window to the interior workings of the code, revealing some of the mechanisms of operations, which may be used to find ways to make it fail in a dangerous way. To some, the window is as clear as a six inch thick pane of lead, but to those with a high level of understanding it can be clear, or at the very least serve as a keyhole. This is an allusion to the old detective stories where someone looks through the keyhole to see what is behind the door. For these reasons, no software that interacts with humans can ever be considered completely secure, and human error in the development of the software can leave the equivalent of keyholes throughout the code. This book is an explanation of many of the most frequently used attack strategies used by malicious entities to find security flaws in code and exploit them. Chapter two is a list of the most common patterns used in attacking code, and all types of programs, from applications to compilers to network software are examined. In chapter three, the fundamental steps of reverse engineering source code starting with the executable are described in detail. I have had students who work in industry who have argued vehemently that it is not possible to obtain source code from executable. I knew it was possible, but until I read this chapter, I had no idea it was so easy. If you are releasing your programs as executables created directly from the source code, the examples here will very quickly make you reconsider. Without a doubt, you will be convinced that you should perform some form of obfuscation of the source before compiling or perform some type of encryption. Chapters four and five are how to exploit server and client software respectively. From the perspective of the server, every input should be considered suspect, and you cannot assume that any scripting code embedded in the file was run at the client. In many cases, assumptions like this can create problems. People embed hidden fields or Javascript in HTML files and assume that the inputs are then clean, forgetting that all such code is visible to a potential attacker. This is actually worse than nothing, because an attacker can look at the features and get a good idea about what it is you are afraid of receiving. Each chapter has a list of specific strategies that are used in attacks. In chapter six, you get a very brutal lesson in the wisdom of filtering input and never forgetting that characters come in more than one form. Characters such as the slash and backslash are used in representing directory structures. Some code will filter them out, but fail to catch instances where they are sent in their numeric ASCII or Unicode form. One of the classic attempts to beat the filtering is to try the sequence "\/", in the hopes that the first will be considered an escape character, so that the slash can be embedded in a string. If that happens, then the slash could be used in a pathname. Many other possibilities exist to send code that is clearly malicious, but only if it is interpreted the proper way. Chapter six is a complete tour of the most common security weakness found in software, the buffer overflow. It is the simplest problem to understand and one of the most difficult to remove. Every C programmer has had to find and repair a bug due to an off-by-one error, or some other overflow. And yet, despite all this experience, buffer overflows still are prevalent in commercial code. Most of the obvious ones have been removed, so only the very subtle ones remain. Some of these are very hard and very, very subtle. I was amazed in reading the section on format string vulnerabilities. While this bug has largely been repaired, the fact that something as apparently trivial as a format field specifier can be a security problem was a real eye opener. The last chapter was an explanation of rootkits, the software that controls every aspect of the machine. It was also without question the scariest of all the chapters, because in this case, the malicious code could reside in the BIOS, and be largely immune to virus scanning tools. For the first time, we are talking about hardware viruses that can be spread from machine to machine. Some of the attacks are also very simple. Since flash memory can only be rewritten a certain number of times, a virus that simply rewrites it many times can render it worthless. It has been some time since I have written commercial code, most of what I have written recently has been for training purposes. After reading this book, I have begun a crash program of writing code that demonstrates security flaws and have used it in my courses. If I ever go back to managing a coding team, no one will write a line of code before we cover this book in the finest possible detail. Without question it will be on my list of the best books of the year 2004.
Published in the online Journal of Object Technology, reprinted with permission.