| Introduction | xxiii |
| PART I CONTEMPORARY SECURITY | |
| 1 The Need for Secure Systems | 3 |
| Applications on the Wild Wild Web | 5 |
| The Need for Trustworthy Computing | 7 |
| Getting Everyone's Head in the Game | 7 |
| Using Tact to Sell Security to the Organization | 8 |
| Using Subversion | 11 |
| Some Ideas for Instilling a Security Culture | 13 |
| Get the Boss to Send an E-Mail | 14 |
| Nominate a Security Evangelist | 15 |
| The Attacker's Advantage and the Defender's Dilemma | 19 |
| Principle #1: The defender must defend all points; the attacker can choose the weakest point. | 19 |
| Principle #2: The defender can defend only against known attacks; the attacker can probe for unknown vulnerabilities. | 20 |
| Principle #3: The defender must be constantly vigilant; the attacker can strike at will. | 20 |
| Principle #4: The defender must play by the rules; the attacker can play dirty. | 21 |
| Summary | 21 |
| 2 The Proactive Security Development Process | 23 |
| Process Improvements | 25 |
| The Role of Education | 26 |
| Resistance to Mandatory Training | 29 |
| Ongoing Training | 29 |
| Advancing the Science of Security | 29 |
| Education Proves the More Eyes Fallacy | 31 |
| Now the Evidence! | 31 |
| Design Phase | 32 |
| Security Questions During Interviews | 33 |
| Define the Product Security Goals | 34 |
| Security Is a Product Feature | 37 |
| Making Time for Security | 40 |
| Threat Modeling Leads to Secure Design | 41 |
| Build End-of-Life Plans for Insecure Features | 41 |
| Setting the Bug Bar | 41 |
| Security Team Review | 43 |
| Development Phase | 43 |
| Be Hardcore About Who Can Check In New Code (Check-Ins Checked) | 43 |
| Security Peer Review of New Code (Check-Ins Checked) | 44 |
| Define Secure Coding Guidelines | 44 |
| Review Old Defects | 44 |
| External Security Review | 45 |
| Security Push | 45 |
| Be Mindful of Your Bug Counts | 46 |
| Keep Track of Bug Metrics | 46 |
| No Surprises and No Easter Eggs! | 47 |
| Test Phase | 47 |
| Shipping and Maintenance Phases | 47 |
| How Do You Know When You're Done? | 47 |
| Response Process | 48 |
| Accountability | 49 |
| Summary | 49 |
| 3 Security Principles to Live By | 51 |
| SD3: Secure by Design, by Default, and in Deployment | 51 |
| Secure by Design | 51 |
| Secure by Default | 53 |
| Secure in Deployment | 53 |
| Security Principles | 54 |
| Learn from Mistakes | 54 |
| Minimize Your Attack Surface | 57 |
| Employ Secure Defaults | 57 |
| Use Defense in Depth | 59 |
| Use Least Privilege | 60 |
| Backward Compatibility Will Always Give You Grief | 62 |
| Assume External Systems Are Insecure | 63 |
| Plan on Failure | 64 |
| Fail to a Secure Mode | 64 |
| Remember That Security Features != Secure Features | 66 |
| Never Depend on Security Through Obscurity Alone | 66 |
| Don't Mix Code and Data | 67 |
| Fix Security Issues Correctly | 67 |
| Summary | 68 |
| 4 Threat Modeling | 69 |
| Secure Design Through Threat Modeling | 70 |
| Assemble the Threat-Modeling Team | 72 |
| Decompose the Application | 73 |
| Determine the Threats to the System | 83 |
| Rank the Threats by Decreasing Risk | 93 |
| Choose How to Respond to the Threats | 106 |
| Choose Techniques to Mitigate the Threats | 107 |
| Security Techniques | 108 |
| Authentication | 109 |
| Authorization | 114 |
| Tamper-Resistant and Privacy-Enhanced Technologies | 115 |
| Protect Secrets, or Better Yet, Don't Store Secrets | 116 |
| Encryption, Hashes, MACs, and Digital Signatures | 116 |
| Auditing | 117 |
| Filtering, Throttling, and Quality of Service | 118 |
| Least Privilege | 118 |
| Mitigating the Sample Payroll Application Threats | 118 |
| A Cornucopia of Threats and Solutions | 120 |
| Summary | 124 |
| PART II SECURE CODING TECHNIQUES | |
| 5 Public Enemy #1: The Buffer Overrun | 127 |
| Stack Overruns | 129 |
| Heap Overruns | 138 |
| Array Indexing Errors | 144 |
| Format String Bugs | 147 |
| Unicode and ANSI Buffer Size Mismatches | 153 |
| A Real Unicode Bug Example | 154 |
| Preventing Buffer Overruns | 155 |
| Safe String Handling | 156 |
| A Word of Caution About String-Handling Functions | 166 |
| The Visual C++ .NET /GS Option | 167 |
| Summary | 170 |
| 6 Determining Appropriate Access Control | 171 |
| Why ACLs Are Important | 171 |
| A Diversion: Fixing the Registry Code | 173 |
| What Makes Up an ACL? | 175 |
| A Method of Choosing Good ACLs | 178 |
| Effective Deny ACEs | 180 |
| Creating ACLs | 181 |
| Creating ACLs in Windows NT 4 | 181 |
| Creating ACLs in Windows 2000 | 185 |
| Creating ACLs with Active Template Library | 189 |
| Getting the ACE Order Right | 191 |
| Be Wary of the Terminal Server and Remote Desktop SIDs | 193 |
| NULL DACLs and Other Dangerous ACE Types | 195 |
| NULL DACLs and Auditing | 197 |
| Dangerous ACE Types | 197 |
| What If I Can't Change the NULL DACL? | 198 |
| Other Access Control Mechanisms | 199 |
| .NET Framework Roles | 199 |
| COM+ Roles | 201 |
| IP Restrictions | 202 |
| SQL Server Triggers and Permissions | 203 |
| A Medical Example | 203 |
| An Important Note About Access Control Mechanisms | 205 |
| Summary | 206 |
| 7 Running with Least Privilege | 207 |
| Least Privilege in the Real World | 208 |
| Viruses and Trojans | 209 |
| Web Server Defacements | 210 |
| Brief Overview of Access Control | 211 |
| Brief Overview of Privileges | 211 |
| SeBackupPrivilege Issues | 212 |
| SeRestorePrivilege Issues | 215 |
| SeDebugPrivilege Issues | 215 |
| SeTcbPrivilege Issues | 216 |
| SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege Issues | 217 |
| SeLoadDriverPrivilege Issues | 217 |
| SeRemoteShutdownPrivilege Issues | 217 |
| SeTakeOwnershipPrivilege Issues | 217 |
| Brief Overview of Tokens | 218 |
| How Tokens, Privileges, SIDs, ACLs, and Processes Relate | 218 |
| SIDs and Access Checks, Privileges and Privilege Checks | 219 |
| Three Reasons Applications Require Elevated Privileges | 220 |
| ACL Issues | 220 |
| Privilege Issue | 221 |
| Using LSA Secrets | 221 |
| Solving the Elevated Privileges Issue | 222 |
| Solving ACL Issues | 222 |
| Solving Privilege Issues | 223 |
| Solving LSA Issues | 223 |
| A Process for Determining Appropriate Privilege | 223 |
| Step 1: Find Resources Used by the Application | 224 |
| Step 2: Find Privileged APIs Used by the Application | 224 |
| Step 3: Which Account Is Required? | 226 |
| Step 4: Get the Token Contents | 226 |
| Step 5: Are All the SIDs and Privileges Required? | 232 |
| Step 6: Adjust the Token | 233 |
| Low-Privilege Service Accounts in Windows XP and Windows .NET Server 2003 | 248 |
| The Impersonate Privilege and Windows .NET Server 2003 | 250 |
| Debugging Least-Privilege Issues | 251 |
| Why Applications Fail as a Normal User | 251 |
| How to Determine Why Applications Fail | 252 |
| Summary | 258 |
| 8 Cryptographic Foibles | 259 |
| Using Poor Random Numbers | 259 |
| The Problem: rand | 260 |
| Cryptographically Random Numbers in Win32 | 262 |
| Cryptographically Random Numbers in Managed Code | 268 |
| Cryptographically Random Numbers in Web Pages | 269 |
| Using Passwords to Derive Cryptographic Keys | 269 |
| Measuring the Effective Bit Size of a Password | 270 |
| Key Management Issues | 272 |
| Long-Term and Short-Term Keys | 274 |
| Use Appropriate Key Lengths to Protect Data | 274 |
| Keep Keys Close to the Source | 276 |
| Key Exchange Issues | 279 |
| Creating Your Own Cryptographic Functions | 281 |
| Using the Same Stream-Cipher Encryption Key | 283 |
| Why People Use Stream Ciphers | 284 |
| The Pitfalls of Stream Ciphers | 284 |
| What If You Must Use the Same Key? | 287 |
| Bit-Flipping Attacks Against Stream Ciphers | 289 |
| Solving Bit-Flipping Attacks | 290 |
| When to Use a Hash, Keyed Hash, or Digital Signature | 290 |
| Reusing a Buffer for Plaintext and Ciphertext | 296 |
| Using Crypto to Mitigate Threats | 297 |
| Document Your Use of Cryptography | 298 |
| 9 Protecting Secret Data | 299 |
| Attacking Secret Data | 300 |
| Sometimes You Don't Need to Store a Secret | 301 |
| Creating a Salted Hash | 302 |
| Using PKCS #5 to Make the Attacker's Job Harder | 303 |
| Getting the Secret from the User | 305 |
| Protecting Secrets in Windows 2000 and Later | 305 |
| A Special Case: Client Credentials in Windows XP | 309 |
| Protecting Secrets in Windows NT 4 | 311 |
| Protecting Secrets in Windows 95, Windows 98, Windows Me, and Windows CE | 315 |
| Getting Device Details Using PnP | 316 |
| Not Opting for a Least Common Denominator Solution | 320 |
| Managing Secrets in Memory | 321 |
| A Compiler Optimization Caveat | 322 |
| Encrypting Secret Data in Memory | 326 |
| Locking Memory to Prevent Paging Sensitive Data | 327 |
| Protecting Secret Data in Managed Code | 329 |
| Managing Secrets in Memory in Managed Code | 335 |
| Raising the Security Bar | 336 |
| Storing the Data in a File on a FAT File System | 337 |
| Using an Embedded Key and XOR to Encode the Data | 337 |
| Using an Embedded Key and 3DES to Encrypt the Data | 337 |
| Using 3DES to Encrypt the Data and Storing a Password in the Registry | 337 |
| Using 3DES to Encrypt the Data and Storing a Strong Key in the Registry | 337 |
| Using 3DES to Encrypt the Data, Storing a Strong Key in the Registry, and ACLing the File and the Registry Key | 338 |
| Using 3DES to Encrypt the Data, Storing a Strong Key in the Registry, Requiring the User to Enter a Password, and ACLing the File and the Registry Key | 338 |
| Trade-Offs When Protecting Secret Data | 338 |
| Summary | 339 |
| 10 All Input Is Evil! | 341 |
| The Issue | 342 |
| Misplaced Trust | 343 |
| A Strategy for Defending Against Input Attacks | 345 |
| How to Check Validity | 347 |
| Tainted Variables in Perl | 349 |
| Using Regular Expressions for Checking Input | 350 |
| Be Careful of What You Find—Did You Mean to Validate? | 352 |
| Regular Expressions and Unicode | 353 |
| A Regular Expression Rosetta Stone | 358 |
| Regular Expressions in Perl | 358 |
| Regular Expressions in Managed Code | 359 |
| Regular Expressions in Script | 360 |
| Regular Expressions in C++ | 360 |
| A Best Practice That Does Not Use Regular Expressions | 361 |
| Summary | 362 |
| 11 Canonical Representation Issues | 363 |
| What Does Canonical Mean, and Why Is It a Problem? | 364 |
| Canonical Filename Issues | 364 |
| Bypassing Napster Name Filtering | 364 |
| Vulnerability in Apple Mac OS X and Apache | 365 |
| DOS Device Names Vulnerability | 365 |
| Sun Microsystems StarOffice /tmp Directory Symbolic-Link Vulnerability | 366 |
| Common Windows Canonical Filename Mistakes | 367 |
| Canonical Web-Based Issues | 373 |
| Bypassing AOL Parental Controls | 373 |
| Bypassing eEye's Security Checks | 374 |
| Zones and the Internet Explorer 4 "Dotless-IP Address" Bug | 374 |
| Internet Information Server 4.0 ::$DATA Vulnerability | 375 |
| When is a Line Really Two Lines? | 377 |
| Yet Another Web Issue—Escaping | 378 |
| Visual Equivalence Attacks and the Homograph Attack | 382 |
| Preventing Canonicalization Mistakes | 383 |
| Don't Make Decisions Based on Names | 383 |
| Use a Regular Expression to Restrict What's Allowed in a Name | 383 |
| Stopping 8.3 Filename Generation | 385 |
| Don't Trust the PATH—Use Full Path Names | 385 |
| Attempt to Canonicalize the Name | 386 |
| Calling CreateFile Safely | 390 |
| Web-Based Canonicalization Remedies | 391 |
| Restrict What Is Valid Input | 391 |
| Be Careful When Dealing with UTF-8 | 391 |
| ISAPIs—Between a Rock and a Hard Place | 392 |
| A Final Thought: Non-File-Based Canonicalization Issues | 393 |
| Server Names | 393 |
| Usernames | 394 |
| Summary | 396 |
| 12 Database Input Issues | 397 |
| The Issue | 398 |
| Pseudoremedy #1: Quoting the Input | 401 |
| Pseudoremedy #2: Use Stored Procedures | 402 |
| Remedy #1: Never Ever Connect as sysadmin | 403 |
| Remedy #2: Building SQL Statements Securely | 404 |
| Building SQL Stored Procedures Securely | 406 |
| An In-Depth Defense in Depth Example | 407 |
| Summary | 411 |
| 13 Web-Specific Input Issues | 413 |
| Cross-Site Scripting: When Output Turns Bad | 413 |
| Sometimes the Attacker Doesn't Need a <SCRIPT> Block | 417 |
| The Attacker Doesn't Need the User to Click a Link! | 418 |
| Other XSS-Related Attacks | 418 |
| XSS Attacks Against Local Files | 418 |
| XSS Attacks Against HTML Resources | 420 |
| XSS Remedies | 421 |
| Encoding Output | 422 |
| Adding Double Quotes Around All Tag Properties | 422 |
| Inserting Data in the innerText Property | 423 |
| Forcing the Codepage | 423 |
| The Internet Explorer 6.0 SP1 HttpOnly Cookie Option | 424 |
| Internet Explorer "Mark of the Web" | 425 |
| Internet Explorer <FRAME SECURITY> Attribute | 426 |
| ASP.NET 1.1 ValidateRequest configuration option | 427 |
| Don't Look for Insecure Constructs | 428 |
| But I Want Users to Post HTML to My Web Site! | 430 |
| How to Review Code for XSS Bugs | 431 |
| Other Web-Based Security Topics | 431 |
| eval() Can Be Bad | 431 |
| HTTP Trust Issues | 432 |
| ISAPI Applications and Filters | 433 |
| Be Wary of "Predictable Cookies" | 436 |
| SSL/TLS Client Issues | 437 |
| Summary | 438 |
| 14 Internationalization Issues | 439 |
| The Golden I18N Security Rules | 440 |
| Use Unicode in Your Application | 440 |
| Prevent I18N Buffer Overruns | 441 |
| Words and Bytes | 442 |
| Validate I18N | 443 |
| Visual Validation | 443 |
| Do Not Validate Strings with LCMapString | 443 |
| Use CreateFile to Validate Filenames | 443 |
| Character Set Conversion Issues | 444 |
| Use MultiByteToWideChar with MB_PRECOMPOSED and MB_ERR_INVALID_CHARS | 444 |
| Use WideCharToMultiByte with WC_NO_BEST_FIT_CHARS | 445 |
| Comparison and Sorting | 448 |
| Unicode Character Properties | 448 |
| Normalization | 450 |
| Summary | 451 |
| PART III EVEN MORE SECURE CODING TECHNIQUES | |
| 15 Socket Security | 455 |
| Avoiding Server Hijacking | 456 |
| TCP Window Attacks | 463 |
| Choosing Server Interfaces | 464 |
| Accepting Connections | 464 |
| Writing Firewall-Friendly Applications | 470 |
| Use One Connection to Do the Job | 471 |
| Don't Require the Server to Connect Back to the Client | 471 |
| Use Connection-Based Protocols | 472 |
| Don't Multiplex Your Application over Another Protocol | 472 |
| Don't Embed Host IP Addresses in Application-Layer Data | 473 |
| Make Your Application Configurable | 473 |
| Spoofing and Host-Based and Port-Based Trust | 473 |
| IPv6 Is Coming! | 474 |
| Summary | 476 |
| 16 Securing RPC, ActiveX Controls, and DCOM | 477 |
| An RPC Primer | 478 |
| What Is RPC? | 478 |
| Creating RPC Applications | 479 |
| How RPC Applications Communicate | 481 |
| Secure RPC Best Practices | 482 |
| Use the /robust MIDL Switch | 483 |
| Use the [range] Attribute | 483 |
| Require Authenticated Connections | 484 |
| Use Packet Privacy and Integrity | 489 |
| Use Strict Context Handles | 491 |
| Don't Rely on Context Handles for Access Checks | 492 |
| Be Wary of NULL Context Handles | 493 |
| Don't Trust Your Peer | 494 |
| Use Security Callbacks | 495 |
| Implications of Multiple RPC Servers in a Single Process | 497 |
| Use Mainstream Protocols | 499 |
| Secure DCOM Best Practices | 499 |
| DCOM Basics | 500 |
| Application-Level Security | 502 |
| DCOM User Contexts | 502 |
| Programmatic Security | 505 |
| Sources and Sinks | 508 |
| An ActiveX Primer | 509 |
| Secure ActiveX Best Practices | 509 |
| What ActiveX Components Are Safe for Initialization and Safe for Scripting? | 510 |
| Best Practices for Safe for Initialization and Scripting | 511 |
| Summary | 515 |
| 17 Protecting Against Denial of Service Attacks | 517 |
| Application Failure Attacks | 517 |
| CPU Starvation Attacks | 521 |
| Memory Starvation Attacks | 529 |
| Resource Starvation Attacks | 530 |
| Network Bandwidth Attacks | 532 |
| Summary | 533 |
| 18 Writing Secure .NET Code | 535 |
| Code Access Security: In Pictures | 537 |
| FxCop: A "Must-Have" Tool | 539 |
| Assemblies Should Be Strong-Named | 540 |
| Strong-Named Assemblies and ASP.NET | 542 |
| Specify Assembly Permission Requirements | 542 |
| Request Minimal Permission Set | 543 |
| Refuse Unneeded Permissions | 544 |
| Request Optional Permissions | 544 |
| Overzealous Use of Assert | 545 |
| Further Information Regarding Demand and Assert | 547 |
| Keep the Assertion Window Small | 549 |
| Demands and Link Demands | 550 |
| An Example LinkDemand Security Bug | 551 |
| Use SuppressUnmanagedCodeSecurityAttribute with Caution | 552 |
| Remoting Demands | 553 |
| Limit Who Uses Your Code | 554 |
| No Sensitive Data in XML or Configuration Files | 555 |
| Review Assemblies That Allow Partial Trust | 556 |
| Check Managed Wrappers to Unmanaged Code for Correctness | 557 |
| Issues with Delegates | 558 |
| Issues with Serialization | 558 |
| The Role of Isolated Storage | 559 |
| Disable Tracing and Debugging Before Deploying ASP.NET Applications | 561 |
| Do Not Issue Verbose Error Information Remotely | 561 |
| Deserializing Data from Untrusted Sources | 562 |
| Don't Tell the Attacker Too Much When You Fail | 562 |
| Summary | 564 |
| PART IV SPECIAL TOPICS | |
| 19 Security Testing | 567 |
| The Role of the Security Tester | 567 |
| Security Testing Is Different | 568 |
| Building Security Test Plans from a Threat Model | 569 |
| Decompose the Application | 570 |
| Identify the Component Interfaces | 570 |
| Rank the Interfaces by Potential Vulnerability | 572 |
| Ascertain the Data Structures Used by Each Interface | 573 |
| Attacking Applications with STRIDE | 573 |
| Attacking with Data Mutation | 575 |
| Before Testing | 587 |
| Building Tools to Find Flaws | 588 |
| Testing Clients with Rogue Servers | 606 |
| Should a User See or Modify That Data? | 607 |
| Testing with Security Templates | 607 |
| When You Find a Bug, You're Not Done! | 609 |
| Test Code Should Be of Great Quality | 610 |
| Test the End-to-End Solution | 611 |
| Determining Attack Surface | 611 |
| Determine Root Attack Vectors | 611 |
| Determine Bias For Attack Vectors | 612 |
| Count the Biased Vectors in the Product | 612 |
| Summary | 613 |
| 20 Performing a Security Code Review | 615 |
| Dealing with Large Applications | 617 |
| A Multiple-Pass Approach | 618 |
| Low-Hanging Fruit | 619 |
| Integer Overflows | 620 |
| A Related Issue: Integer Underflows | 624 |
| Checking Returns | 624 |
| Perform an Extra Review of Pointer Code | 625 |
| Never Trust the Data | 625 |
| Sumary | 626 |
| 21 Secure Software Installation | 627 |
| Principle of Least Privilege | 628 |
| Clean Up After Yourself! | 630 |
| Using the Security Configuration Editor | 630 |
| Low-Level Security APIs | 638 |
| Using the Windows Installer | 638 |
| Summary | 640 |
| 22 Building Privacy into Your Application | 641 |
| Malicious vs. Annoying Invasions of Privacy | 642 |
| Major Privacy Legislation | 643 |
| Personally Identifiable Information | 643 |
| The EU Directives on Data Protection | 643 |
| Safe Harbor Principles | 644 |
| Other Privacy Legislation | 646 |
| Privacy vs. Security | 646 |
| Building a Privacy Infrastructure | 647 |
| The Role of the Chief Privacy Officer | 648 |
| The Role of the Privacy Advocate | 648 |
| Designing Privacy-Aware Applications | 649 |
| Including Privacy in the Development Process | 649 |
| Exploring Privacy Features | 652 |
| Summary | 662 |
| 23 General Good Practices | 663 |
| Don't Tell the Attacker Anything | 663 |
| Service Best Practices | 663 |
| Security, Services, and the Interactive Desktop | 664 |
| Service Account Guidelines | 665 |
| Don't Leak Information in Banner Strings | 667 |
| Be Careful Changing Error Messages in Fixes | 668 |
| Double-Check Your Error Paths | 668 |
| Keep It Turned Off! | 668 |
| Kernel-Mode Mistakes | 668 |
| High-Level Security Issues | 669 |
| Handles | 670 |
| Symbolic Links | 670 |
| Quota | 670 |
| Serialization Primitives | 670 |
| Buffer-Handling Issues | 671 |
| IRP Cancellation | 673 |
| Add Security Comments to Code | 674 |
| Leverage the Operating System | 674 |
| Don't Rely on Users Making Good Decisions | 675 |
| Calling CreateProcess Securely | 675 |
| Do Not Pass NULL for lpApplicationName | 677 |
| Use Quotes Around the Path to Executable in lpCommandLine | 677 |
| Don't Create Shared/Writable Segments | 677 |
| Using Impersonation Functions Correctly | 678 |
| Don't Write User Files to \Program Files | 678 |
| Don't Write User Data to HKLM | 679 |
| Don't Open Objects for FULL_CONTROL or ALL_ACCESS | 679 |
| Object Creation Mistakes | 679 |
| Care and Feeding of CreateFile | 681 |
| Creating Temporary Files Securely | 682 |
| Implications of Setup Programs and EFS | 686 |
| File System Reparse Point Issues | 686 |
| Client-Side Security Is an Oxymoron | 687 |
| Samples Are Templates | 688 |
| Dogfood Your Stuff! | 688 |
| You Owe It to Your Users If. | 689 |
| Determining Access Based on an Administrator SID | 689 |
| Allow Long Passwords | 690 |
| Be Careful with _alloca | 691 |
| ATL Conversion Macros | 691 |
| Don't Embed Corporate Names | 692 |
| Move Strings to a Resource DLL | 693 |
| Application Logging | 693 |
| Migrate Dangerous C/C++ to Managed Code | 694 |
| 24 Writing Security Documentation and Error Messages | 695 |
| Security Issues in Documentation | 695 |
| The Basics | 696 |
| Threat Mitigation Through Documentation | 697 |
| Documenting Security Best Practices | 698 |
| Security Issues in Error Messages | 700 |
| A Typical Security Message | 700 |
| Information Disclosure Issues | 701 |
| Informed Consent | 702 |
| Progressive Disclosure | 704 |
| Be Specific | 705 |
| Consider Not Asking the Question | 706 |
| Usability Test Your Security Messages | 707 |
| A Note When Reviewing Product Specifications | 708 |
| Security Usability | 708 |
| Summary | 709 |
| PART V APPENDIXES | |
| A Dangerous APIs | 713 |
| B Ridiculous Excuses We've Heard | 723 |
| C A Designer's Security Checklist | 729 |
| D A Developer's Security Checklist | 731 |
| E A Tester's Security Checklist | 737 |
| A Final Thought | 739 |
| ANNOTATED BIBLIOGRAPHY | 741 |
| INDEX | 747 |
