For Immediate Release
For more information, a review copy, cover art, or an interview with
the authors, contact:
Kathryn Barrett (707) 827-7094 or

Security Begins with Well-Written Code
O’Reilly Releases “Secure Programming Cookbook for C and C++”

Sebastopol, CA–Over the next three years, private organizations and
government agencies will spend an estimated $21 billion on network
security to fight off password sniffing, spoofing, buffer overflows,
denials of service, viruses, worms, and other attacks. Despite this
tremendous effort, experts including John Viega, coauthor of the
“Secure Programming Cookbook for C and C++” (O’Reilly, US $49.95),
assert that many security problems boil down to one fundamental cause:
poorly written, poorly tested, and insecure code underlying
applications that run the very systems everyone is trying so hard to

That’s not something system administrators can fix at the network
level, Viega explains, but depends on programmers to write code that
attackers cannot exploit. “Writing secure code is difficult, even for
experts,” he points out. “Unfortunately, programmers generally hold a
world view that they write correct code all the time, and only
occasionally do mistakes occur. In reality, mistakes are commonplace in
nearly everyone’s code.” He points to a recent NIST study that
estimates the computer industry in the United States alone spends $60
billion a year patching and customizing poorly written software.

Viega is one of the pioneers in the field of software security who
wrote the first publicly available tool to help programmers find and
fix security vulnerabilities in their own code. His new book,
co-written by Matt Messier, takes the same practical approach to
fortifying code. Rather than recite principals and guidelines, “Secure
Programming Cookbook for C and C++” is a nuts-and-bolts reference that
teaches by example, focusing on two of the most widely used programming
languages available.

“There are already several other books out there on the topic of
writing secure software,” Viega explains. “Many of them are quite good,
but they universally focus on the fundamentals, not code. None of them
show you how to do such things as SSL-enable your applications
properly, which can be surprisingly difficult.”

The book shows how to eliminate common problems by providing code
solutions that programmers can insert directly into their applications,
along with explanations of why and how the code samples work. Viega and
Messier cover a wide range of security topics, including cryptography
(both symmetric and public key), random numbers, safe initialization,
input validation, networking, authentication, access control, email,
and anti-tampering. Altogether, there are more than 200 recipes to help
programmers secure the C and C++ programs they write for both Unix
(including Linux) and Windows environments.

Viega assumes that programmers who pick up “Secure Programming Cookbook
for C and C++” already understand security basics, but that “strangely
enough, programmers make the same mistakes over and over again,” he
says. “Most security problems have been seen before. It’s rare to
actually see a new one. We give people the tools they haven’t had
before, so they have a fighting chance.”

Additional Resources:

Chapter 11, “Random Numbers,” is available free online at:

For more information about the book, including Table of Contents,
index, author bios, and samples, see:

For a cover graphic in JPEG format, go to:

Secure Programming Cookbook for C and C++
John Viega and Matt Messier
ISBN 0-596-00394-3, 790 pages, $49.95 US, $77.95 CA, 35.50 UK

About O’Reilly
O’Reilly & Associates is the premier information source for
leading-edge computer technologies. The company’s books, conferences,
and web sites bring to light the knowledge of technology innovators.
O’Reilly books, known for the animals on their covers, occupy a
treasured place on the shelves of the developers building the next
generation of software. O’Reilly conferences and summits bring alpha
geeks and forward-thinking business leaders together to shape the
revolutionary ideas that spark new industries. From the Internet to
XML, open source, .NET, Java, and web services, O’Reilly puts
technologies on the map. For more information: