<HTML>
<HEAD>
<TITLE>Bibliography</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.7">
<LINK REL="HOME" TITLE="Secure Programming for Linux and Unix HOWTO" HREF="index.html">
<LINK REL="PREVIOUS" TITLE="Conclusion" HREF="conclusion.html">
<LINK REL="NEXT" TITLE="History" HREF="document-history.html">
</HEAD>
<BODY CLASS="CHAPTER" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE SUMMARY="Header navigation table" WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Secure Programming for Linux and Unix HOWTO</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="conclusion.html" ACCESSKEY="P">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom"></TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="document-history.html" ACCESSKEY="N">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="CHAPTER">
<H1><A NAME="BIBLIOGRAPHY"></A>Chapter 13. Bibliography</H1>
<TABLE BORDER="0" WIDTH="100%" CELLSPACING="0" CELLPADDING="0" CLASS="EPIGRAPH">
<TR>
<TD WIDTH="45%"> </TD>
<TD WIDTH="45%" ALIGN="LEFT" VALIGN="TOP"><I><P><I>The words of the wise are like goads, their collected sayings like firmly embedded nails--given by one Shepherd. Be warned, my son, of anything in addition to them. Of making many books there is no end, and much study wearies the body.</I></P></I></TD>
</TR>
<TR>
<TD WIDTH="45%"> </TD>
<TD WIDTH="45%" ALIGN="RIGHT" VALIGN="TOP"><I><SPAN CLASS="ATTRIBUTION">Ecclesiastes 12:11-12 (NIV)</SPAN></I></TD>
</TR>
</TABLE>
<P><EM>Note that there is a heavy emphasis on technical articles available on the web, since this is where most of this kind of technical information is available.</EM></P>
<P>[Advosys 2000] Advosys Consulting (formerly named Webber Technical Services). <EM>Writing Secure Web Applications</EM>. <A HREF="http://advosys.ca/tips/web-security.html" TARGET="_top">http://advosys.ca/tips/web-security.html</A>.</P>
<P>[Al-Herbish 1999] Al-Herbish, Thamer. 1999. <EM>Secure Unix Programming FAQ</EM>. <A HREF="http://www.whitefang.com/sup" TARGET="_top">http://www.whitefang.com/sup</A>.</P>
<P>[Aleph1 1996] Aleph1. November 8, 1996. ``Smashing The Stack For Fun And Profit''. <EM>Phrack Magazine</EM>. Issue 49, Article 14. <A HREF="http://www.phrack.com/search.phtml?view&article=p49-14" TARGET="_top">http://www.phrack.com/search.phtml?view&article=p49-14</A> or alternatively <A HREF="http://www.2600.net/phrack/p49-14.html" TARGET="_top">http://www.2600.net/phrack/p49-14.html</A>.</P>
<P>[Anonymous 1999] Anonymous. October 1999. <EM>Maximum Linux Security: A Hacker's Guide to Protecting Your Linux Server and Workstation</EM>. Sams. ISBN: 0672316706.</P>
<P>[Anonymous 1998] Anonymous. September 1998. <EM>Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network</EM>. Second Edition. Sams. ISBN: 0672313413.</P>
<P>[Anonymous Phrack 2001] Anonymous. August 11, 2001. ``Once upon a free()''. <EM>Phrack</EM>, Volume 0x0b, Issue 0x39, Phile #0x09 of 0x12. <A HREF="http://phrack.org/show.php?p=57&a=9" TARGET="_top">http://phrack.org/show.php?p=57&a=9</A>.</P>
<P>[AUSCERT 1996] Australian Computer Emergency Response Team (AUSCERT) and O'Reilly. May 23, 1996 (rev 3C). <EM>A Lab Engineers Check List for Writing Secure Unix Code</EM>. <A HREF="ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist" TARGET="_top">ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist</A>.</P>
<P>[Bach 1986] Bach, Maurice J. 1986. <EM>The Design of the Unix Operating System</EM>. Englewood Cliffs, NJ: Prentice-Hall, Inc. ISBN 0-13-201799-7 025.</P>
<P>[Beattie 2002] Beattie, Steve, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. November 2002. ``Timing the Application of Security Patches for Optimal Uptime''. <EM>2002 LISA XVI</EM>, November 3-8, 2002, Philadelphia, PA.</P>
<P>[Bellovin 1989] Bellovin, Steven M. April 1989. ``Security Problems in the TCP/IP Protocol Suite''. <EM>Computer Communications Review</EM> 2:19, pp. 32-48. <A HREF="http://www.research.att.com/~smb/papers/ipext.pdf" TARGET="_top">http://www.research.att.com/~smb/papers/ipext.pdf</A>.</P>
<P>[Bellovin 1994] Bellovin, Steven M. December 1994. <EM>Shifting the Odds -- Writing (More) Secure Software</EM>. Murray Hill, NJ: AT&T Research. <A HREF="http://www.research.att.com/~smb/talks" TARGET="_top">http://www.research.att.com/~smb/talks</A>.</P>
<P>[Bishop 1996] Bishop, Matt. May 1996. ``UNIX Security: Security in Programming''. <EM>SANS '96</EM>. Washington DC (May 1996). <A HREF="http://olympus.cs.ucdavis.edu/~bishop/secprog.html" TARGET="_top">http://olympus.cs.ucdavis.edu/~bishop/secprog.html</A>.</P>
<P>[Bishop 1997] Bishop, Matt. October 1997. ``Writing Safe Privileged Programs''. <EM>Network Security 1997</EM>. New Orleans, LA. <A HREF="http://olympus.cs.ucdavis.edu/~bishop/secprog.html" TARGET="_top">http://olympus.cs.ucdavis.edu/~bishop/secprog.html</A>.</P>
<P>[Blaze 1996] Blaze, Matt, Whitfield Diffie, Ronald L. Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson, and Michael Wiener. January 1996. ``Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security: A Report by an Ad Hoc Group of Cryptographers and Computer Scientists''. <A HREF="ftp://ftp.research.att.com/dist/mab/keylength.txt" TARGET="_top">ftp://ftp.research.att.com/dist/mab/keylength.txt</A> and <A HREF="ftp://ftp.research.att.com/dist/mab/keylength.ps" TARGET="_top">ftp://ftp.research.att.com/dist/mab/keylength.ps</A>.</P>
<P>[CC 1999] <EM>The Common Criteria for Information Technology Security Evaluation (CC)</EM>. August 1999. Version 2.1. Technically identical to International Standard ISO/IEC 15408:1999. <A HREF="http://csrc.nist.gov/cc/ccv20/ccv2list.htm" TARGET="_top">http://csrc.nist.gov/cc/ccv20/ccv2list.htm</A>.</P>
<P>[CERT 1998] Computer Emergency Response Team (CERT) Coordination Center (CERT/CC). February 13, 1998. <EM>Sanitizing User-Supplied Data in CGI Scripts</EM>. CERT Advisory CA-97.25.CGI_metachar. <A HREF="http://www.cert.org/advisories/CA-97.25.CGI_metachar.html" TARGET="_top">http://www.cert.org/advisories/CA-97.25.CGI_metachar.html</A>.</P>
<P>[Cheswick 1994] Cheswick, William R. and Steven M. Bellovin. <EM>Firewalls and Internet Security: Repelling the Wily Hacker</EM>. Full text at <A HREF="http://www.wilyhacker.com" TARGET="_top">http://www.wilyhacker.com</A>.</P>
<P>[Clowes 2001] Clowes, Shaun. 2001. ``A Study In Scarlet - Exploiting Common Vulnerabilities in PHP''. <A HREF="http://www.securereality.com.au/archives.html" TARGET="_top">http://www.securereality.com.au/archives.html</A>.</P>
<P>[CMU 1998] Carnegie Mellon University (CMU). February 13, 1998. Version 1.4. ``How To Remove Meta-characters From User-Supplied Data In CGI Scripts''. <A HREF="ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters" TARGET="_top">ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters</A>.</P>
<P>[Cowan 1999] Cowan, Crispin, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. ``Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade''. <EM>Proceedings of DARPA Information Survivability Conference and Expo (DISCEX)</EM>, <A HREF="http://schafercorp-ballston.com/discex" TARGET="_top">http://schafercorp-ballston.com/discex</A>. SANS 2000, <A HREF="http://www.sans.org/newlook/events/sans2000.htm" TARGET="_top">http://www.sans.org/newlook/events/sans2000.htm</A>. For a copy, see <A HREF="http://immunix.org/documentation.html" TARGET="_top">http://immunix.org/documentation.html</A>.</P>
<P>[Cox 2000] Cox, Philip. March 30, 2001. <EM>Hardening Windows 2000</EM>. <A HREF="http://www.systemexperts.com/win2k/hardenW2K11.pdf" TARGET="_top">http://www.systemexperts.com/win2k/hardenW2K11.pdf</A>.</P>
<P>[Dobbertin 1996] Dobbertin, H. 1996. ``The Status of MD5 After a Recent Attack''. <EM>RSA Laboratories' CryptoBytes</EM>. Vol. 2, No. 2.</P>
<P>[Felten 1997] Felten, Edward W., Dirk Balfanz, Drew Dean, and Dan S. Wallach. <EM>Web Spoofing: An Internet Con Game</EM>. Technical Report 540-96 (revised Feb. 1997). Department of Computer Science, Princeton University. <A HREF="http://www.cs.princeton.edu/sip/pub/spoofing.pdf" TARGET="_top">http://www.cs.princeton.edu/sip/pub/spoofing.pdf</A>.</P>
<P>[Fenzi 1999] Fenzi, Kevin, and Dave Wrenski. April 25, 1999. <EM>Linux Security HOWTO</EM>. Version 1.0.2. <A HREF="http://www.tldp.org/HOWTO/Security-HOWTO.html" TARGET="_top">http://www.tldp.org/HOWTO/Security-HOWTO.html</A>.</P>
<P>[FHS 1997] Filesystem Hierarchy Standard Group, edited by Daniel Quinlan. October 26, 1997. <EM>Filesystem Hierarchy Standard (FHS 2.0)</EM>. Version 2.0. <A HREF="http://www.pathname.com/fhs" TARGET="_top">http://www.pathname.com/fhs</A>.</P>
<P>[Filipski 1986] Filipski, Alan and James Hanko. April 1986. ``Making Unix Secure''. <EM>Byte</EM> (Magazine). Peterborough, NH: McGraw-Hill Inc. Vol. 11, No. 4. ISSN 0360-5280. pp. 113-128.</P>
<P>[Flake 2001] Flake, Halvar. <EM>Auditing Binaries for Security Vulnerabilities</EM>. <A HREF="http://www.blackhat.com/html/win-usa-01/win-usa-01-speakers.html" TARGET="_top">http://www.blackhat.com/html/win-usa-01/win-usa-01-speakers.html</A>.</P>
<P>[FOLDOC] <EM>Free On-Line Dictionary of Computing</EM>. <A HREF="http://foldoc.doc.ic.ac.uk/foldoc/index.html" TARGET="_top">http://foldoc.doc.ic.ac.uk/foldoc/index.html</A>.</P>
<P>[Forristal 2001] Forristal, Jeff, and Greg Shipley. January 8, 2001. ``Vulnerability Assessment Scanners''. <EM>Network Computing</EM>. <A HREF="http://www.nwc.com/1201/1201f1b1.html" TARGET="_top">http://www.nwc.com/1201/1201f1b1.html</A>.</P>
<P>[FreeBSD 1999] FreeBSD, Inc. 1999. ``Secure Programming Guidelines''. <EM>FreeBSD Security Information</EM>. <A HREF="http://www.freebsd.org/security/security.html" TARGET="_top">http://www.freebsd.org/security/security.html</A>.</P>
<P>[Friedl 1997] Friedl, Jeffrey E. F. 1997. <EM>Mastering Regular Expressions</EM>. O'Reilly. ISBN 1-56592-257-3.</P>
<P>[FSF 1998] Free Software Foundation. December 17, 1999. <EM>Overview of the GNU Project</EM>. <A HREF="http://www.gnu.ai.mit.edu/gnu/gnu-history.html" TARGET="_top">http://www.gnu.ai.mit.edu/gnu/gnu-history.html</A>.</P>
<P>[FSF 1999] Free Software Foundation. January 11, 1999. <EM>The GNU C Library Reference Manual</EM>. Edition 0.08 DRAFT, for Version 2.1 Beta of the GNU C Library. Available at, for example, <A HREF="http://www.netppl.fi/~pp/glibc21/libc_toc.html" TARGET="_top">http://www.netppl.fi/~pp/glibc21/libc_toc.html</A>.</P>
<P>[Fu 2001] Fu, Kevin, Emil Sit, Kendra Smith, and Nick Feamster. August 2001. ``Dos and Don'ts of Client Authentication on the Web''. <EM>Proceedings of the 10th USENIX Security Symposium</EM>, Washington, D.C., August 2001. <A HREF="http://cookies.lcs.mit.edu/pubs/webauth.html" TARGET="_top">http://cookies.lcs.mit.edu/pubs/webauth.html</A>.</P>
<P>[Gabrilovich 2002] Gabrilovich, Evgeniy, and Alex Gontmakher. February 2002. ``Inside Risks: The Homograph Attack''. <EM>Communications of the ACM</EM>. Volume 45, Number 2. Page 128.</P>
<P>[Galvin 1998a] Galvin, Peter. April 1998. ``Designing Secure Software''. <EM>Sunworld</EM>. <A HREF="http://www.sunworld.com/swol-04-1998/swol-04-security.html" TARGET="_top">http://www.sunworld.com/swol-04-1998/swol-04-security.html</A>.</P>
<P>[Galvin 1998b] Galvin, Peter. August 1998. ``The Unix Secure Programming FAQ''. <EM>Sunworld</EM>. <A HREF="http://www.sunworld.com/sunworldonline/swol-08-1998/swol-08-security.html" TARGET="_top">http://www.sunworld.com/sunworldonline/swol-08-1998/swol-08-security.html</A>.</P>
<P>[Garfinkel 1996] Garfinkel, Simson and Gene Spafford. April 1996. <EM>Practical UNIX & Internet Security, 2nd Edition</EM>. ISBN 1-56592-148-8. Sebastopol, CA: O'Reilly & Associates, Inc. <A HREF="http://www.oreilly.com/catalog/puis" TARGET="_top">http://www.oreilly.com/catalog/puis</A>.</P>
<P>[Garfinkle 1997] Garfinkle, Simson. August 8, 1997. <EM>21 Rules for Writing Secure CGI Programs</EM>. <A HREF="http://webreview.com/wr/pub/97/08/08/bookshelf" TARGET="_top">http://webreview.com/wr/pub/97/08/08/bookshelf</A>.</P>
<P>[Gay 2000] Gay, Warren W. October 2000. <EM>Advanced Unix Programming</EM>. Indianapolis, Indiana: Sams Publishing. ISBN 0-67231-990-X.</P>
<P>[Geodsoft 2001] Geodsoft. February 7, 2001. <EM>Hardening OpenBSD Internet Servers</EM>. <A HREF="http://www.geodsoft.com/howto/harden" TARGET="_top">http://www.geodsoft.com/howto/harden</A>.</P>
<P>[Graham 1999] Graham, Jeff. May 4, 1999. <EM>Security-Audit's Frequently Asked Questions (FAQ)</EM>. <A HREF="http://lsap.org/faq.txt" TARGET="_top">http://lsap.org/faq.txt</A>.</P>
<P>[Gong 1999] Gong, Li. June 1999. <EM>Inside Java 2 Platform Security</EM>. Reading, MA: Addison Wesley Longman, Inc. ISBN 0-201-31000-7.</P>
<P>[Gundavaram Unknown] Gundavaram, Shishir, and Tom Christiansen. Date Unknown. <EM>Perl CGI Programming FAQ</EM>. <A HREF="http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html" TARGET="_top">http://language.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html</A>.</P>
<P>[Hall 1999] Hall, Brian "Beej". January 13, 1999. <EM>Beej's Guide to Network Programming Using Internet Sockets</EM>. Version 1.5.5. <A HREF="http://www.ecst.csuchico.edu/~beej/guide/net" TARGET="_top">http://www.ecst.csuchico.edu/~beej/guide/net</A>.</P>
<P>[Howard 2002] Howard, Michael and David LeBlanc. 2002. <EM>Writing Secure Code</EM>. Redmond, Washington: Microsoft Press. ISBN 0-7356-1588-8.</P>
<P>[ISO 12207] International Organization for Standardization (ISO). 1995. <EM>Information technology -- Software life cycle processes</EM>. ISO/IEC 12207:1995.</P>
<P>[ISO 13335] International Organization for Standardization (ISO). ISO/IEC TR 13335. <EM>Guidelines for the Management of IT Security (GMITS)</EM>. Note that this is a five-part technical report (not a standard); see also ISO/IEC 17799:2000. It includes:</P>
<UL>
<LI><P>ISO 13335-1: Concepts and Models for IT Security</P></LI>
<LI><P>ISO 13335-2: Managing and Planning IT Security</P></LI>
<LI><P>ISO 13335-3: Techniques for the Management of IT Security</P></LI>
<LI><P>ISO 13335-4: Selection of Safeguards</P></LI>
<LI><P>ISO 13335-5: Safeguards for External Connections</P></LI>
</UL>
<P>[ISO 17799] International Organization for Standardization (ISO). December 2000. <EM>Code of Practice for Information Security Management</EM>. ISO/IEC 17799:2000.</P>
<P>[ISO 9000] International Organization for Standardization (ISO). 2000. <EM>Quality management systems - Fundamentals and vocabulary</EM>. ISO 9000:2000. See <A HREF="http://www.iso.ch/iso/en/iso9000-14000/iso9000/selection_use/iso9000family.html" TARGET="_top">http://www.iso.ch/iso/en/iso9000-14000/iso9000/selection_use/iso9000family.html</A>.</P>
<P>[ISO 9001] International Organization for Standardization (ISO). 2000. <EM>Quality management systems - Requirements</EM>. ISO 9001:2000.</P>
<P>[Jones 2000] Jones, Jennifer. October 30, 2000. ``Banking on Privacy''. <EM>InfoWorld</EM>, Volume 22, Issue 44. San Mateo, CA: International Data Group (IDG). pp. 1-12.</P>
<P>[Kelsey 1998] Kelsey, J., B. Schneier, D. Wagner, and C. Hall. March 1998. ``Cryptanalytic Attacks on Pseudorandom Number Generators''. <EM>Fast Software Encryption, Fifth International Workshop Proceedings</EM> (March 1998), Springer-Verlag, 1998, pp. 168-188. <A HREF="http://www.counterpane.com/pseudorandom_number.html" TARGET="_top">http://www.counterpane.com/pseudorandom_number.html</A>.</P>
<P>[Kernighan 1988] Kernighan, Brian W., and Dennis M. Ritchie. 1988. <EM>The C Programming Language</EM>. Second Edition. Englewood Cliffs, NJ: Prentice-Hall. ISBN 0-13-110362-8.</P>
<P>[Kim 1996] Kim, Eugene Eric. 1996. <EM>CGI Developer's Guide</EM>. SAMS.net Publishing. ISBN: 1-57521-087-8. <A HREF="http://www.eekim.com/pubs/cgibook" TARGET="_top">http://www.eekim.com/pubs/cgibook</A>.</P>
<P>[Kolsek 2002] Kolsek, Mitja. December 2002. <EM>Session Fixation Vulnerability in Web-based Applications</EM>. <A HREF="http://www.acros.si/papers/session_fixation.pdf" TARGET="_top">http://www.acros.si/papers/session_fixation.pdf</A>.</P>
<P>[Kuchling 2000] Kuchling, A.M. 2000. <EM>Restricted Execution HOWTO</EM>. <A HREF="http://www.python.org/doc/howto/rexec/rexec.html" TARGET="_top">http://www.python.org/doc/howto/rexec/rexec.html</A>.</P>
<P>[Kuhn 2002] Kuhn, Markus G. ``Optical Time-Domain Eavesdropping Risks of CRT Displays''. <EM>Proceedings of the 2002 IEEE Symposium on Security and Privacy</EM>, Oakland, CA, May 12-15, 2002. <A HREF="http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf" TARGET="_top">http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf</A>.</P>
<P>[LSD 2001] The Last Stage of Delirium. July 4, 2001. <EM>UNIX Assembly Codes Development for Vulnerabilities Illustration Purposes</EM>. <A HREF="http://lsd-pl.net/papers.html#assembly" TARGET="_top">http://lsd-pl.net/papers.html#assembly</A>.</P>
<P>[McClure 1999] McClure, Stuart, Joel Scambray, and George Kurtz. 1999. <EM>Hacking Exposed: Network Security Secrets and Solutions</EM>. Berkeley, CA: Osbourne/McGraw-Hill. ISBN 0-07-212127-0.</P>
<P>[McKusick 1999] McKusick, Marshall Kirk. January 1999. ``Twenty Years of Berkeley Unix: From AT&T-Owned to Freely Redistributable''. <EM>Open Sources: Voices from the Open Source Revolution</EM>. <A HREF="http://www.oreilly.com/catalog/opensources/book/kirkmck.html" TARGET="_top">http://www.oreilly.com/catalog/opensources/book/kirkmck.html</A>.</P>
<P>[McGraw 1999] McGraw, Gary, and Edward W. Felten. December 1998. ``Twelve Rules for developing more secure Java code''. <EM>Javaworld</EM>. <A HREF="http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.html" TARGET="_top">http://www.javaworld.com/javaworld/jw-12-1998/jw-12-securityrules.html</A>.</P>
<P>[McGraw 1999] McGraw, Gary, and Edward W. Felten. January 25, 1999. <EM>Securing Java: Getting Down to Business with Mobile Code, 2nd Edition</EM>. John Wiley & Sons. ISBN 047131952X. <A HREF="http://www.securingjava.com" TARGET="_top">http://www.securingjava.com</A>.</P>
<P>[McGraw 2000a] McGraw, Gary and John Viega. March 1, 2000. ``Make Your Software Behave: Learning the Basics of Buffer Overflows''. <A HREF="http://www-4.ibm.com/software/developer/library/overflows/index.html" TARGET="_top">http://www-4.ibm.com/software/developer/library/overflows/index.html</A>.</P>
<P>[McGraw 2000b] McGraw, Gary and John Viega. April 18, 2000. ``Make Your Software Behave: Software strategies''. In the absence of hardware, you can devise a reasonably secure random number generator through software. <A HREF="http://www-106.ibm.com/developerworks/library/randomsoft/index.html?dwzone=security" TARGET="_top">http://www-106.ibm.com/developerworks/library/randomsoft/index.html?dwzone=security</A>.</P>
<P>[Miller 1995] Miller, Barton P., David Koski, Cjin Pheow Lee, Vivekananda Maganty, Ravi Murthy, Ajitkumar Natarajan, and Jeff Steidl. 1995. <EM>Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services</EM>. <A HREF="ftp://grilled.cs.wisc.edu/technical_papers/fuzz-revisited.pdf" TARGET="_top">ftp://grilled.cs.wisc.edu/technical_papers/fuzz-revisited.pdf</A>.</P>
<P>[Miller 1999] Miller, Todd C. and Theo de Raadt. ``strlcpy and strlcat -- Consistent, Safe, String Copy and Concatenation''. <EM>Proceedings of Usenix '99</EM>. <A HREF="http://www.usenix.org/events/usenix99/millert.html" TARGET="_top">http://www.usenix.org/events/usenix99/millert.html</A> and <A HREF="http://www.usenix.org/events/usenix99/full_papers/millert/PACKING_LIST" TARGET="_top">http://www.usenix.org/events/usenix99/full_papers/millert/PACKING_LIST</A>.</P>
<P>[Mookhey 2002] Mookhey, K. K. <EM>The Unix Auditor's Practical Handbook</EM>. <A HREF="http://www.nii.co.in/tuaph.html" TARGET="_top">http://www.nii.co.in/tuaph.html</A>.</P>
<P>[Mudge 1995] Mudge. October 20, 1995. <EM>How to write Buffer Overflows</EM>. l0pht advisories. <A HREF="http://www.l0pht.com/advisories/bufero.html" TARGET="_top">http://www.l0pht.com/advisories/bufero.html</A>.</P>
<P>[Murhammer 1998] Murhammer, Martin W., Orcun Atakan, Stefan Bretz, Larry R. Pugh, Kazunari Suzuki, and David H. Wood. October 1998. <EM>TCP/IP Tutorial and Technical Overview</EM>. IBM International Technical Support Organization. <A HREF="http://www.redbooks.ibm.com/pubs/pdfs/redbooks/gg243376.pdf" TARGET="_top">http://www.redbooks.ibm.com/pubs/pdfs/redbooks/gg243376.pdf</A>.</P>
<P>[NCSA] <EM>NCSA Secure Programming Guidelines</EM>. <A HREF="http://www.ncsa.uiuc.edu/General/Grid/ACES/security/programming" TARGET="_top">http://www.ncsa.uiuc.edu/General/Grid/ACES/security/programming</A>.</P>
<P>[Neumann 2000] Neumann, Peter. 2000. ``Robust Nonproprietary Software''. <EM>Proceedings of the 2000 IEEE Symposium on Security and Privacy</EM> (the ``Oakland Conference''), May 14-17, 2000, Berkeley, CA. Los Alamitos, CA: IEEE Computer Society. pp. 122-123.</P>
<P>[NSA 2000] National Security Agency (NSA). September 2000. <EM>Information Assurance Technical Framework (IATF)</EM>. <A HREF="http://www.iatf.net" TARGET="_top">http://www.iatf.net</A>.</P>
<P>[Open Group 1997] The Open Group. 1997. <EM>Single UNIX Specification, Version 2 (UNIX 98)</EM>. <A HREF="http://www.opengroup.org/online-pubs?DOC=007908799" TARGET="_top">http://www.opengroup.org/online-pubs?DOC=007908799</A>.</P>
<P>[OSI 1999] Open Source Initiative. 1999. <EM>The Open Source Definition</EM>. <A HREF="http://www.opensource.org/osd.html" TARGET="_top">http://www.opensource.org/osd.html</A>.</P>
><P
|
|
>[Opplinger 1998]
|
|
Oppliger, Rolf.
|
|
1998.
|
|
Internet and Intranet Security.
|
|
Norwood, MA: Artech House.
|
|
ISBN 0-89006-829-1.</P
|
|
><P
|
|
>[Paulk 1993a]
|
|
Mark C. Paulk, Bill Curtis, Mary Beth Chrissis, and Charles V. Weber.
|
|
Capability Maturity Model for Software, Version 1.1.
|
|
Software Engineering Institute, CMU/SEI-93-TR-24.
|
|
DTIC Number ADA263403, February 1993.
|
|
<A
|
|
HREF="http://www.sei.cmu.edu/activities/cmm/obtain.cmm.html"
|
|
TARGET="_top"
|
|
>http://www.sei.cmu.edu/activities/cmm/obtain.cmm.html</A
|
|
>.</P
|
|
><P
|
|
>[Paulk 1993b]
|
|
Mark C. Paulk, Charles V. Weber, Suzanne M. Garcia, Mary Beth Chrissis, and Marilyn W. Bush.
|
|
Key Practices of the Capability Maturity Model, Version 1.1.
|
|
Software Engineering Institute.
|
|
CMU/SEI-93-TR-25, DTIC Number ADA263432, February 1993. </P
|
|
><P
|
|
>[Peteanu 2000]
|
|
Peteanu, Razvan.
|
|
July 18, 2000.
|
|
Best Practices for Secure Web Development.
|
|
<A
|
|
HREF="http://members.home.net/razvan.peteanu"
|
|
TARGET="_top"
|
|
>http://members.home.net/razvan.peteanu</A
|
|
></P
|
|
><P
|
|
>[Pfleeger 1997]
|
|
Pfleeger, Charles P.
|
|
1997.
|
|
<EM
|
|
>Security in Computing.</EM
|
|
>
|
|
Upper Saddle River, NJ: Prentice-Hall PTR.
|
|
ISBN 0-13-337486-6.</P
|
|
><P
|
|
>[Phillips 1995]
|
|
Phillips, Paul.
|
|
September 3, 1995.
|
|
<EM
|
|
>Safe CGI Programming</EM
|
|
>.
|
|
<A
|
|
HREF="http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt"
|
|
TARGET="_top"
|
|
>http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt</A
|
|
></P
|
|
><P
|
|
>[Quintero 1999]
|
|
Quintero, Federico Mena,
|
|
Miguel de Icaza, and Morten Welinder
|
|
GNOME Programming Guidelines
|
|
<A
|
|
HREF="http://developer.gnome.org/doc/guides/programming-guidelines/book1.html"
|
|
TARGET="_top"
|
|
>http://developer.gnome.org/doc/guides/programming-guidelines/book1.html</A
|
|
></P
|
|
><P
|
|
>[Raymond 1997]
|
|
Raymond, Eric.
|
|
1997.
|
|
<EM
|
|
>The Cathedral and the Bazaar</EM
|
|
>.
|
|
<A
|
|
HREF="http://www.catb.org/~esr/writings/cathedral-bazaar"
|
|
TARGET="_top"
|
|
>http://www.catb.org/~esr/writings/cathedral-bazaar</A
|
|
></P
|
|
><P
|
|
>[Raymond 1998]
|
|
Raymond, Eric.
|
|
April 1998.
|
|
<EM
|
|
>Homesteading the Noosphere</EM
|
|
>.
|
|
<A
|
|
HREF="http://www.catb.org/~esr/writings/homesteading/homesteading.html"
|
|
TARGET="_top"
|
|
>http://www.catb.org/~esr/writings/homesteading/homesteading.html</A
|
|
></P
|
|
><P
|
|
>[Ranum 1998]
|
|
Ranum, Marcus J.
|
|
1998.
|
|
<EM
|
|
>Security-critical coding for programmers -
|
|
a C and UNIX-centric full-day tutorial</EM
|
|
>.
|
|
<A
|
|
HREF="http://www.clark.net/pub/mjr/pubs/pdf/"
|
|
TARGET="_top"
|
|
>http://www.clark.net/pub/mjr/pubs/pdf/</A
|
|
>.</P
|
|
><P
|
|
>[RFC 822]
|
|
August 13, 1982
|
|
<EM
|
|
>Standard for the Format of ARPA Internet Text Messages</EM
|
|
>.
|
|
IETF RFC 822.
|
|
<A
|
|
HREF="http://www.ietf.org/rfc/rfc0822.txt"
|
|
TARGET="_top"
|
|
>http://www.ietf.org/rfc/rfc0822.txt</A
|
|
>.</P
|
|
><P
|
|
>[rfp 1999]
|
|
rain.forest.puppy.
|
|
1999.
|
|
``Perl CGI problems''.
|
|
<EM
|
|
>Phrack Magazine</EM
|
|
>.
|
|
Issue 55, Article 07.
|
|
<A
|
|
HREF="http://www.phrack.com/search.phtml?view&article=p55-7"
|
|
TARGET="_top"
|
|
>http://www.phrack.com/search.phtml?view&article=p55-7</A
|
|
> or
|
|
<A
|
|
HREF="http://www.insecure.org/news/P55-07.txt"
|
|
TARGET="_top"
|
|
>http://www.insecure.org/news/P55-07.txt</A
|
|
>.</P
|
|
><P
|
|
>[Rijmen 2000]
|
|
Rijmen, Vincent.
|
|
"LinuxSecurity.com Speaks With AES Winner".
|
|
<A
|
|
HREF="http://www.linuxsecurity.com/feature_stories/interview-aes-3.html"
|
|
TARGET="_top"
|
|
>http://www.linuxsecurity.com/feature_stories/interview-aes-3.html</A
|
|
>.</P
|
|
><P
|
|
>[Rochkind 1985].
|
|
Rochkind, Marc J.
|
|
<EM
|
|
>Advanced Unix Programming</EM
|
|
>.
|
|
Englewood Cliffs, NJ: Prentice-Hall, Inc.
|
|
ISBN 0-13-011818-4.</P
|
|
><P
|
|
>[Sahu 2002]
|
|
Sahu, Bijaya Nanda,
|
|
Srinivasan S. Muthuswamy,
|
|
Satya Nanaji Rao Mallampalli, and
|
|
Venkata R. Bonam.
|
|
July 2002
|
|
``Is your Java code secure -- or exposed?
|
|
Build safer applications now to avoid trouble later''
|
|
<A
|
|
HREF="http://www-106.ibm.com/developerworks/java/library/j-staticsec.html?loc=dwmain"
|
|
TARGET="_top"
|
|
>http://www-106.ibm.com/developerworks/java/library/j-staticsec.html?loc=dwmain</A
|
|
></P
|
|
><P
|
|
>[St. Laurent 2000]
|
|
St. Laurent, Simon.
|
|
February 2000.
|
|
<EM
|
|
>XTech 2000 Conference Reports</EM
|
|
>.
|
|
``When XML Gets Ugly''.
|
|
<A
|
|
HREF="http://www.xml.com/pub/2000/02/xtech/megginson.html"
|
|
TARGET="_top"
|
|
>http://www.xml.com/pub/2000/02/xtech/megginson.html</A
|
|
>.</P
|
|
><P
|
|
>[Saltzer 1974]
|
|
Saltzer, J.
|
|
July 1974.
|
|
``Protection and the Control of Information Sharing in MULTICS''.
|
|
<EM
|
|
>Communications of the ACM</EM
|
|
>.
|
|
v17 n7.
|
|
pp. 388-402.</P
|
|
><P
|
|
>[Saltzer 1975]
|
|
Saltzer, J., and M. Schroeder.
|
|
September 1975.
|
|
``The Protection of Information in Computing Systems''.
|
|
<EM
|
|
>Proceedings of the IEEE</EM
|
|
>.
|
|
v63 n9.
|
|
pp. 1278-1308.
|
|
<A
|
|
HREF="http://www.mediacity.com/~norm/CapTheory/ProtInf"
|
|
TARGET="_top"
|
|
>http://www.mediacity.com/~norm/CapTheory/ProtInf</A
|
|
>.
|
|
Summarized in [Pfleeger 1997, 286].</P
|
|
><P
|
|
>[Schneider 2000]
|
|
Schneider, Fred B.
|
|
2000.
|
|
"Open Source in Security: Visting the Bizarre."
|
|
Proceedings of the 2000 IEEE Symposium on Security and Privacy
|
|
(the ``Oakland Conference''), May 14-17, 2000, Berkeley, CA.
|
|
Los Alamitos, CA: IEEE Computer Society.
|
|
pp.126-127.</P
|
|
><P
|
|
>[Schneier 1996]
|
|
Schneier, Bruce.
|
|
1996.
|
|
<EM
|
|
>Applied Cryptography, Second Edition:
|
|
Protocols, Algorithms, and Source Code in C</EM
|
|
>.
|
|
New York: John Wiley and Sons.
|
|
ISBN 0-471-12845-7.</P
|
|
><P
|
|
>[Schneier 1998]
|
|
Schneier, Bruce and Mudge.
|
|
November 1998.
|
|
<EM
|
|
>Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol (PPTP)</EM
|
|
>
|
|
Proceedings of the 5th ACM Conference on Communications and Computer Security,
|
|
ACM Press.
|
|
<A
|
|
HREF="http://www.counterpane.com/pptp.html"
|
|
TARGET="_top"
|
|
>http://www.counterpane.com/pptp.html</A
|
|
>.</P
|
|
><P
>[Schneier 1999]
Schneier, Bruce.
September 15, 1999.
``Open Source and Security''.
<EM
>Crypto-Gram</EM
>.
Counterpane Internet Security, Inc.
<A
HREF="http://www.counterpane.com/crypto-gram-9909.html"
TARGET="_top"
>http://www.counterpane.com/crypto-gram-9909.html</A
>.</P
><P
>[Seifried 1999]
Seifried, Kurt.
October 9, 1999.
<EM
>Linux Administrator's Security Guide</EM
>.
<A
HREF="http://www.securityportal.com/lasg"
TARGET="_top"
>http://www.securityportal.com/lasg</A
>.</P
><P
>[Seifried 2001]
Seifried, Kurt.
September 2, 2001.
<EM
>WWW Authentication</EM
>.
<A
HREF="http://www.seifried.org/security/www-auth/index.html"
TARGET="_top"
>http://www.seifried.org/security/www-auth/index.html</A
>.</P
><P
>[Shankland 2000]
Shankland, Stephen.
``Linux poses increasing threat to Windows 2000''.
CNET.
<A
HREF="http://news.cnet.com/news/0-1003-200-1549312.html"
TARGET="_top"
>http://news.cnet.com/news/0-1003-200-1549312.html</A
>.</P
><P
>[Shostack 1999]
Shostack, Adam.
June 1, 1999.
<EM
>Security Code Review Guidelines</EM
>.
<A
HREF="http://www.homeport.org/~adam/review.html"
TARGET="_top"
>http://www.homeport.org/~adam/review.html</A
>.</P
><P
>[Sibert 1996]
Sibert, W. Olin.
``Malicious Data and Computer Security''.
(NIST) NISSC '96.
<A
HREF="http://www.fish.com/security/maldata.html"
TARGET="_top"
>http://www.fish.com/security/maldata.html</A
>.</P
><P
>[Sitaker 1999]
Sitaker, Kragen.
Feb 26, 1999.
<EM
>How to Find Security Holes</EM
>.
<A
HREF="http://www.pobox.com/~kragen/security-holes.html"
TARGET="_top"
>http://www.pobox.com/~kragen/security-holes.html</A
> and
<A
HREF="http://www.dnaco.net/~kragen/security-holes.html"
TARGET="_top"
>http://www.dnaco.net/~kragen/security-holes.html</A
>.</P
><P
>[SSE-CMM 1999]
SSE-CMM Project.
April 1999.
<EM
>Systems Security Engineering Capability Maturity Model (SSE CMM)
Model Description Document</EM
>.
Version 2.0.
<A
HREF="http://www.sse-cmm.org"
TARGET="_top"
>http://www.sse-cmm.org</A
>.</P
><P
>[Stallings 1996]
Stallings, William.
<EM
>Practical Cryptography for Data Internetworks</EM
>.
Los Alamitos, CA: IEEE Computer Society Press.
ISBN 0-8186-7140-8.</P
><P
>[Stein 1999]
Stein, Lincoln D.
September 13, 1999.
<EM
>The World Wide Web Security FAQ</EM
>.
Version 2.0.1.
<A
HREF="http://www.w3.org/Security/Faq/www-security-faq.html"
TARGET="_top"
>http://www.w3.org/Security/Faq/www-security-faq.html</A
>.</P
><P
>[Swan 2001]
Swan, Daniel.
January 6, 2001.
<EM
>comp.os.linux.security FAQ</EM
>.
Version 1.0.
<A
HREF="http://www.linuxsecurity.com/docs/colsfaq.html"
TARGET="_top"
>http://www.linuxsecurity.com/docs/colsfaq.html</A
>.</P
><P
>[Swanson 1996]
Swanson, Marianne, and Barbara Guttman.
September 1996.
``Generally Accepted Principles and Practices for Securing
Information Technology Systems''.
NIST Computer Security Special Publication (SP) 800-14.
<A
HREF="http://csrc.nist.gov/publications/nistpubs/index.html"
TARGET="_top"
>http://csrc.nist.gov/publications/nistpubs/index.html</A
>.</P
><P
>[Thompson 1974]
Thompson, K. and D.M. Ritchie.
July 1974.
``The UNIX Time-Sharing System''.
<EM
>Communications of the ACM</EM
>.
Vol. 17, No. 7.
pp. 365-375.</P
><P
>[Torvalds 1999]
Torvalds, Linus.
February 1999.
``The Story of the Linux Kernel''.
<EM
>Open Sources: Voices from the Open Source Revolution</EM
>.
Edited by Chris DiBona, Mark Stone, and Sam Ockman.
O'Reilly and Associates.
ISBN 1565925823.
<A
HREF="http://www.oreilly.com/catalog/opensources/book/linus.html"
TARGET="_top"
>http://www.oreilly.com/catalog/opensources/book/linus.html</A
>.</P
><P
>[TruSecure 2001]
TruSecure.
August 2001.
``Open Source Security: A Look at the Security Benefits of Source Code Access''.
<A
HREF="http://www.trusecure.com/html/tspub/whitepapers/open_source_security5.pdf"
TARGET="_top"
>http://www.trusecure.com/html/tspub/whitepapers/open_source_security5.pdf</A
>.</P
><P
>[Unknown]
<EM
>SETUID(7)</EM
>.
<A
HREF="http://www.homeport.org/~adam/setuid.7.html"
TARGET="_top"
>http://www.homeport.org/~adam/setuid.7.html</A
>.</P
><P
>[Van Biesbrouck 1996]
Van Biesbrouck, Michael.
April 19, 1996.
<A
HREF="http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec"
TARGET="_top"
>http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec</A
>.</P
><P
>[van Oorschot 1994]
van Oorschot, P. and M. Wiener.
November 1994.
``Parallel Collision Search with Applications to Hash Functions
and Discrete Logarithms''.
Proceedings of ACM Conference on Computer and Communications Security.</P
><P
>[Venema 1996]
Venema, Wietse.
1996.
``Murphy's law and computer security''.
<A
HREF="http://www.fish.com/security/murphy.html"
TARGET="_top"
>http://www.fish.com/security/murphy.html</A
>.</P
><P
>[Viega 2002]
Viega, John, and Gary McGraw.
2002.
<EM
>Building Secure Software</EM
>.
Addison-Wesley.
ISBN 0-201-72152-X.</P
><P
>[Watters 1996]
Watters, Aaron, Guido van Rossum, and James C. Ahlstrom.
1996.
<EM
>Internet Programming with Python</EM
>.
NY, NY: Henry Holt and Company, Inc.</P
><P
>[Wheeler 1996]
Wheeler, David A., Bill Brykczynski, and Reginald N. Meeson, Jr.
1996.
<EM
>Software Inspection: An Industry Best Practice</EM
>.
Los Alamitos, CA: IEEE Computer Society Press.
IEEE Computer Society Press Order Number BP07340.
Library of Congress Number 95-41054.
ISBN 0-8186-7340-0.</P
><P
>[Witten 2001]
Witten, Brian, Carl Landwehr, and Michael Caloyannides.
September/October 2001.
``Does Open Source Improve System Security?''
<EM
>IEEE Software</EM
>.
pp. 57-61.
<A
HREF="http://www.computer.org/software"
TARGET="_top"
>http://www.computer.org/software</A
>.</P
><P
>[Wood 1985]
Wood, Patrick H. and Stephen G. Kochan.
1985.
<EM
>Unix System Security</EM
>.
Indianapolis, Indiana: Hayden Books.
ISBN 0-8104-6267-2.</P
><P
>[Wreski 1998]
Wreski, Dave.
August 22, 1998.
<EM
>Linux Security Administrator's Guide</EM
>.
Version 0.98.
<A
HREF="http://www.nic.com/~dave/SecurityAdminGuide/index.html"
TARGET="_top"
>http://www.nic.com/~dave/SecurityAdminGuide/index.html</A
>.</P
><P
>[Yoder 1998]
Yoder, Joseph and Jeffrey Barcalow.
1998.
``Architectural Patterns for Enabling Application Security''.
PLoP '97.
<A
HREF="http://st-www.cs.uiuc.edu/~hanmer/PLoP-97/Proceedings/yoder.pdf"
TARGET="_top"
>http://st-www.cs.uiuc.edu/~hanmer/PLoP-97/Proceedings/yoder.pdf</A
>.</P
><P
>[Zalewski 2001]
Zalewski, Michael.
May 16-17, 2001.
``Delivering Signals for Fun and Profit:
Understanding, exploiting and preventing signal-handling related
vulnerabilities''.
Bindview Corporation.
<A
HREF="http://razor.bindview.com/publish/papers/signals.txt"
TARGET="_top"
>http://razor.bindview.com/publish/papers/signals.txt</A
>.</P
><P
>[Zoebelein 1999]
Zoebelein, Hans U.
April 1999.
<EM
>The Internet Operating System Counter</EM
>.
<A
HREF="http://www.leb.net/hzo/ioscount"
TARGET="_top"
>http://www.leb.net/hzo/ioscount</A
>.</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="conclusion.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="document-history.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Conclusion</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
> </TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>History</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>