Last time I reviewed one of two books on security that I had recently read. This time I'll review the other book - Secure Coding: Principles & Practices by Mark G. Graff and Kenneth R. van Wyk (and published by O'Reilly, which puts out excellent books in general).

This is a great book which I would recommend developers, testers and managers read. Even operations folks could get something out of this book. It's a different book from the Security Development Lifecycle in many ways. It's shorter and doesn't provide the step-by-step methods that SDL does. It is very easy reading, with just a few coding samples. It provides some great real-life examples of security flaws and some creative solutions.

Graff and van Wyk give you a lot of things to think about and some problems to avoid and ways to do things right.

One of their better suggestions is to come up with a metaphor of your application (or a particular feature) when you are designing the architecture. Rather than thinking about people making seat reservations (for an on-line ticketing system, for example), come up with a different model and think about how someone might attack that. Because, they point out, someone attacking you isn't necessarily following your model, and architectural security flaws are the most difficult to solve.

This is another book I'd suggest you read and have on your shelf.