One question I’ve been asked is “why did you write this book”? Here’s my answer: Over the last several years I’ve noticed that many application developers seem to keep falling into the same security pitfalls, again and again. Auditors were slowly catching problems, but it would have been better if the problems weren’t put into the code in the first place. I believe that part of the problem was that there wasn’t a single, obvious place where developers could go and get information on how to avoid known pitfalls. The information was publicly available, but it was often hard to find, out-of-date, incomplete, or had other problems. Most such information didn’t particularly discuss Linux at all, even though it was becoming widely used! That leads up to the answer: I developed this book in the hope that future software developers won’t repeat past mistakes, resulting in more secure systems. You can see a larger discussion of this at http://www.linuxsecurity.com/feature_stories/feature_story-6.html.
A related question that could be asked is “why did you write your own book instead of just referring to other documents”? There are several answers:
Much of this information was scattered about; placing the critical information in one organized document makes it easier to use.
Some of this information is not written for the programmer, but is written for an administrator or user.
Much of the available information emphasizes portable constructs (constructs that work on all Unix-like systems), and failed to discuss Linux at all. It’s often best to avoid Linux-unique abilities for portability’s sake, but sometimes the Linux-unique abilities can really aid security. Even if non-Linux portability is desired, you may want to support the Linux-unique abilities when running on Linux. And, by emphasizing Linux, I can include references to information that is helpful to someone targeting Linux that is not necessarily true for others.