

This is a good "short" version of "The Art of Software Security Assessment" by Dowd. For a security book it's short, at 250 pages. The book contains useful information but not enough to be an expert at anything. This is definitely one of those mile wide, inch deep books and not a one stop shop as it says in the preface. It covers topics in enough detail to have heard of the issue and some of the chapters give you some links to further information, but you won't come away with enough knowledge to actually do many of the attacks talked about.
It does hit the major attack vectors: Ch6 Generic Network Fault Injection, Ch7 Web Applications: Session Attacks, Ch8 Web Applications: Common Issues, Ch9 Web Proxies: Using WebScarab, Ch10 Implementing a Custom Fuzz Utility, and Ch11 Local Fault Injection. So that's a plus. The first part of the book on Secure Software Development Lifecycle was good, but again, not really enough information to be the only book you need on the subject. The third part of the book on analysis, Ch12 Determining Exploitability, was really not useful to me; it's way too short and tries to cram exploit development into 25 pages, which just isn't possible. It shows you some diagrams of the stack and heap, then some WinDbg screenshots of nameless programs crashing and overwriting EIP (stack) and EAX (heap) and a null dereference. Fairly anticlimactic and doesn't dispel the "magic" of writing exploits.
Things I liked: the WebScarab chapter (Ch9) was good; that can be a tough tool to get up and running with all of its options. The Web Application chapters (Ch7 & Ch8) are pretty good overviews. Part 1 of the book on the SSDL, overview of how vulnerabilities get into code, and risk-based security testing was useful to me and serves as a good intro to the Dowd book.
Things I didn't like: Chapter 12 on Determining Exploitability was too short and not enough information, no code for the custom web application they use for examples for SQL Injection. I'm very much a "have to do it" guy and not having the code was a disappointment, and lastly the book's website seems to have never been updated after first standing it up.
I'd recommend the book to people who need to get an idea of security flaws, how they get into code and some visual examples of those flaws. But only if they needed either a high level overview or they need an initiation to the topic. For people who need a deep knowledge I'd refer them to the Dowd book.
The Art of Software Security Testing: Identifying Software Security Flaws

“Risk-based security testing, the important subject of this book, is one of seven software security touchpoints introduced in my book, Software Security: Building Security In. This book takes the basic idea several steps forward. Written by masters of software exploit, this book describes in very basic terms how security testing differs from standard software testing as practiced by QA groups everywhere. It unifies in one place ideas from Michael Howard, David Litchfield, Greg Hoglund, and me into a concise introductory package. Improve your security testing by reading this book today.”
–Gary McGraw, Ph.D., CTO, Cigital; Author, Software Security, Exploiting Software, Building Secure Software, and Software Fault Injection; www.cigital.com/~gem

“As 2006 closes out, we will see over 5,000 software vulnerabilities announced to the public. Many of these vulnerabilities were, or will be, found in enterprise applications from companies who are staffed with large, professional, QA teams. How then can it be that these flaws consistently continue to escape even well-structured diligent testing? The answer, in part, is that testing still by and large only scratches the surface when validating the presence of security flaws. Books such as this hopefully will start to bring a more thorough level of understanding to the arena of security testing and make us all a little safer over time.”
–Alfred Huger, Senior Director, Development, Symantec Corporation

“Software security testing may indeed be an art, but this book provides the paint-by-numbers to perform good, solid, and appropriately destructive security testing: proof that an ounce of creative destruction is worth a pound of patching later. If understanding how software can be broken is step one in every programmer’s twelve-step program to defensible, secure, robust software, then knowledgeable security testing comprises at least steps two through six.”
–Mary Ann Davidson, Chief Security Officer, Oracle

“Over the past few years, several excellent books have come out teaching developers how to write more secure software by describing common security failure patterns. However, none of these books have targeted the tester whose job it is to find the security problems before they make it out of the R&D lab and into customer hands. Into this void comes The Art of Software Security Testing: Identifying Software Security Flaws. The authors, all of whom have extensive experience in security testing, explain how to use free tools to find the problems in software, giving plenty of examples of what a software flaw looks like when it shows up in the test tool. The reader learns why security flaws are different from other types of bugs (we want to know not only that ‘the program does what it’s supposed to,’ but also that ‘the program doesn’t do that which it’s not supposed to’), and how to use the tools to find them. Examples are primarily based on C code, but some description of Java, C#, and scripting languages help for those environments. The authors cover both Windows and UNIX-based test tools, with plenty of screenshots to see what to expect. Anyone who’s doing QA testing on software should read this book, whether as a refresher for finding security problems, or as a starting point for QA people who have focused on testing functionality.”
–Jeremy Epstein, WebMethods

State-of-the-Art Software Security Testing: Expert, Up to Date, and Comprehensive

The Art of Software Security Testing delivers in-depth, up-to-date, battle-tested techniques for anticipating and identifying software security problems before the “bad guys” do.
Drawing on decades of experience in application and penetration testing, this book’s authors can help you transform your approach from mere “verification” to proactive “attack.” The authors begin by systematically reviewing the design and coding vulnerabilities that can arise in software, and offering realistic guidance in avoiding them. Next, they show you ways to customize software debugging tools to test the unique aspects of any program and then analyze the results to identify exploitable vulnerabilities.

Coverage includes
Tips on how to think the way software attackers think to strengthen your defense strategy
Cost-effectively integrating security testing into your development lifecycle
Using threat modeling to prioritize testing based on your top areas of risk
Building testing labs for performing white-, grey-, and black-box software testing
Choosing and using the right tools for each testing project
Executing today’s leading attacks, from fault injection to buffer overflows
Determining which flaws are most likely to be exploited by real-world attackers

This book is indispensable for every technical professional responsible for software security: testers, QA specialists, security professionals, developers, and more. For IT managers and leaders, it offers a proven blueprint for implementing effective security testing or strengthening existing processes.

Foreword
Preface
Acknowledgments
About the Authors
Part I: Introduction
Chapter 1: Case Your Own Joint: A Paradigm Shift from Traditional Software Testing
Chapter 2: How Vulnerabilities Get Into All Software
Chapter 3: The Secure Software Development Lifecycle
Chapter 4: Risk-Based Security Testing: Prioritizing Security Testing with Threat Modeling
Chapter 5: Shades of Analysis: White, Gray, and Black Box Testing
Part II: Performing the Attacks
Chapter 6: Generic Network Fault Injection
Chapter 7: Web Applications: Session Attacks
Chapter 8: Web Applications: Common Issues
Chapter 9: Web Proxies: Using WebScarab
Chapter 10: Implementing a Custom Fuzz Utility
Chapter 11: Local Fault Injection
Part III: Analysis
Chapter 12: Determining Exploitability
Index