Yezee Book Club
 

Exploiting Software: How to Break Code (Addison-Wesley Software Security Series)


Author - Gary McGraw
Author - Greg Hoglund

This Paperback Book item from Addison-Wesley Professional was reviewed on 3-Aug-2008.

ISBN: 0201786958. Exploiting Software: How to Break Code (Addison-Wesley Software Security Series) Reference Book. Classifications: Encryption, Security & Encryption, Web Development, Privacy, Hacking, Business & Culture, Computers & Internet.



1) Paperback Book Exploiting Software: How to Break Code (Addison-Wesley Software Security Series) by Addison-Wesley Professional. Nutshell review - You must read this book if you have anything to do with building software, from developer to development manager. Hoglund and McGraw are required reading.

2) This book is a great review of software security and deserves to be on any security professional's bookshelf. The chapter on Rootkits (Chapter 8) is well worth the price of the book. While the book isn't too long (at just over 400 pages) it does deliver in a concise, easy to read format that makes the book a rewarding read.

3) I read Exploiting Software (ES) last year but realized I hadn't reviewed it yet. Having read other books by these authors, like McGraw's Software Security and Hoglund's Rootkits, I realized ES was not as good as those newer books. At the time ES was published (2004) it continued to define the software exploitation genre begun in Building Secure Software. However, I don't think it's necessary to pay close attention to ES when newer books by McGraw and Hoglund are now available.

On the positive side, I appreciate three aspects of ES. First, I like the attention paid to attack patterns. This concept makes sense and should be used by other authors who want to describe a means to exploit a target. Second, I am impressed that ES features a whole chapter (5) on attacking client software. When ES was published, client-side attacks were just becoming popular. Discussing this problem shows great insights on the part of the authors. Third, several of the examples in ES are great case studies on exploiting software. When explained in sufficient detail they make for educational reading.

On the down side, I agree with several other reviewers that the book seems somewhat erratic. Attack patterns that are two sentences long are probably candidates for inclusion in a chart, not listed in the main text. I don't think the predictions found in ch 1 were necessary, and I think some of the criticism of detection methods in ch 6 borders on the ignorant. I agree that perfect detection is impossible, but there are plenty of methods that work in the real world. They may not be real-time, but no intruder is perfectly stealthy in all aspects of an attack.

Regarding chapters 7 and 8, on buffer overflows and rootkits -- at 170 pages, those could almost have been their own book. The material doesn't seem to match the rest of the book, and it's obviously Hoglund's work. Add in a like-minded chapter on reverse engineering (3) at 74 pages and you definitely have a stand-alone book!

It's probably sufficient to read Building Secure Software, Software Security, and Rootkits if you like the McGraw/Hoglund approach to attacking and defending software. Take a quick look at the attack pattern material to get a feel for that concept.

4) One of the authors here.

Thinking carefully about how things break is a good idea. You should read this book and you should also read the "Shellcoder's Handbook" by Litchfield et al. Pretend security nonsense crumbles under the weight of real attacks.

However, if you're interested in fixing the problem, get "Software Security: Building Security In". It's time to DO software security!

On the other hand, if you're looking for the ultimate weapon in the attacker's toolkit, go get "Rootkits."

In the end, the only smart move is a combo package of "think like an attacker" and "build like a pro." For your best all around bargain, get "The Software Security Library."

5) The one major strength of this book, from a computer science viewpoint, is its emphasis on "attack patterns". This systemization of these issues really differentiates this book from many of its competitors (which tend to be either the latest 500 hacks or descriptions of standards). Put simply, CS is the study of algorithms, and this book fits nicely into that tradition.

6) Computing hardware would have no value without software; software tells hardware what to do. Software therefore must have special authority within computing systems. All computer security problems stem from that fact, and Exploiting Software: How to Break Code shows you how to design your software so it's as resistant as possible to attack. Sure, everything's phrased in offensive terms (as instructions for the attacker, that is), but this book has at least as much value in showing designers what sorts of attacks their software will face (the book could serve as a checklist for part of a pre-release testing regimen). Plus, the clever reverse-engineering strategies that Greg Hoglund and Gary McGraw teach will be useful in many legitimate software projects. Consider this a recipe book for mayhem, or a compendium of lessons learned by others. It depends on your situation.

PHP programmers will take issue with the authors' blanket assessment of their language ("PHP is a study in bad security"), much of which seems based on older versions of the language that had some risky default behaviors--but those programmers will also double-check their servers' register_globals settings. Users of insufficiently patched Microsoft and Oracle products will worry about the detailed attack instructions this book contains. Responsible programmers and administrators will appreciate what amounts to documentation of attackers' rootkits for various operating systems, and will raise their eyebrows at the techniques for writing malicious code to unused EEPROM chips in target systems. --David Wall

Topics covered: How to make software fail, either by doing something it wasn't designed to do, or by denying its use to its rightful users. Techniques--including reverse engineering, buffer overflow, and particularly provision of unexpected input--are covered along with the tools needed to carry them out. A section on hardware viruses is detailed and frightening.

Page Updated: Robert N. Goolsby, 31-Aug-2008


Exploiting Software: How to Break Code (Addison-Wesley Software Security Series), Book, Image © Addison-Wesley Professional
