Buy The Art of Software Security Testing: Identifying Software Security Flaws (Symantec Press) with
US $ | UK £ | CA $
DE € | FR € | JP ¥ |
This Paperback Book item from Addison-Wesley Professional was reviewed on 12-Dec-2008.
Search ISBN:0321304861 offer from Abebooks or used books from Alibris. The Art of Software Security Testing: Identifying Software Security Flaws (Symantec Press) Reference Book. Classifications : Software Design & Engineering Computer Science New & Used Textbooks Custom Stores Specialty Stores Books General AAS Computer Science New & Used Textbooks Custom Stores Specialty Stores Books General . Click the following link to view the cover of The Art of Software Security Testing: Identifying Software Security Flaws (Symantec Press). Related topics: Computer Science. Custom Stores. Specialty Stores. Books. General AAS. Computer Science. Custom Stores. Specialty Stores. Books. General AAS. requestid: 1268fca8-2eaa-47bb-9f3d-fbc50344a260
requestprocessingtime: 0.1362130000000000
salesrank: 138440
edition: 1
numberofitems: 1
packagedimensions: 90910120680
1) Paperback Book The Art of Software Security Testing: Identifying Software Security Flaws (Symantec Press) by Addison-Wesley Professional. This is a good "short" version of "The Art of Software Security Assessment" by Dowd. For a security book its short, at 250 pages. The book contains useful information but not enough to be an expert at anything. This is definitely one of those mile wide, inch deep books and not a one stop shop as it says in the preface. It covers topics in enough detail to have heard of the issue and some of the chapters give you some links to further information but you wont come away with enough knowledge to actually do many of the attacks talked about.
It does hit the major attack vectors; Ch6 Generic Network Fault Injection, Ch7 Web Applications: Session Attacks, Ch8 Web Applications: Common Issues, Ch9 Web Proxies: Using WebScarab, Ch10 Implementing a Custom Fuzz Utility, and Ch11 Local Fault Injection. So thats a plus. The first part of the book on Secure Software Development Lifecycle was good, but again, not really enough information to be the only book you need on the subject. The third part of the book on analysis, Ch12 Determining Exploitability, was really not useful to me its way too short and tries to cram exploit development into 25 pages which just isn´t possible. It shows you some diagrams of the stack and heap then some winDbg screen shots of nameless programs crashing and overwriting EIP (stack) and EAX (heap) and a null dereference. Fairly anti-climatic and doesn´t dispel the "magic" of writing exploits.
Things I liked; the WebScarab chapter (Ch9) was good, that can be a tough tool to get up and running with all of its options. The Web Application chapters (Ch 7 & Ch8) are pretty good overviews. Part 1 of the book on the SSDL, overview of how vulnerabilities get into code, and risk-based security testing was useful to me and serves as a good into to the Dowd book.
Things I didn´t like; Chapter 12 on Determining Exploitability was too short and not enough information, no code for the custom web application they use for examples for SQL Injection. I´m very much a "have to do it" guy and not having the code was a disappointment and lastly the book´s website seems to have never been updated after first standing it up.
I´d recommend the book to people who need to get an idea of security flaws, how they get into code and some visual examples of those flaws. But only if they needed either a high level overview or they need an initiation to the topic. For people who need a deep knowledge I´d refer them to the Dowd book.¤ 2) Paperback Book The Art of Software Security Testing: Identifying Software Security Flaws (Symantec Press) by Addison-Wesley Professional. This review refers to the 2007 edition of "The Art of Software Security Testing" by Wysopal, Nelson, Zovi, & Dustin.
I highly recommend this as a primer for anyone interested in software security testing.
First, it is up-to-date. In a very useful discussion the book points out that the nature of attacks and attackers have changed considerably in recent years. Methods for protecting oneself must change accordingly.
The book is brief, comprehensive, and generally well written. One finds a goodly amount of practical information to get started. More importantly, one gets a broad understand of the primary areas of interest acting as a guide for further study.
Everything is touched upon in sufficient detail for a book of this type. Part I covers the genesis of security defects, the Secure Software Development Lifecycle (SSDL), and Threat Modeling. Part II covers common types of attacks and how to test for them, including Network Fault Injection, Web Application Session Attacks, and SQL Injection. Part III covers stack and heap overflows and how to assess their exploitability.
Many of the topics covered deserve volumes of their own such as Threat Modeling (Microsoft Professional), Exploiting Software: How to Break Code (Addison-Wesley Software Security Series), and The Security Development Lifecycle. But this book will give you lay of the land and enough knowledge to get started on security testing right away.
The book misses 5 stars because it becomes difficult to follow in places. The book attempts to cover both Windows and UNIX/Linux systems, and occasionally confuses the two, at least in the mind of the reader. One example is the section on "Port Discovery" where the authors discuss similar and completely different UNIX and Windows tools in a confusing interleaved fashion. It would have been wiser to separate the discussion of Windows and UNIX systems into discrete sections.
That said, I highly recommend the book as a primer on security testing for it´s coverage, brevity, and up-to-date information.
¤ 3) Paperback Book The Art of Software Security Testing: Identifying Software Security Flaws (Symantec Press) by Addison-Wesley Professional. I had a need to learn about software security and performed Internet research to see what resources were available. A review somewhere on the Internet about this book stated it was an excellent reference to learn the basics. I placed my order at Amazon as their pricing was outstanding.
If you need to learn the basics ASAP than this book is as good as it gets. It´s great for managers and techies alike.
Highly recommended.¤ 4) Paperback Book The Art of Software Security Testing: Identifying Software Security Flaws (Symantec Press) by Addison-Wesley Professional. This is a highly illustrated book on using tools, hacks, and simple techniques to do the most rudimentary of analysis and testing, such as inspecting process listings, netstat output, using sysinternals utilities, and click-and-go fuzzers/testers. This is basically a phonebook of utilities and tools that other people write, and where to find the ´Go´ button on each one, complete with full-page screenshots that serve to distract from poor authoring.
The author´s commentary of inner-workings of other people´s tools or program output lacks any insight. Their analysis of program output either demonstrates the lack of understanding the authors have about the machine level significance of the topic, or the insulting way in which they spare you such (highly critical) details.
This book is for pointy-haired security ´professionals´ or project managers who ´Never got around to learning C (in 21 days)´. If you are so much as a novice college comp sci student with at least one language under your belt, this book is most likely below you.
I give it 3 stars, however, because this book does have a large audience, and serves it well. There is a lot of money still yet to be made in the computer security field for selling snake-oil solutions and powerpoint-sprinkled application audits.
There is probably a very difficult route to be introduced into software and systems manipulation and analysis, involving a thorough education on the C language, machine architecture, and program dissasembly. There is also probably a very easy route to achieve the same end-goal of working in the computer security field. This is where this book has its position as an intermediate step of the world of "for dummies" and "21 days" books.
I purchased this book because I was so highly impressed with the quality of AW published books on this field, such as The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Also, the Amazon ratings up until now are very high. I made a quick buying decision, and my pocket book aches for it. This book should have been published by a second-rate publisher like Syngress, not AW!¤ 5) Paperback Book The Art of Software Security Testing: Identifying Software Security Flaws (Symantec Press) by Addison-Wesley Professional. "The Art of Software Security Testing" is the first security testing book I read that includes a reputable software tester (Elfriede Dustin) among its authors. This should lend the book instant credibility with its main target audience: testers and QA engineers. The security proficient readers will be happy to know that the main author is Chris Wysopal, one of the members of the famous L0pht Heavy Industries security research group who testified before the US Senate that it is possible and indeed within their power to "take down the Internet in 30 minutes".
Most security testing books adopt a black-box approach, detailing security assessment and penetration testing techniques that view the "victim" -- be it a device, an operating system or an application -- as an unknown quantity (or should I say quality, since we´re talking about testing) that is probed and attacked from the outside in. A few books adopt a white-box approach, teaching code inspection and secure coding techniques, viewing the software from the inside out. "The Art of Software Security Testing" is a fortunate blend of the two approaches, teaching its readers how to conduct what is called "gray-box testing", which is of course what you get when you combine black and white.
When it comes to assessing the security of an application, testers have one important advantage over outside attackers: they can collaborate with the designers and developers of the application and get an insider view of what the book repeatedly refers to as "the attack surface", basically the list of all the inputs and resources used by the program under test. Armed with this knowledge, testers can then apply a wealth of techniques that attempt to break the security of the application, and that can be summarized in two words: fault injection. Indeed, the bulk of the book is devoted to the presentation of techniques and tools that assist testers as they try to make the application fail by feeding it various types of inputs (hence the term fault injection). These inputs range from carefully crafted strings used in SQL Injection attacks, to random byte changes in given input files, to random strings fed as command line arguments. Two important classes of fault injection tools discussed throughout the book are proxies (such as WebScarab) which allow the attacker to intercept and modify traffic to and from the application under test, and fuzzers (such as CLI Fuzz) which allow the attacker to inject random inputs into the application. As an aside, I liked the fact that the authors discuss mostly freely available Open Source tools.
If you are a tester trying to assess the security of an application, a developer trying to improve the security of your code, or even if you are a seasoned security practitioner trying to learn new ways to attack software, this book is for you. I, as a tester, found valuable advice right in Chapter 1: act as a detective by applying the fault injection model, think as an attacker, prioritize your work via threat modeling, and rely heavily on automated tools. All this and more in a fairly slim book, whose size and weight make it inappropriate for a door stop -- a use I have been tempted to give to many oversized security books.¤ 6) Paperback Book The Art of Software Security Testing: Identifying Software Security Flaws (Symantec Press) by Addison-Wesley Professional. Risk-based security testing, the important subject of this book, is one of seven software security touchpoints introduced in my book, Software Security: Building Security In. This book takes the basic idea several steps forward. Written by masters of software exploit, this book describes in very basic terms how security testing differs from standard software testing as practiced by QA groups everywhere. It unifies in one place ideas from Michael Howard, David Litchfield, Greg Hoglund, and me into a concise introductory package. Improve your security testing by reading this book today.” –Gary McGraw, Ph.D., CTO, Cigital; Author, Software Security, Exploiting Software, Building Secure Software, and Software Fault Injection; www.cigital.com/~gem “As 2006 closes out, we will see over 5,000 software vulnerabilities announced to the public. Many of these vulnerabilities were, or will be, found in enterprise applications from companies who are staffed with large, professional, QA teams. How then can it be that these flaws consistently continue to escape even well-structured diligent testing? The answer, in part, is that testing still by and large only scratches the surface when validating the presence of security flaws. Books such as this hopefully will start to bring a more thorough level of understanding to the arena of security testing and make us all a little safer over time.” –Alfred Huger, Senior Director, Development, Symantec Corporation “Software security testing may indeed be an art, but this book provides the paint-by-numbers to perform good, solid, and appropriately destructive security testing: proof that an ounce of creative destruction is worth a pound of patching later. If understanding how software can be broken is step one in every programmers’ twelve-step program to defensible, secure, robust software, then knowledgeable security testing comprises at least steps two through six.” –Mary Ann Davidson, Chief Security Officer, Oracle “Over the past few years, several excellent books have come out teaching developers how to write more secure software by describing common security failure patterns. However, none of these books have targeted the tester whose job it is to find the security problems before they make it out of the R&D lab and into customer hands. Into this void comes The Art of Software Security Testing: Identifying Software Security Flaws. The authors, all of whom have extensive experience in security testing, explain how to use free tools to find the problems in software, giving plenty of examples of what a software flaw looks like when it shows up in the test tool. The reader learns why security flaws are different from other types of bugs (we want to know not only that ‘the program does what it’s supposed to,’ but also that ‘the program doesn’t do that which it’s not supposed to’), and how to use the tools to find them. Examples are primarily based on C code, but some description of Java, C#, and scripting languages help for those environments. The authors cover both Windows and UNIX-based test tools, with plenty of screenshots to see what to expect. Anyone who’s doing QA testing on software should read this book, whether as a refresher for finding security problems, or as a starting point for QA people who have focused on testing functionality.” –Jeremy Epstein, WebMethods State-of-the-Art Software Security Testing: Expert, Up to Date, and Comprehensive The Art of Software Security Testing delivers in-depth, up-to-date, battle-tested techniques for anticipating and identifying software security problems before the “bad guys” do. Drawing on decades of experience in application and penetration testing, this book’s authors can help you transform your approach from mere “verification” to proactive “attack.” The authors begin by systematically reviewing the design and coding vulnerabilities that can arise in software, and offering realistic guidance in avoiding them. Next, they show you ways to customize software debugging tools to test the unique aspects of any program and then analyze the results to identify exploitable vulnerabilities. Coverage includes - Tips on how to think the way software attackers think to strengthen your defense strategy
- Cost-effectively integrating security testing into your development lifecycle
- Using threat modeling to prioritize testing based on your top areas of risk
- Building testing labs for performing white-, grey-, and black-box software testing
- Choosing and using the right tools for each testing project
- Executing today’s leading attacks, from fault injection to buffer overflows
- Determining which flaws are most likely to be exploited by real-world attackers
This book is indispensable for every technical professional responsible for software security: testers, QA specialists, security professionals, developers, and more. For IT managers and leaders, it offers a proven blueprint for implementing effective security testing or strengthening existing processes. Foreword xiii Preface xvii Acknowledgments xxix About the Authors xxxi Part I: Introduction Chapter 1: Case Your Own Joint: A Paradigm Shift from Traditional Software Testing 3 Chapter 2: How Vulnerabilities Get Into All Software 19 Chapter 3: The Secure Software Development Lifecycle 55 Chapter 4: Risk-Based Security Testing: Prioritizing Security Testing with Threat Modeling 73 Chapter 5: Shades of Analysis: White, Gray, and Black Box Testing 93 Part II: Performing the Attacks Chapter 6: Generic Network Fault Injection 107 Chapter 7: Web Applications: Session Attacks 125 Chapter 8: Web Applications: Common Issues 141 Chapter 9: Web Proxies: Using WebScarab 169 Chapter 10: Implementing a Custom Fuzz Utility 185 Chapter 11: Local Fault Injection 201 Part III: Analysis Chapter 12: Determining Exploitability 233 Index 251 ¤Page Updated: Robert N. Goolsby, 9-Jan-2009, 03213048619780321304865, 610-890-260-190-780-7X0-8 
The Art of Software Security Testing: Identifying Software Security Flaws (Symantec Press), Book, Image © Addison-Wesley Professional
|
