The Art of Software Security Testing
The Art of Software Security Testing delivers in-depth, up-to-date, battle-tested techniques for anticipating and identifying software security problems before the “bad guys” do.
Drawing on decades of experience in application and penetration testing, this book’s authors can help you transform your approach from mere “verification” to proactive “attack.” The authors begin by systematically reviewing the design and coding vulnerabilities that can arise in software, and offering realistic guidance in avoiding them. Next, they show you ways to customize software debugging tools to test the unique aspects of any program and then analyze the results to identify exploitable vulnerabilities.
Review By: Stephen T. Long
02/18/2008

"The Art of Software Security Testing" presents a concise introduction to the area of testing. The key to this book's approach to security testing is "fault injection." The authors cover white, gray, and black box testing but seem to be more concerned overall about bullet-proofing an application under development. For example, they describe detailed techniques an internal tester can use to find holes in the application that might take a hacker longer to find. A large portion of the book describes many ways to identify entry points in the Web interface where faults can be injected to cause buffer overflows and other bad things.
The authors have set up a Web site for the book, but additional information to date is still sparse. The "Testing Resources" page, which I visited hoping to find links to references and tools mentioned in the book's text and endnotes, is disappointingly "Coming Soon."
The book contains excessive forward referencing with statements like "Chapter x discusses this in more detail/great depth" when, in fact, the detail never really shows up. Also, some summary charts have exactly the same verbiage as the text. The book needed better editing to fix problems like duplicate text and incorrect illustrations.
Other hiccups include a puzzling physical presentation, i.e., the sections and sub-sections are differentiated only by type size, with no indentation. It was also occasionally difficult to figure out when a reference to the next section was actually a reference to the next sub-section. Therefore, section/sub-section numbering would have been a great benefit for readers.
Those distractions aside, I did learn from this book. There are some valuable nuggets in the description of the Secure Software Development Lifecycle (SSDL), but I've never worked for a company that followed that process from beginning to end. For testers, though, the SSDL contains worthwhile information about developing thorough security test plans. Part II of the book, "Performing the Attacks," has the most useful information: network and local fault injection, session attacks, bypassing authorization, and web proxies. Two of these chapters give an overview of useful tools for security testing: WebScarab and Ethereal. I've used Ethereal in previous jobs to troubleshoot communications protocols, but not for security testing. So, this introduction was enlightening.