Hunting Security Bugs
Your in-depth, hands-on, technical security-testing reference. Written for testers by testers, this guide highlights up-to-date tools, technologies, and techniques for helping find and eliminate security vulnerabilities in software.
From the Publisher:
Key Book Benefits:
- Delivers practical, hands-on guidance on security bugs, how to find them, and how to help prevent them
- Provides specific, actionable technical details about security testing
- Covers these subjects, among others:
  - The thought process behind security testing
  - Research and experience on how to find security bugs
  - How to classify the bugs you've found
  - What to do when you've found a bug
  - How to tell if a bug is serious and whether it is a security bug
  - Use of source code to help in security testing
  - Ways to spot security design flaws
Review By: Harry Acosta
05/19/2008
During my sophomore year, around 1981, I thought that programming was pretty straightforward. I even tasted what it felt like to program in Pascal, FORTRAN, PL1, Assembler, C++ and Basic. Somehow, chemistry and physics were more attractive to me during those years than programming, so I've become a chemist who thinks about computers and programming on a daily basis.
The book Hunting Security Bugs reminded me that there was a lot hidden under what otherwise looks like common programming. It is an excellent compilation of security threats, how to plan ahead to include code that prevents these threats from being exploited, along with a guide to testing to ensure the code works as intended.
The list of threats is so huge that it increases the amount of coding and testing that must be performed before any given version is released. (No wonder software and its derived consulting services are so expensive nowadays!) Attacks using spoofing, formatted strings, HTML scripting, XML issues, weak permissions, denial of service, SQL injection, and ActiveX repurposing are just a few of the threats that are clearly explained throughout this 500-plus page book.
At first I glanced at this book and was overwhelmed at how many types of attacks are out there and how simple it is to exploit them. Once I started looking at the details, I was relieved that the book also provided strategies to prevent their exploitation.
This book will be an excellent addition to the library of every programmer who is genuinely interested in building quality software, not only from the functionality point of view but also from the security perspective. Of special interest to me, being a professional with expertise mostly in systems implementation at the user level rather than system development at the programming level, is the amount of advice that is given throughout the book related to testing code against such attacks.
I recommend this book to those readers in need of guidance on how to code with security in mind, testing, and security maintenance. Project managers could also benefit from properly integrating security testing in every project work breakdown structure.