REVIEW: "The Software Vulnerability Guide", Herbert H. Thompson/Scott G. Chase
- BKSWVLGD.RVW 20051109
"The Software Vulnerability Guide", Herbert H. Thompson/Scott G.
Chase, 2005, 1-58450-358-0, U$49.95/C$64.95
%A Herbert H. Thompson
%A Scott G. Chase
%C 403 VFW Drive, PO Box 417, Rockland, MA 02370
%I Charles River Media
%O U$49.95/C$64.95 800-382-8505 fax 6178714376 info@...
%O Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 354 p. + CD-ROM
%T "The Software Vulnerability Guide"
As part one is an introduction to security and vulnerabilities,
chapter one is what would normally be the introduction or preface to
the book. The content is surprisingly vague about the intention of,
and audience for, the text. A few security and network topics make up
chapter two. Miscellaneous security utilities are listed in chapter

Part two looks at system level attacks. Chapter four examines some
issues with access control and privilege. Password strength is the
topic of chapter five, but a lot of space is devoted to code for a
cracking program. Scripts, and some of the ways they can be used
maliciously, are mentioned in chapter six. Chapter seven examines
some of the ways that the use of dynamic link libraries can affect

Part three reviews data parsing. Chapter eight contains a clear
explanation of buffer overflows, although it takes a great deal of
space to convey relatively limited information. An unclear exposition
on proprietary data formats and the corruption of files is in chapter
nine. The material on format strings, in chapter ten, describes one
particular case involving the lack of strong data typing, malformed
input data, and buffer overflows. Chapter eleven remarks that integer
overflows can be prevented by testing values at the extremes of

Part four surveys information disclosure issues. Chapter twelve says
that passwords should not be stored in plain text and notes some
(rather complicated) ways to test for programs that do make this
mistake. Dangers in the sloppy use of temporary files are addressed
in chapter thirteen. The reuse of memory is covered in chapter
fourteen, along with issues of garbage collection. Chapter fifteen is
supposed to deal with finding memory traces left in the swap file, but
really only searches for text from a deleted file on a floppy disk.

Part five looks at network activity. Chapter sixteen discusses
various versions of spoofing. Reducing the amount of information
given in response to probes and errors is suggested in chapter

Part six turns specifically to Web sites. Chapter eighteen outlines
cross-site scripting, although it does not do well at explaining how
the attack would work in the real world. Careless programming of the
Common Gateway Interface (CGI) is deplored in chapter nineteen, and a
few other malicious possibilities are explored in twenty. SQL
injection is outlined in chapter twenty-one. A grab bag of other Web
issues is in chapter twenty-two.

Part seven finishes off with chapter twenty-three encouraging the
reader to learn from the mistakes of others.

The chapters are very short, and so the material is quite terse. It
is also poorly structured, and generally far from complete. In some
cases the content deals at great length with one specific problem in
one specific language, while other more sweeping issues are barely
mentioned. The security literature is certainly deficient in titles
dealing with the practice of secure programming and development, but
this work, even though it does contain any number of valuable tips,
does not deal with the need for application development security in a
complete and straightforward fashion.
copyright Robert M. Slade, 2005 BKSWVLGD.RVW 20051109