Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "The Art of Software Security Assessment", Mark Dowd/John McDonald/Justin Schuh

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKTAOSSA.RVW 20061214 The Art of Software Security Assessment , Mark Dowd/John McDonald/Justin Schuh, 2007, 0-321-44442-6, U$54.99/C$68.99 %A Mark Dowd
    Message 1 of 1 , Feb 7, 2007
    • 0 Attachment
      BKTAOSSA.RVW 20061214

      "The Art of Software Security Assessment", Mark Dowd/John
      McDonald/Justin Schuh, 2007, 0-321-44442-6, U$54.99/C$68.99
      %A Mark Dowd http://taossa.com/
      %A John McDonald
      %A Justin Schuh
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2007
      %G 0-321-44442-6
      %I Addison-Wesley Publishing Co.
      %O U$54.99/C$68.99 416-447-5101 fax: 416-443-0948 800-822-6339
      %O http://www.amazon.com/exec/obidos/ASIN/0321444426/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/0321444426/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/0321444426/robsladesin03-20
      %O Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
      %P 1174 p.
      %T "The Art of Software Security Assessment"

      One of the important parts of a book proposal is a review of the
      literature that might be related to your topic, and how your book
      differs from the competition. The preface states that, unlike other
      software security texts, this one doesn't deal with security design
      and defensive programming, but concentrates on how to find
      vulnerabilities. The authors obviously haven't done their homework:
      there are a number of books that talk about finding weaknesses and
      loopholes in software. There are even books that specialize in
      finding vulnerabilities in specific types of software, such as the
      rather spotty "Database Hacker's Handbook" (cf. BKDBHKHB.RVW) and the
      much superior "How to Break Web Software" by Andrews and Whittaker
      (cf. BKHTBWSW.RVW). And most of them seem to be, like this work,
      directed at consultants, security professionals, developers, and
      quality assurance people.

      "The Art of Software Security Assessment" is somewhat distinctive in
      being particularly directed to programmers. Thus, readers from the
      consulting, security, and quality assurance fields who do not have a
      very strong programming background will probably find themselves at a
      loss to navigate the maze of coding examples.

      Part one is an introduction to software security assessment. Chapter
      one, on software vulnerability fundamentals, starts with a very
      verbose definition of "vulnerability" that seems to boil down to the
      idea that a vulnerability is something that someone can use against
      you. The authors also propose that problems be examined in terms of
      design vulnerabilities (this is what some other software development
      literature describes as flaws), implementation vulnerabilities (bugs),
      and operational vulnerabilities. (The latter seems to be related to
      improper requirements specification, or simply use of a program in the
      wrong situation.) One section runs through the software development
      life cycle (SDLC) noting the types of problems to be addressed in each
      phase, but the material is much less useful than that in Gary McGraw's
      "Software Security: Building Security In" (cf. BKSWSBSI.RVW). A brief
      overview of design review is found in chapter two, along with a larger
      section of miscellaneous security technologies. There is also a more-
      than-usually helpful explanation of threat modeling using data flow
      diagrams and attack trees. Some of the material is idiosyncratic: the
      description of "bait-and-switch" attacks seems to be confused with the
      birthday attack against hash digests. An unstructured collection of
      content about vulnerabilities, more security technologies, and network
      models makes up chapter three. Chapter four titularly talks about the
      application review process. This medley of ideas about ways to check
      code will give you some suggestions if you are starting the operation,
      but there is little in the way of analysis of the recommendations.

      Part two turns to software vulnerabilities. Chapter five provides
      very detailed information about the various types of buffer overflows,
      although the explanations are not always clear unless you already
      understand the concepts. Important facts about the means of data
      representation in the C programming language are listed in chapter
      six, and the abstractions are applicable to other languages. Chapter
      seven suggests reviewing code in terms of function, such as separately
      auditing variable use, procedure calls and returns, and memory
      allocation. Problems with common string-handling (and therefore text-
      related) statements in C are discussed in chapter eight, along with
      the significance of differential handling of not-quite-universal data
      representations by various languages (this commonly results in
      malformed data attacks). Not quite in a separate part to themselves,
      chapters nine through twelve provide internal details of the UNIX and
      Windows privilege and permission functions, as well as process
      handling. Chapter thirteen deals with process state information,
      primarily concerning various race conditions. Unfortunately, the
      outlines given are not as helpful as they could be, due to a reliance
      on code examples at the expense of explanations. The authors would do
      well to emulate the style adopted by Diomidis Spinellis in "Code
      Quality: The Open Source Perspective" (cf. BKCQTOSP.RVW) who also
      stresses the auditing of source code, but provides extensive textual
      background as well.

      Part three looks at software vulnerabilities in practice, although
      limited to network operations. Chapter fourteen provides details of
      many of the basic Internet protocols, noting checks that should be
      made for dangerous conditions. The discussion of firewalls, in
      chapter fifteen, has oddly little material on application-level
      proxies (and only tangential mention of circuit-level proxies),
      concentrating on the examination of packet headers. Miscellaneous
      attacks, with no readily evident theme, are listed in chapter sixteen.
      Chapter seventeen details HTTP (HyperText Transfer Protocol) and other
      Web technologies, catalogues some attacks, and gives a brief set of
      vulnerability checking guidelines. Various vulnerabilities in Web
      scripting and programming languages are noted in chapter eighteen.

      There is a great deal of valuable information within this volume.
      However, there isn't sufficient explanatory content for the work to
      stand as a primer for beginners, and the lack of structure reduces the
      utility as a professional reference. The reliance on code examples is
      reasonable for a work aimed at programmers, but it does limit the
      audience to that group. In addition, the practical parts of the book,
      in particular, greatly emphasize Web applications. As it stands,
      thisinfosecbc@yahoogroups.com

      work has much of value to Web developers and Web software testers, but
      it could have had much broader application with minor improvements.

      copyright Robert M. Slade, 2006 BKTAOSSA.RVW 20061214


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      A teacher is one who makes himself progressively unnecessary.
      - Thomas Carruthers
      Dictionary of Information Security www.syngress.com/catalog/?pid=4150
      http://victoria.tc.ca/techrev/rms.htm
    Your message has been successfully submitted and would be delivered to recipients shortly.