"The Art of Software Security Assessment", Mark Dowd/John
McDonald/Justin Schuh, 2007, 0-321-44442-6, U$54.99/C$68.99
%A Mark Dowd http://taossa.com/
%A John McDonald
%A Justin Schuh
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%I Addison-Wesley Publishing Co.
%O U$54.99/C$68.99 416-447-5101 fax: 416-443-0948 800-822-6339
%O Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 1174 p.
%T "The Art of Software Security Assessment"
One of the important parts of a book proposal is a review of the
literature that might be related to your topic, and how your book
differs from the competition. The preface states that, unlike other
software security texts, this one doesn't deal with security design
and defensive programming, but concentrates on how to find
vulnerabilities. The authors obviously haven't done their homework:
there are a number of books that talk about finding weaknesses and
loopholes in software. There are even books that specialize in
finding vulnerabilities in specific types of software, such as the
rather spotty "Database Hacker's Handbook" (cf. BKDBHKHB.RVW) and the
much superior "How to Break Web Software" by Andrews and Whittaker
(cf. BKHTBWSW.RVW). And most of them seem to be, like this work,
directed at consultants, security professionals, developers, and
quality assurance people.
"The Art of Software Security Assessment" is somewhat distinctive in
being particularly directed to programmers. Thus, readers from the
consulting, security, and quality assurance fields who do not have a
very strong programming background will probably find themselves at a
loss to navigate the maze of coding examples.
Part one is an introduction to software security assessment. Chapter
one, on software vulnerability fundamentals, starts with a very
verbose definition of "vulnerability" that seems to boil down to the
idea that a vulnerability is something that someone can use against
you. The authors also propose that problems be examined in terms of
design vulnerabilities (this is what some other software development
literature describes as flaws), implementation vulnerabilities (bugs),
and operational vulnerabilities. (The latter seems to be related to
improper requirements specification, or simply use of a program in the
wrong situation.) One section runs through the software development
life cycle (SDLC) noting the types of problems to be addressed in each
phase, but the material is much less useful than that in Gary McGraw's
"Software Security: Building Security In" (cf. BKSWSBSI.RVW). A brief
overview of design review is found in chapter two, along with a larger
section of miscellaneous security technologies. There is also a more-
than-usually helpful explanation of threat modeling using data flow
diagrams and attack trees. Some of the material is idiosyncratic: the
description of "bait-and-switch" attacks seems to be confused with the
birthday attack against hash digests. An unstructured collection of
content about vulnerabilities, more security technologies, and network
models makes up chapter three. Chapter four titularly talks about the
application review process. This medley of ideas about ways to check
code will give you some suggestions if you are starting the operation,
but there is little in the way of analysis of the recommendations.
Part two turns to software vulnerabilities. Chapter five provides
very detailed information about the various types of buffer overflows,
although the explanations are not always clear unless you already
understand the concepts. Important facts about the means of data
representation in the C programming language are listed in chapter
six, and the abstractions are applicable to other languages. Chapter
seven suggests reviewing code in terms of function, such as separately
auditing variable use, procedure calls and returns, and memory
allocation. Problems with common string-handling (and therefore text-
related) statements in C are discussed in chapter eight, along with
the significance of differential handling of not-quite-universal data
representations by various languages (this commonly results in
malformed data attacks). Not quite in a separate part to themselves,
chapters nine through twelve provide internal details of the UNIX and
Windows privilege and permission functions, as well as process
handling. Chapter thirteen deals with process state information,
primarily concerning various race conditions. Unfortunately, the
outlines given are not as helpful as they could be, due to a reliance
on code examples at the expense of explanations. The authors would do
well to emulate the style adopted by Diomidis Spinellis in "Code
Quality: The Open Source Perspective" (cf. BKCQTOSP.RVW) who also
stresses the auditing of source code, but provides extensive textual
background as well.
Part three looks at software vulnerabilities in practice, although
limited to network operations. Chapter fourteen provides details of
many of the basic Internet protocols, noting checks that should be
made for dangerous conditions. The discussion of firewalls, in
chapter fifteen, has oddly little material on application-level
proxies (and only tangential mention of circuit-level proxies),
concentrating on the examination of packet headers. Miscellaneous
attacks, with no readily evident theme, are listed in chapter sixteen.
Chapter seventeen details HTTP (HyperText Transfer Protocol) and other
Web technologies, catalogues some attacks, and gives a brief set of
vulnerability checking guidelines. Various vulnerabilities in Web
scripting and programming languages are noted in chapter eighteen.
There is a great deal of valuable information within this volume.
However, there isn't sufficient explanatory content for the work to
stand as a primer for beginners, and the lack of structure reduces the
utility as a professional reference. The reliance on code examples is
reasonable for a work aimed at programmers, but it does limit the
audience to that group. In addition, the practical parts of the book,
in particular, greatly emphasize Web applications. As it stands,
work has much of value to Web developers and Web software testers, but
it could have had much broader application with minor improvements.
copyright Robert M. Slade, 2006 BKTAOSSA.RVW 20061214
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
A teacher is one who makes himself progressively unnecessary.
- Thomas Carruthers
Dictionary of Information Security www.syngress.com/catalog/?pid=4150