Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "The Art of Software Security Testing", Chris Wysopal et al

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Han
    BKASWSCT.RVW 20080512 The Art of Software Security Testing , Chris Wysopal et al, 2007, 0-321-30486-1, U$49.99/C$61.99 %A Chris Wysopal %A Lucas Nelson
    Message 1 of 1 , Aug 21, 2008
    • 0 Attachment
      BKASWSCT.RVW 20080512

      "The Art of Software Security Testing", Chris Wysopal et al, 2007,
      0-321-30486-1, U$49.99/C$61.99
      %A Chris Wysopal
      %A Lucas Nelson
      %A Dino Dai Zovi
      %A Elfriede Dustin
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2007
      %G 0-321-30486-1
      %I Addison-Wesley Publishing Co.
      %O U$49.99/C$61.99 416-447-5101 800-822-6339 bkexpress@...
      %O http://www.amazon.com/exec/obidos/ASIN/0321304861/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0321304861/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 266 p.
      %T "The Art of Software Security Testing"

      The preface states that the book is directed at developers who need to
      know how to test for vulnerabilities. Once you get into the text it
      is clear that the intent is a bit more specific than that: the work
      promotes the idea of using the same type of vulnerability scanning
      tools that blackhats and intruders will be using against you.

      Part one is an introduction to the basic process of application
      penetration or vulnerability testing. In chapter one the authors seem
      to think the idea of application penetration testing is a radically
      new idea, and that the use of attacker tools will provide much greater
      protection than other methods. (The fact that this only detects
      vulnerabilities that have already been exploited and known is not
      examined.) A laundry list of bad programming practices is provided in
      chapter two, but there is no discussion of which type of testing will
      help against the various problems. The stages of the system
      development life cycle (SDLC) (and secure system development
      lifecycle, or SSDL) are described in chapter three, but there is
      little note of the types of testing relevant to each phase. Chapter
      four outlines threat modelling, but doesn't explain how testing for
      known vulnerabilities assists in the design process. Some components
      for a testing environment are mentioned in chapter five.

      Part two reviews the processes of a few attacks. Chapter six looks at
      the injection of malformed data packets. A few attacks against Web
      sessions are reported in chapter seven. SQL (Structured Query
      Language) attacks are discussed in chapter eight. Chapter nine
      describes the WebScarab Web proxy, and its use in intercepting traffic
      to and from Web sites. Some code that might be used with the SOAPy
      (related to the Simple Object Access Protocol) API (Application
      Programming Interface) to create a tool for fuzzing (submitting semi-
      random data to a program for testing) makes up chapter ten. A few
      other tools are listed in chapter eleven.

      Part three, supposedly about analysis, contains one final chapter with
      a short deliberation on the ability to exploit different

      "How to Break Web Software" (cf. BKHTBWSW.RVW) does a much better job
      of describing not only the attacks against Web applications (the
      primary focus of Wysopal and friends), but also the defensive measures
      that can be taken. (And in fewer pages, too.) "Software Security:
      Building Security In" (cf. BKSWSBSI.RVW) covers a wider range of
      testing, and notes the types appropriate to different stages of the
      development process. This work registers a few tools, but is limited
      and of restricted usefulness.

      copyright Robert M. Slade, 2008 BKASWSCT.RVW 20080512

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      My infected haiku
      Jerusalem has added
      more Jerusalem - virus haiku
      victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/
    Your message has been successfully submitted and would be delivered to recipients shortly.