REVIEW: "The Art of Software Security Testing", Chris Wysopal et al.
- BKASWSCT.RVW 20080512
"The Art of Software Security Testing", Chris Wysopal et al., 2007,
%A Chris Wysopal
%A Lucas Nelson
%A Dino Dai Zovi
%A Elfriede Dustin
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%I Addison-Wesley Publishing Co.
%O U$49.99/C$61.99 416-447-5101 800-822-6339 bkexpress@...
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 266 p.
%T "The Art of Software Security Testing"
The preface states that the book is directed at developers who need to
know how to test for vulnerabilities. Once you get into the text it
is clear that the intent is a bit more specific than that: the work
promotes the idea of using the same type of vulnerability scanning
tools that blackhats and intruders will be using against you.
Part one is an introduction to the basic process of application
penetration or vulnerability testing. In chapter one the authors seem
to think the idea of application penetration testing is a radically
new idea, and that the use of attacker tools will provide much greater
protection than other methods. (The fact that this approach only
detects vulnerabilities that are already known and have already been
exploited is not examined.) A laundry list of bad programming practices is provided in
chapter two, but there is no discussion of which type of testing will
help against the various problems. The stages of the system
development life cycle (SDLC) (and secure system development
lifecycle, or SSDL) are described in chapter three, but there is
little note of the types of testing relevant to each phase. Chapter
four outlines threat modelling, but doesn't explain how testing for
known vulnerabilities assists in the design process. Some components
for a testing environment are mentioned in chapter five.
Part two reviews the processes of a few attacks. Chapter six looks at
the injection of malformed data packets. A few attacks against Web
sessions are reported in chapter seven. SQL (Structured Query
Language) attacks are discussed in chapter eight. Chapter nine
describes the WebScarab Web proxy, and its use in intercepting traffic
to and from Web sites. Some code that might be used with the SOAPy
(related to the Simple Object Access Protocol) API (Application
Programming Interface) to create a tool for fuzzing (submitting semi-
random data to a program for testing) makes up chapter ten. A few
other tools are listed in chapter eleven.
Part three, supposedly about analysis, contains one final chapter with
a short deliberation on the ability to exploit different
"How to Break Web Software" (cf. BKHTBWSW.RVW) does a much better job
of describing not only the attacks against Web applications (the
primary focus of Wysopal and friends), but also the defensive measures
that can be taken. (And in fewer pages, too.) "Software Security:
Building Security In" (cf. BKSWSBSI.RVW) covers a wider range of
testing, and notes the types appropriate to different stages of the
development process. This work registers a few tools, but is limited
and of restricted usefulness.
copyright Robert M. Slade, 2008 BKASWSCT.RVW 20080512