The Art of Software Security Testing: Identifying Software Security Flaws

The Art of Software Security Testing: Identifying Software Security Flaws

作者: Chris Wysopal Lucas Nelson Dino Dai Zovi Elfriede Dustin
出版社: Addison Wesley
出版在: 2006-11-01
ISBN-13: 9780321304865
ISBN-10: 0321304861
裝訂格式: Paperback
總頁數: 312 頁



Risk-based security testing, the
important subject of this book, is one of seven software security touchpoints
introduced in my book, Software Security: Building Security In. This
book takes the basic idea several steps forward. Written by masters of
software exploit, this book describes in very basic terms how security testing
differs from standard software testing as practiced by QA groups everywhere.
It unifies in one place ideas from Michael Howard, David Litchfield, Greg
Hoglund, and me into a concise introductory package. Improve your security
testing by reading this book today.”
–Gary McGraw, Ph.D., CTO, Cigital; Author, Software
Security, Exploiting Software, Building Secure Software, and Software
Fault Injection;
“As 2006 closes out, we will see
over 5,000 software vulnerabilities announced to the public. Many of these
vulnerabilities were, or will be, found in enterprise applications from
companies who are staffed with large, professional, QA teams. How then can it
be that these flaws consistently continue to escape even well-structured
diligent testing? The answer, in part, is that testing still by and large only
scratches the surface when validating the presence of security flaws. Books
such as this hopefully will start to bring a more thorough level of
understanding to the arena of security testing and make us all a little safer
over time.”
–Alfred Huger, Senior Director, Development, Symantec
“Software security testing may
indeed be an art, but this book provides the paint-by-numbers to perform good,
solid, and appropriately destructive security testing: proof that an ounce of
creative destruction is worth a pound of patching later. If understanding how
software can be broken is step one in every programmers’ twelve-step program
to defensible, secure, robust software, then knowledgeable security testing
comprises at least steps two through six.”
–Mary Ann Davidson, Chief Security Officer,
“Over the past few years, several
excellent books have come out teaching developers how to write more secure
software by describing common security failure patterns. However, none of
these books have targeted the tester whose job it is to find the security
problems before they make it out of the R&D lab and into customer hands.
Into this void comes The Art of Software Security Testing: Identifying
Software Security Flaws. The authors, all of whom have extensive
experience in security testing, explain how to use free tools to find the
problems in software, giving plenty of examples of what a software flaw looks
like when it shows up in the test tool. The reader learns why security flaws
are different from other types of bugs (we want to know not only that ‘the
program does what it’s supposed to,’ but also that ‘the program doesn’t do
that which it’s not supposed to’), and how to use the tools to find them.
Examples are primarily based on C code, but some description of Java, C#, and
scripting languages help for those environments. The authors cover both
Windows and UNIX-based test tools, with plenty of screenshots to see what to
expect. Anyone who’s doing QA testing on software should read this book,
whether as a refresher for finding security problems, or as a starting point
for QA people who have focused on testing functionality.”
–Jeremy Epstein, WebMethods
State-of-the-Art Software
Security Testing: Expert, Up to Date, and Comprehensive
The Art of Software Security
Testing delivers in-depth, up-to-date, battle-tested techniques for
anticipating and identifying software security problems before the “bad guys”
Drawing on decades of experience in
application and penetration testing, this book’s authors can help you
transform your approach from mere “verification” to proactive “attack.” The
authors begin by systematically reviewing the design and coding
vulnerabilities that can arise in software, and offering realistic guidance in
avoiding them. Next, they show you ways to customize software debugging tools
to test the unique aspects of any program and then analyze the results to
identify exploitable vulnerabilities.
Coverage includes

Tips on how to think the way software attackers think
to strengthen your defense strategy
Cost-effectively integrating security testing into
your development lifecycle
Using threat modeling to prioritize testing based on
your top areas of risk
Building testing labs for performing white-, grey-,
and black-box software testing
Choosing and using the right tools for each testing
Executing today’s leading attacks, from fault
injection to buffer overflows
Determining which flaws are most likely to be
exploited by real-world attackers
This book is indispensable for every
technical professional responsible for software security: testers, QA
specialists, security professionals, developers, and more. For IT managers and
leaders, it offers a proven blueprint for implementing effective security
testing or strengthening existing processes.
Table of Contents

Foreword xiii
Preface xvii
Acknowledgments xxix
About the Authors xxxi
Part I:
Chapter 1: Case Your Own Joint: A
Paradigm Shift from Traditional Software Testing  3
Chapter 2: How Vulnerabilities Get
Into All Software  19
Chapter 3: The Secure Software
Development Lifecycle  55
Chapter 4: Risk-Based Security
Testing: Prioritizing Security Testing with Threat Modeling 
Chapter 5: Shades of Analysis:
White, Gray, and Black Box Testing  93
Part II: Performing the
Chapter 6: Generic Network Fault
Injection  107
Chapter 7: Web Applications: Session
Attacks  125
Chapter 8: Web Applications: Common
Issues  141
Chapter 9: Web Proxies: Using
WebScarab  169
Chapter 10: Implementing a Custom
Fuzz Utility  185
Chapter 11: Local Fault
Injection  201
Part III: Analysis
Chapter 12: Determining
Exploitability  233


Kubernetes 網絡權威指南:基礎、原理與實踐

作者 杜軍


Beginning PowerShell for SharePoint 2016: A Guide for Administrators, Developers, and DevOps Engineers

作者 Nikolas Charlebois-Laprade John Edward Naguib


Implementing DevOps on AWS

作者 Veselin Kantsev