BKTAOSSA.RVW 20061214 "The Art of Software Security Assessment", Mark Dowd/John McDonald/Justin Schuh, 2007, 0-321-44442-6, U$54.99/C$68.99 %A Mark Dowd http://taossa.com/ %A John McDonald %A Justin Schuh %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8 %D 2007 %G 0-321-44442-6 %I Addison-Wesley Publishing Co. %O U$54.99/C$68.99 416-447-5101 fax: 416-443-0948 800-822-6339 %O http://www.amazon.com/exec/obidos/ASIN/0321444426/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0321444426/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0321444426/robsladesin03-20 %O Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation) %P 1174 p. %T "The Art of Software Security Assessment" One of the important parts of a book proposal is a review of the literature that might be related to your topic, and how your book differs from the competition. The preface states that, unlike other software security texts, this one doesn't deal with security design and defensive programming, but concentrates on how to find vulnerabilities. The authors obviously haven't done their homework: there are a number of books that talk about finding weaknesses and loopholes in software. There are even books that specialize in finding vulnerabilities in specific types of software, such as the rather spotty "Database Hacker's Handbook" (cf. BKDBHKHB.RVW) and the much superior "How to Break Web Software" by Andrews and Whittaker (cf. BKHTBWSW.RVW). And most of them seem to be, like this work, directed at consultants, security professionals, developers, and quality assurance people. "The Art of Software Security Assessment" is somewhat distinctive in being particularly directed to programmers. Thus, readers from the consulting, security, and quality assurance fields who do not have a very strong programming background will probably find themselves at a loss to navigate the maze of coding examples. Part one is an introduction to software security assessment. Chapter one, on software vulnerability fundamentals, starts with a very verbose definition of "vulnerability" that seems to boil down to the idea that a vulnerability is something that someone can use against you. The authors also propose that problems be examined in terms of design vulnerabilities (this is what some other software development literature describes as flaws), implementation vulnerabilities (bugs), and operational vulnerabilities. (The latter seems to be related to improper requirements specification, or simply use of a program in the wrong situation.) One section runs through the software development life cycle (SDLC) noting the types of problems to be addressed in each phase, but the material is much less useful than that in Gary McGraw's "Software Security: Building Security In" (cf. BKSWSBSI.RVW). A brief overview of design review is found in chapter two, along with a larger section of miscellaneous security technologies. There is also a more- than-usually helpful explanation of threat modeling using data flow diagrams and attack trees. Some of the material is idiosyncratic: the description of "bait-and-switch" attacks seems to be confused with the birthday attack against hash digests. An unstructured collection of content about vulnerabilities, more security technologies, and network models makes up chapter three. Chapter four titularly talks about the application review process. This medley of ideas about ways to check code will give you some suggestions if you are starting the operation, but there is little in the way of analysis of the recommendations. Part two turns to software vulnerabilities. Chapter five provides very detailed information about the various types of buffer overflows, although the explanations are not always clear unless you already understand the concepts. Important facts about the means of data representation in the C programming language are listed in chapter six, and the abstractions are applicable to other languages. Chapter seven suggests reviewing code in terms of function, such as separately auditing variable use, procedure calls and returns, and memory allocation. Problems with common string-handling (and therefore text- related) statements in C are discussed in chapter eight, along with the significance of differential handling of not-quite-universal data representations by various languages (this commonly results in malformed data attacks). Not quite in a separate part to themselves, chapters nine through twelve provide internal details of the UNIX and Windows privilege and permission functions, as well as process handling. Chapter thirteen deals with process state information, primarily concerning various race conditions. Unfortunately, the outlines given are not as helpful as they could be, due to a reliance on code examples at the expense of explanations. The authors would do well to emulate the style adopted by Diomidis Spinellis in "Code Quality: The Open Source Perspective" (cf. BKCQTOSP.RVW) who also stresses the auditing of source code, but provides extensive textual background as well. Part three looks at software vulnerabilities in practice, although limited to network operations. Chapter fourteen provides details of many of the basic Internet protocols, noting checks that should be made for dangerous conditions. The discussion of firewalls, in chapter fifteen, has oddly little material on application-level proxies (and only tangential mention of circuit-level proxies), concentrating on the examination of packet headers. Miscellaneous attacks, with no readily evident theme, are listed in chapter sixteen. Chapter seventeen details HTTP (HyperText Transfer Protocol) and other Web technologies, catalogues some attacks, and gives a brief set of vulnerability checking guidelines. Various vulnerabilities in Web scripting and programming languages are noted in chapter eighteen. There is a great deal of valuable information within this volume. However, there isn't sufficient explanatory content for the work to stand as a primer for beginners, and the lack of structure reduces the utility as a professional reference. The reliance on code examples is reasonable for a work aimed at programmers, but it does limit the audience to that group. In addition, the practical parts of the book, in particular, greatly emphasize Web applications. As it stands, this work has much of value to Web developers and Web software testers, but it could have had much broader application with minor improvements. copyright Robert M. Slade, 2006 BKTAOSSA.RVW 20061214