Chris Wysopal - The Art of Software Security Testing: Identifying Software Security Flaws

Risk-based security testing, the important subject of this book, is one of seven software security touchpoints introduced in my book, Software Security: Building Security In. This book takes the basic idea several steps forward. Written by masters of software exploit, this book describes in very basic terms how security testing differs from standard software testing as practiced by QA groups everywhere. It unifies in one place ideas from Michael Howard, David Litchfield, Greg Hoglund, and me into a concise introductory package. Improve your security testing by reading this book today.

Gary McGraw, Ph.D., CTO, Cigital; Author, Software Security, Exploiting Software,Building Secure Software, and Software Fault Injection; www.cigital.com/~gem

As 2006 closes out, we will see over 5,000 software vulnerabilities announced to the public. Many of these vulnerabilities were, or will be, found in enterprise applications from companies who are staffed with large, professional, QA teams. How then can it be that these flaws consistently continue to escape even well-structured diligent testing? The answer, in part, is that testing still by and large only scratches the surface when validating the presence of security flaws. Books such as this hopefully will start to bring a more thorough level of understanding to the arena of security testing and make us all a little safer over time.

Alfred Huger, Senior Director, Development, Symantec Corporation

Software security testing may indeed be an art, but this book provides the paint-by-numbers to perform good, solid, and appropriately destructive security testing: proof that an ounce of creative destruction is worth a pound of patching later. If understanding how software can be broken is step one in every programmers twelve-step program to defensible, secure, robust software, then knowledgeable security testing comprises at least steps two through six.

Mary Ann Davidson, Chief Security Officer, Oracle

Over the past few years, several excellent books have come out teaching developers how to write more secure software by describing common security failure patterns. However, none of these books have targeted the tester whose job it is to find the security problems before they make it out of the R&D lab and into customer hands. Into this void comes The Art of Software Security Testing: Identifying Software Security Flaws. The authors, all of whom have extensive experience in security testing, explain how to use free tools to find the problems in software, giving plenty of examples of what a software flaw looks like when it shows up in the test tool. The reader learns why security flaws are different from other types of bugs (we want to know not only that the program does what its supposed to, but also that the program doesnt do that which its not supposed to), and how to use the tools to find them. Examples are primarily based on C code, but some description of Java, C#, and scripting languages help for those environments. The authors cover both Windows and UNIX-based test tools, with plenty of screenshots to see what to expect. Anyone whos doing QA testing on software should read this book, whether as a refresher for finding security problems, or as a starting point for QA people who have focused on testing functionality.

Jeremy Epstein, WebMethods

The Art of Software Security Testing

Identifying Software Security Flaws

Chris Wysopal
Lucas Nelson
Dino Dai Zovi
Elfriede Dustin

Upper Saddle River, NJ Boston Indianapolis San Francisco
New York Toronto Montreal London Munich Paris Madrid
Cape Town Sydney Tokyo Singapore Mexico City

The authors and publisher have taken care in the preparation of this book, but they make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising from the use of the information or programs contained herein.

Publisher Symantec Press: Michael Hakkert

Editorial Director Symantec Press: Dave Clarke Mora

Editor in Chief: Karen Gettman

Acquisitions Editor: Jessica W. Goldstein

Managing Editor: Gina Kanouse

Cover Designer: Alan Clements

Interior Artists: Stickman Studios

Project Editor: Christy Hackerd

Copy Editor: Gayle Johnson

Senior Indexer: Cheryl Lenser

Proofreader: Chris White

Compositor: codeMantra

Manufacturing Buyer: Dan Uhrig

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales
800-382-3419

For sales outside the United States, please contact:

International Sales

Visit us on the Web at www.awprofessional.com

Copyright 2007 Symantec Corporation

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc.
Rights and Contracts Department
One Lake Street
Upper Saddle River, NJ 07458
Fax: (201) 236-3290

ISBN 0-321-30486-1

Text printed in the United States on recycled paper at R.R. Donnelley and Sons in Crawfordsville, Indiana.
First printing, November 2006

Library of Congress Cataloging-in-Publication Data

The art of software security testing : identifying software security flaws / Chris Wysopal ... [et al.]. -- 1st ed.
p. cm.
ISBN 0-321-30486-1 (pbk. : alk. paper) 1. Computer security. 2. Computer networks--Security measures.
3. Computer software--Testing. 4. Computer software--Reliability. I. Wysopal, Chris.
QA76.9.A25A795 2006
005.8--dc22
2006027502

Dedication: To our familiesas always thanks for all of your support.

Who can argue with testing things before you allow yourself to depend on them? No one can argue. No one will argue. Therefore, if testing is not done, the reasons have to be something other than a reasoned objection to testing. There seem to be exactly three: I cant afford it, I can get along without it, and I dont know how.

• Not being able to afford itAllowing for economists to disagree over fine points, the cost of anything is the foregone alternative. If you do testing, what didnt you do? If it is to add yet another feature, perhaps you deserve congratulations on choosing a simpler product. Simpler products are in fact easier to test (and for good reason: the chief enemy of security is complexity, and nothing breeds complexity like creeping featuritis). If you didnt do testing, the usual reason given is to get the product out on time. That reason is insufficient if not petulant. The sort of testing taught in this book is about the future even more than getting the product out on time is about the future. Only CEOs intoxicated on visions of wealth are immune to thinking about the future in ways that preclude testing. Testing is about controlling your future rather than allowing it to control you. Testing accelerates the inevitable future failure of products into the present. When William Gibson famously said, The future is already hereits just unevenly distributed, he wasnt thinking of testing as we mean it here. What you explicitly want is to unevenly distribute the future so that your product gets to see its future before your customers (and opponents) do. Since you are reading this paragraph, its pretty likely you are of a testing frame of mind, so well drop the argument and move on.