• Complain

Chris Wysopal - The Art of Software Security Testing: Identifying Software Security Flaws

Here you can read online Chris Wysopal - The Art of Software Security Testing: Identifying Software Security Flaws full text of the book (entire story) in english for free. Download pdf and epub, get meaning, cover and reviews about this ebook. year: 2006, publisher: Addison-Wesley Professional, genre: Politics. Description of the work, (preface) as well as reviews are available. Best literature library LitArk.com created for fans of good reading and offers a wide selection of genres:

Romance novel Science fiction Adventure Detective Science History Home and family Prose Art Politics Computer Non-fiction Religion Business Children Humor

Choose a favorite category and find really read worthwhile books. Enjoy immersion in the world of imagination, feel the emotions of the characters or learn something new for yourself, make an fascinating discovery.

Chris Wysopal The Art of Software Security Testing: Identifying Software Security Flaws

The Art of Software Security Testing: Identifying Software Security Flaws: summary, description and annotation

We offer to read an annotation, description, summary or preface (depends on what the author of the book "The Art of Software Security Testing: Identifying Software Security Flaws" wrote himself). If you haven't found the necessary information about the book — write in the comments, we will try to find it.

Risk-based security testing, the important subject of this book, is one of seven software security touchpoints introduced in my book, Software Security: Building Security In. This book takes the basic idea several steps forward. Written by masters of software exploit, this book describes in very basic terms how security testing differs from standard software testing as practiced by QA groups everywhere. It unifies in one place ideas from Michael Howard, David Litchfield, Greg Hoglund, and me into a concise introductory package. Improve your security testing by reading this book today.

Gary McGraw, Ph.D., CTO, Cigital; Author, Software Security, Exploiting Software, Building Secure Software, and Software Fault Injection; www.cigital.com/~gem

As 2006 closes out, we will see over 5,000 software vulnerabilities announced to the public. Many of these vulnerabilities were, or will be, found in enterprise applications from companies who are staffed with large, professional, QA teams. How then can it be that these flaws consistently continue to escape even well-structured diligent testing? The answer, in part, is that testing still by and large only scratches the surface when validating the presence of security flaws. Books such as this hopefully will start to bring a more thorough level of understanding to the arena of security testing and make us all a little safer over time.

Alfred Huger, Senior Director, Development, Symantec Corporation

Software security testing may indeed be an art, but this book provides the paint-by-numbers to perform good, solid, and appropriately destructive security testing: proof that an ounce of creative destruction is worth a pound of patching later. If understanding how software can be broken is step one in every programmers twelve-step program to defensible, secure, robust software, then knowledgeable security testing comprises at least steps two through six.

Mary Ann Davidson, Chief Security Officer, Oracle

Over the past few years, several excellent books have come out teaching developers how to write more secure software by describing common security failure patterns. However, none of these books have targeted the tester whose job it is to find the security problems before they make it out of the R&D lab and into customer hands. Into this void comes The Art of Software Security Testing: Identifying Software Security Flaws. The authors, all of whom have extensive experience in security testing, explain how to use free tools to find the problems in software, giving plenty of examples of what a software flaw looks like when it shows up in the test tool. The reader learns why security flaws are different from other types of bugs (we want to know not only that the program does what its supposed to, but also that the program doesnt do that which its not supposed to), and how to use the tools to find them. Examples are primarily based on C code, but some description of Java, C#, and scripting languages help for those environments. The authors cover both Windows and UNIX-based test tools, with plenty of screenshots to see what to expect. Anyone whos doing QA testing on software should read this book, whether as a refresher for finding security problems, or as a starting point for QA people who have focused on testing functionality.

Jeremy Epstein, WebMethods

State-of-the-Art Software Security Testing: Expert, Up to Date, and Comprehensive

The Art of Software Security Testing delivers in-depth, up-to-date, battle-tested techniques for anticipating and identifying software security problems before the bad guys do.

Drawing on decades of experience in application and penetration testing, this books authors can help you transform your approach from mere verification to proactive attack. The authors begin by systematically reviewing the design and coding vulnerabilities that can arise in software, and offering realistic guidance in avoiding them. Next, they show you ways to customize software debugging tools to test the unique aspects of any program and then analyze the results to identify exploitable vulnerabilities.

Coverage includes

  • Tips on how to think the way software attackers think to strengthen your defense strategy
  • Cost-effectively integrating security testing into your development lifecycle
  • Using threat modeling to prioritize testing based on your top areas of risk
  • Building testing labs for performing white-, grey-, and black-box software testing
  • Choosing and using the right tools for each testing project
  • Executing todays leading attacks, from fault injection to buffer overflows
  • Determining which flaws are most likely to be exploited by real-world attackers

This book is indispensable for every technical professional responsible for software security: testers, QA specialists, security professionals, developers, and more. For IT managers and leaders, it offers a proven blueprint for implementing effective security testing or strengthening existing processes.

Foreword xiii

Preface xvii

Acknowledgments xxix

About the Authors xxxi

Part I: Introduction

Chapter 1: Case Your Own Joint: A Paradigm Shift from Traditional Software Testing 3

Chapter 2: How Vulnerabilities Get Into All Software 19

Chapter 3: The Secure Software Development Lifecycle 55

Chapter 4: Risk-Based Security Testing: Prioritizing Security Testing with Threat Modeling 73

Chapter 5: Shades of Analysis: White, Gray, and Black Box Testing 93

Part II: Performing the Attacks

Chapter 6: Generic Network Fault Injection 107

Chapter 7: Web Applications: Session Attacks 125

Chapter 8: Web Applications: Common Issues 141

Chapter 9: Web Proxies: Using WebScarab 169

Chapter 10: Implementing a Custom Fuzz Utility 185

Chapter 11: Local Fault Injection 201

Part III: Analysis

Chapter 12: Determining Exploitability 233

Index 251

Chris Wysopal: author's other books


Who wrote The Art of Software Security Testing: Identifying Software Security Flaws? Find out the surname, the name of the author of the book and a list of all author's works by series.

The Art of Software Security Testing: Identifying Software Security Flaws — read online for free the complete book (whole text) full work

Below is the text of the book, divided by pages. System saving the place of the last page read, allows you to conveniently read the book "The Art of Software Security Testing: Identifying Software Security Flaws" online for free, without having to search again every time where you left off. Put a bookmark, and you can go to the page where you finished reading at any time.

Light

Font size:

Reset

Interval:

Bookmark:

Make

Praise for The Art of Software Security Testing Risk-based security testing - photo 1

Praise for The Art of Software Security Testing

Risk-based security testing, the important subject of this book, is one of seven software security touchpoints introduced in my book, Software Security: Building Security In. This book takes the basic idea several steps forward. Written by masters of software exploit, this book describes in very basic terms how security testing differs from standard software testing as practiced by QA groups everywhere. It unifies in one place ideas from Michael Howard, David Litchfield, Greg Hoglund, and me into a concise introductory package. Improve your security testing by reading this book today.

Gary McGraw, Ph.D., CTO, Cigital; Author, Software Security, Exploiting Software,Building Secure Software, and Software Fault Injection; www.cigital.com/~gem

As 2006 closes out, we will see over 5,000 software vulnerabilities announced to the public. Many of these vulnerabilities were, or will be, found in enterprise applications from companies who are staffed with large, professional, QA teams. How then can it be that these flaws consistently continue to escape even well-structured diligent testing? The answer, in part, is that testing still by and large only scratches the surface when validating the presence of security flaws. Books such as this hopefully will start to bring a more thorough level of understanding to the arena of security testing and make us all a little safer over time.

Alfred Huger, Senior Director, Development, Symantec Corporation

Software security testing may indeed be an art, but this book provides the paint-by-numbers to perform good, solid, and appropriately destructive security testing: proof that an ounce of creative destruction is worth a pound of patching later. If understanding how software can be broken is step one in every programmers twelve-step program to defensible, secure, robust software, then knowledgeable security testing comprises at least steps two through six.

Mary Ann Davidson, Chief Security Officer, Oracle

Over the past few years, several excellent books have come out teaching developers how to write more secure software by describing common security failure patterns. However, none of these books have targeted the tester whose job it is to find the security problems before they make it out of the R&D lab and into customer hands. Into this void comes The Art of Software Security Testing: Identifying Software Security Flaws. The authors, all of whom have extensive experience in security testing, explain how to use free tools to find the problems in software, giving plenty of examples of what a software flaw looks like when it shows up in the test tool. The reader learns why security flaws are different from other types of bugs (we want to know not only that the program does what its supposed to, but also that the program doesnt do that which its not supposed to), and how to use the tools to find them. Examples are primarily based on C code, but some description of Java, C#, and scripting languages help for those environments. The authors cover both Windows and UNIX-based test tools, with plenty of screenshots to see what to expect. Anyone whos doing QA testing on software should read this book, whether as a refresher for finding security problems, or as a starting point for QA people who have focused on testing functionality.

Jeremy Epstein, WebMethods

The Art of Software Security Testing

The Art of Software Security Testing

Identifying Software Security Flaws

Chris Wysopal
Lucas Nelson
Dino Dai Zovi
Elfriede Dustin

The Art of Software Security Testing Identifying Software Security Flaws - image 2

Upper Saddle River, NJ Boston Indianapolis San Francisco
New York Toronto Montreal London Munich Paris Madrid
Cape Town Sydney Tokyo Singapore Mexico City

The authors and publisher have taken care in the preparation of this book, but they make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising from the use of the information or programs contained herein.

Publisher Symantec Press: Michael Hakkert

Editorial Director Symantec Press: Dave Clarke Mora

Editor in Chief: Karen Gettman

Acquisitions Editor: Jessica W. Goldstein

Managing Editor: Gina Kanouse

Cover Designer: Alan Clements

Interior Artists: Stickman Studios

Project Editor: Christy Hackerd

Copy Editor: Gayle Johnson

Senior Indexer: Cheryl Lenser

Proofreader: Chris White

Compositor: codeMantra

Manufacturing Buyer: Dan Uhrig

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales
800-382-3419

For sales outside the United States, please contact:

International Sales

Visit us on the Web at www.awprofessional.com

Copyright 2007 Symantec Corporation

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc.
Rights and Contracts Department
One Lake Street
Upper Saddle River, NJ 07458
Fax: (201) 236-3290

ISBN 0-321-30486-1

Text printed in the United States on recycled paper at R.R. Donnelley and Sons in Crawfordsville, Indiana.
First printing, November 2006

Library of Congress Cataloging-in-Publication Data

The art of software security testing : identifying software security flaws / Chris Wysopal ... [et al.]. -- 1st ed.
p. cm.
ISBN 0-321-30486-1 (pbk. : alk. paper) 1. Computer security. 2. Computer networks--Security measures.
3. Computer software--Testing. 4. Computer software--Reliability. I. Wysopal, Chris.
QA76.9.A25A795 2006
005.8--dc22
2006027502

Dedication: To our familiesas always thanks for all of your support.

Table of Contents
Foreword

Who can argue with testing things before you allow yourself to depend on them? No one can argue. No one will argue. Therefore, if testing is not done, the reasons have to be something other than a reasoned objection to testing. There seem to be exactly three: I cant afford it, I can get along without it, and I dont know how.

  • Not being able to afford itAllowing for economists to disagree over fine points, the cost of anything is the foregone alternative. If you do testing, what didnt you do? If it is to add yet another feature, perhaps you deserve congratulations on choosing a simpler product. Simpler products are in fact easier to test (and for good reason: the chief enemy of security is complexity, and nothing breeds complexity like creeping featuritis). If you didnt do testing, the usual reason given is to get the product out on time. That reason is insufficient if not petulant. The sort of testing taught in this book is about the future even more than getting the product out on time is about the future. Only CEOs intoxicated on visions of wealth are immune to thinking about the future in ways that preclude testing. Testing is about controlling your future rather than allowing it to control you. Testing accelerates the inevitable future failure of products into the present. When William Gibson famously said, The future is already hereits just unevenly distributed, he wasnt thinking of testing as we mean it here. What you explicitly want is to unevenly distribute the future so that your product gets to see its future before your customers (and opponents) do. Since you are reading this paragraph, its pretty likely you are of a testing frame of mind, so well drop the argument and move on.
Next page
Light

Font size:

Reset

Interval:

Bookmark:

Make

Similar books «The Art of Software Security Testing: Identifying Software Security Flaws»

Look at similar books to The Art of Software Security Testing: Identifying Software Security Flaws. We have selected literature similar in name and meaning in the hope of providing readers with more options to find new, interesting, not yet read works.


Reviews about «The Art of Software Security Testing: Identifying Software Security Flaws»

Discussion, reviews of the book The Art of Software Security Testing: Identifying Software Security Flaws and just readers' own opinions. Leave your comments, write what you think about the work, its meaning or the main characters. Specify what exactly you liked and what you didn't like, and why you think so.