Saturday, January 12, 2008

The Art of Software Security Testing Book Review

Book Review For:

The Art of Software Security Testing: Identifying Software Security Flaws

by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, Elfriede Dustin

Good overview but not a one stop shop

4 stars

This is a good “short” version of "The Art of Software Security Assessment" by Dowd. For a security book its short, at 250 pages. The book contains useful information but not enough to be an expert at anything. This is definitely one of those mile wide, inch deep books and not a one stop shop as it says in the preface. It covers topics in enough detail to have heard of the issue and some of the chapters give you some links to further information but you wont come away with enough knowledge to actually do many of the attacks talked about.

It does hit the major attack vectors; Ch6 Generic Network Fault Injection, Ch7 Web Applications: Session Attacks, Ch8 Web Applications: Common Issues, Ch9 Web Proxies: Using WebScarab, Ch10 Implementing a Custom Fuzz Utility, and Ch11 Local Fault Injection. So thats a plus. The first part of the book on Secure Software Development Lifecycle was good, but again, not really enough information to be the only book you need on the subject. The third part of the book on analysis, Ch12 Determining Exploitability, was really not useful to me its way too short and tries to cram exploit development into 25 pages which just isn't possible. It shows you some diagrams of the stack and heap then some winDbg screen shots of nameless programs crashing and overwriting EIP (stack) and EAX (heap) and a null dereference. Fairly anti-climatic and doesn't dispel the “magic” of writing exploits.

Things I liked; the WebScarab chapter (Ch9) was good, that can be a tough tool to get up and running with all of its options. The Web Application chapters (Ch 7 & Ch8) are pretty good overviews. Part 1 of the book on the SSDL, overview of how vulnerabilities get into code, and risk-based security testing was useful to me and serves as a good into to the Dowd book.

Things I didn't like; Chapter 12 on Determining Exploitability was too short and not enough information, no code for the custom web application they use for examples for SQL Injection. I'm very much a “have to do it” guy and not having the code was a disappointment and lastly the book's website seems to have never been updated after first standing it up.

I'd recommend the book to people who need to get an idea of security flaws, how they get into code and some visual examples of those flaws. But only if they needed either a high level overview or they need an initiation to the topic. For people who need a deep knowledge I'd refer them to the Dowd book.


No comments: