on 31 March 2016
As I work in the software security industry, I took it upon myself to get this book and go through it thoroughly; what an experience. This book will both scare you and reassure you. Scare you with just how insecure software can be and the ramifications of such software. Reassure you that it is indeed possible to build robust and secure software, or more secure software :)
If you are in any way linked to the software security industry, i.e. work in it or just have an interest, then I can't recommend this book highly enough. I could go into details of each chapter, but you're better off getting it and reading it for yourself. Be warned though: it is a mighty tome and requires time and effort, but you will be richly rewarded and much better off for the experience.
on 20 December 2011
I'm not a code auditor. I set myself the challenge of reading this whole book because I was very interested in pursuing this career path. It is very much a reference and has been a struggle for my bedtime reading, on and off, since I got the book in mid-2010.
If you can spare the time and use a couple of dedicated reference books, such as The C Programming Language and Windows Internals, you can pretty much learn all of the concepts you need to know about vulnerability research.
Although, saying that, you need to put in the work to find these kinds of bugs yourself.
The book is not written to be read front to back. The clear introductions and explanations about each topic mean you can pick up any chapter without much background.
The C Language and Strings sections alone are worth the cost of the book.
The main skill required for software security assessment is persistence. If you can stick with this book, you can be a software auditor.