FREE Delivery in the UK.
In stock.
Dispatched from and sold by Amazon. Gift-wrap available.
The Art of Software Secur... has been added to your Basket

Dispatch to:
To see addresses, please
Or
Please enter a valid UK postcode.
Or
+ £2.80 UK delivery
Used: Good | Details
Condition: Used: Good
Comment: A good reading copy. May contain markings or be a withdrawn library copy. Expect delivery in 20 days.
Have one to sell?
Flip to back Flip to front
Listen Playing... Paused   You're listening to a sample of the Audible audio edition.
Learn more
See all 2 images

The Art of Software Security Testing: Identifying Software Security Flaws (Symantec Press) Paperback – 17 Nov 2006


See all 3 formats and editions Hide other formats and editions
Amazon Price
New from Used from
Kindle Edition
Paperback
£33.99
£33.99 £22.06
Note: This item is eligible for click and collect. Details
Pick up your parcel at a time and place that suits you.
  • Choose from over 13,000 locations across the UK
  • Prime members get unlimited deliveries at no additional cost
How to order to an Amazon Pickup Location?
  1. Find your preferred location and add it to your address book
  2. Dispatch to this address when you check out
Learn more
click to open popover

Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.

  • Apple
  • Android
  • Windows Phone

To get the free app, enter your mobile phone number.



All Amazon Original Books on Sale
Browse a selection of over 160+ Kindle Books currently on sale. Learn more

Product details

  • Paperback: 304 pages
  • Publisher: AddisonWesley Professional; 1 edition (17 Nov. 2006)
  • Language: English
  • ISBN-10: 0321304861
  • ISBN-13: 978-0321304865
  • Product Dimensions: 17.8 x 2 x 23.1 cm
  • Average Customer Review: Be the first to review this item
  • Amazon Bestsellers Rank: 1,177,630 in Books (See Top 100 in Books)
  • Would you like to tell us about a lower price?
    If you are a seller for this product, would you like to suggest updates through seller support?

  • See Complete Table of Contents

Product description

From the Back Cover

Risk-based security testing, the important subject of this book, is one of seven software security touchpoints introduced in my book, Software Security: Building Security In. This book takes the basic idea several steps forward. Written by masters of software exploit, this book describes in very basic terms how security testing differs from standard software testing as practiced by QA groups everywhere. It unifies in one place ideas from Michael Howard, David Litchfield, Greg Hoglund, and me into a concise introductory package. Improve your security testing by reading this book today.”

Gary McGraw, Ph.D., CTO, Cigital; Author, Software Security, Exploiting Software, Building Secure Software, and Software Fault Injection; www.cigital.com/~gem

 

“As 2006 closes out, we will see over 5,000 software vulnerabilities announced to the public. Many of these vulnerabilities were, or will be, found in enterprise applications from companies who are staffed with large, professional, QA teams. How then can it be that these flaws consistently continue to escape even well-structured diligent testing? The answer, in part, is that testing still by and large only scratches the surface when validating the presence of security flaws. Books such as this hopefully will start to bring a more thorough level of understanding to the arena of security testing and make us all a little safer over time.”

Alfred Huger, Senior Director, Development, Symantec Corporation

 

“Software security testing may indeed be an art, but this book provides the paint-by-numbers to perform good, solid, and appropriately destructive security testing: proof that an ounce of creative destruction is worth a pound of patching later. If understanding how software can be broken is step one in every programmers’ twelve-step program to defensible, secure, robust software, then knowledgeable security testing comprises at least steps two through six.”

Mary Ann Davidson, Chief Security Officer, Oracle

 

“Over the past few years, several excellent books have come out teaching developers how to write more secure software by describing common security failure patterns. However, none of these books have targeted the tester whose job it is to find the security problems before they make it out of the R&D lab and into customer hands. Into this void comes The Art of Software Security Testing: Identifying Software Security Flaws. The authors, all of whom have extensive experience in security testing, explain how to use free tools to find the problems in software, giving plenty of examples of what a software flaw looks like when it shows up in the test tool. The reader learns why security flaws are different from other types of bugs (we want to know not only that ‘the program does what it’s supposed to,’ but also that ‘the program doesn’t do that which it’s not supposed to’), and how to use the tools to find them. Examples are primarily based on C code, but some description of Java, C#, and scripting languages help for those environments. The authors cover both Windows and UNIX-based test tools, with plenty of screenshots to see what to expect. Anyone who’s doing QA testing on software should read this book, whether as a refresher for finding security problems, or as a starting point for QA people who have focused on testing functionality.”

Jeremy Epstein, WebMethods

 

State-of-the-Art Software Security Testing: Expert, Up to Date, and Comprehensive

 

The Art of Software Security Testing delivers in-depth, up-to-date, battle-tested techniques for anticipating and identifying software security problems before the “bad guys” do.

 

Drawing on decades of experience in application and penetration testing, this book’s authors can help you transform your approach from mere “verification” to proactive “attack.” The authors begin by systematically reviewing the design and coding vulnerabilities that can arise in software, and offering realistic guidance in avoiding them. Next, they show you ways to customize software debugging tools to test the unique aspects of any program and then analyze the results to identify exploitable vulnerabilities.

 

Coverage includes

  • Tips on how to think the way software attackers think to strengthen your defense strategy
  • Cost-effectively integrating security testing into your development lifecycle
  • Using threat modeling to prioritize testing based on your top areas of risk
  • Building testing labs for performing white-, grey-, and black-box software testing
  • Choosing and using the right tools for each testing project
  • Executing today’s leading attacks, from fault injection to buffer overflows
  • Determining which flaws are most likely to be exploited by real-world attackers

 

This book is indispensable for every technical professional responsible for software security: testers, QA specialists, security professionals, developers, and more. For IT managers and leaders, it offers a proven blueprint for implementing effective security testing or strengthening existing processes.

 

Foreword xiii

Preface xvii

Acknowledgments xxix

About the Authors xxxi

 

Part I: Introduction

Chapter 1: Case Your Own Joint: A Paradigm Shift from Traditional Software Testing  3

Chapter 2: How Vulnerabilities Get Into All Software  19

Chapter 3: The Secure Software Development Lifecycle  55

Chapter 4: Risk-Based Security Testing: Prioritizing Security Testing with Threat Modeling  73

Chapter 5: Shades of Analysis: White, Gray, and Black Box Testing  93

 

Part II: Performing the Attacks

Chapter 6: Generic Network Fault Injection  107

Chapter 7: Web Applications: Session Attacks  125

Chapter 8: Web Applications: Common Issues  141

Chapter 9: Web Proxies: Using WebScarab  169

Chapter 10: Implementing a Custom Fuzz Utility  185

Chapter 11: Local Fault Injection  201

 

Part III: Analysis

Chapter 12: Determining Exploitability  233

 

Index  251

About the Author

Chris Wysopal is cofounder and CTO of Veracode, where he is responsible for the software security analysis capabilities of Veracode’s technology. Previously he was vice president of research and development at @stake. As a member of the groundbreaking security research think tank L0pht Heavy Industries, he and his colleagues testified to the U.S. Senate that they could “take down the Internet in 30 minutes.” They were praised as “modern-day Paul Reveres” by the senators for their research and warnings of computer security weaknesses. Wysopal has also testified to the U.S. House of Representatives and has spoken at the Defense Information Systems Agency (DISA), Black Hat, and West Point. He is coauthor of L0phtCrack, the password auditor used by more than 6,000 government, military, and corporate organizations worldwide. He earned his bachelor of science degree in computer and systems engineering from Rensselaer Polytechnic Institute in Troy, New York.

 

Lucas Nelson is the technical manager for Symantec’s New York region, where he is responsible for all aspects of security consulting services delivery. Within Symantec he also leads the Application Security Center of Excellence, which develops application security practices and guidelines and trains new hires in the methodology of application testing. He has taught a number of classes on both attacking and defending computer systems to several groups, including state governments and large financial institutions. Nelson worked as a developer specializing in security for a number of small startups before joining Symantec/ @stake in 2002. He researched computer security at Purdue University’s CERIAS lab under the guidance of professor Eugene Spafford, graduating with a degree in computer science.

 

Dino A. Dai Zovi is a principal member of Matasano Security, where he performs ShipSafe product penetration tests for software vendors and DeploySafe third-party software penetration tests for enterprise clients. He specializes in product, application, and operating system penetration testing and has done so in his previous roles at Bloomberg, @stake, and Sandia National Laboratories. He is also a frequent speaker on his computer security research, including presentations at the Black Hat Briefings, IEEE Information Assurance Workshop, Microsoft’s internal Blue Hat Security Briefings, CanSecWest, and DEFCON. He graduated with honors with a bachelor of science in computer science and a minor in mathematics from the University of New Mexico.

 

Elfriede Dustin is author of Effective Software Testing and lead author of Automated Software Testing and Quality Web Systems, books that have been translated into various languages and that have sold tens of thousands of copies throughout the world. The Automated Testing Lifecycle Methodology (ATLM) described in Automated Software Testing has been implemented in various companies throughout the world. Dustin has written various white papers on software testing. She teaches various testing tutorials and is a frequent speaker at software testing conferences. In support of software test efforts, Dustin has been responsible for implementing automated test and has acted as the lead consultant/manager guiding the implementation of automated and manual software testing efforts. She is cochair of VERIFY, an annual international software testing conference held in the Washington, DC area. Dustin has a bachelor of science in computer science. She has more than 15 years of IT experience and currently works as an independent consultant in the Washington, DC area. You can reach her via her Web site at www.effectivesoftwaretesting.com.

 


Customer reviews

There are no customer reviews yet.
Share your thoughts with other customers

Most helpful customer reviews on Amazon.com

Amazon.com: 4.3 out of 5 stars 7 reviews
3 people found this helpful.
4.0 out of 5 starsHighly recommended primer
on 19 August 2007 - Published on Amazon.com
Verified Purchase
5.0 out of 5 starsFive Stars
on 26 April 2016 - Published on Amazon.com
Verified Purchase
2 people found this helpful.
5.0 out of 5 starsExcellent for Managers/Executives or Techies New to Security
on 19 August 2007 - Published on Amazon.com
Verified Purchase
10 people found this helpful.
4.0 out of 5 starsGood overview but not a one stop shop
on 12 January 2008 - Published on Amazon.com
Pages with related products. See and discover other items: software testing

Where's My Stuff?

Delivery and Returns

Need Help?