The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities Paperback – 20 Nov 2006

Product details

  • Paperback: 1200 pages
  • Publisher: Addison Wesley; 1 edition (20 Nov. 2006)
  • Language: English
  • ISBN-10: 9780321444424
  • ISBN-13: 978-0321444424
  • ASIN: 0321444426
  • Product Dimensions: 17.8 x 6.1 x 23.1 cm
  • Average Customer Review: 5.0 out of 5 stars (3 customer reviews)
  • Amazon Bestsellers Rank: 617,192 in Books

Product Description

From the Back Cover

“There are a number of secure programming books on the market, but none that go as deep as this one. The depth and detail exceeds all books that I know about by an order of magnitude.”

Halvar Flake, CEO and head of research, SABRE Security GmbH


The Definitive Insider’s Guide to Auditing Software Security


This is one of the most detailed, sophisticated, and useful guides to software security auditing ever written. The authors are leading security consultants and researchers who have personally uncovered vulnerabilities in applications ranging from sendmail to Microsoft Exchange, Check Point VPN to Internet Explorer. Drawing on their extraordinary experience, they introduce a start-to-finish methodology for “ripping apart” applications to reveal even the most subtle and well-hidden security flaws.


The Art of Software Security Assessment covers the full spectrum of software vulnerabilities in both UNIX/Linux and Windows environments. It demonstrates how to audit security in applications of all sizes and functions, including network and Web software. Moreover, it teaches using extensive examples of real code drawn from past flaws in many of the industry's highest-profile applications.


Coverage includes


• Code auditing: theory, practice, proven methodologies, and secrets of the trade

• Bridging the gap between secure software design and post-implementation review

• Performing architectural assessment: design review, threat modeling, and operational review

• Identifying vulnerabilities related to memory management, data types, and malformed data

• UNIX/Linux assessment: privileges, files, and processes

• Windows-specific issues, including objects and the filesystem

• Auditing interprocess communication, synchronization, and state

• Evaluating network software: IP stacks, firewalls, and common application protocols

• Auditing Web applications and technologies


This book is an unprecedented resource for everyone who must deliver secure software or assure the safety of existing software: consultants, security specialists, developers, QA staff, testers, and administrators alike.


Table of Contents (excerpt)

Preface     xvii
I   Introduction to Software Security Assessment
II  Software Vulnerabilities
III Software Vulnerabilities in Practice
15  Firewalls    891
Index     1129

About the Author

Mark Dowd is a principal security architect at McAfee, Inc. and an established expert in the field of application security. His professional experience includes several years as a senior researcher at Internet Security Systems (ISS) X-Force, and the discovery of a number of high-profile vulnerabilities in ubiquitous Internet software. He is responsible for identifying and helping to address critical flaws in Sendmail, Microsoft Exchange Server, OpenSSH, Internet Explorer, Mozilla (Firefox), Checkpoint VPN, and Microsoft’s SSL implementation. In addition to his research work, Mark presents at industry conferences, including Black Hat and RUXCON.


John McDonald is a senior consultant with Neohapsis, where he specializes in advanced application security assessment across a broad range of technologies and platforms. He has an established reputation in software security, including work in security architecture and vulnerability research for NAI (now McAfee), Data Protect GmbH, and Citibank. As a vulnerability researcher, John has identified and helped resolve numerous critical vulnerabilities, including issues in Solaris, BSD, Checkpoint FireWall-1, OpenSSL, and BIND.


Justin Schuh is a senior consultant with Neohapsis, where he leads the Application Security Practice. As a senior consultant and practice lead, he performs software security assessments across a range of systems, from embedded device firmware to distributed enterprise web applications. Prior to his employment with Neohapsis, Justin spent nearly a decade in computer security activities at the Department of Defense (DoD) and related agencies. His government service includes a role as a lead researcher with the National Security Agency (NSA) penetration testing team–the Red Team.

Customer Reviews


Top Customer Reviews

Format: Kindle Edition Verified Purchase
As I work in the software security industry, I took it upon myself to get this book and go through it thoroughly; what an experience. This book will both scare you and reassure you. Scare you with just how insecure software can be and the ramifications of such software. Reassure you that it is indeed possible to build robust and secure software, or more secure software :)
If you are in any way linked to the software security industry, i.e. work in it or just have an interest, then I can't recommend this book highly enough, I could go into details of each chapter, but you're better getting it and reading it for yourself. Be warned though, it is a mighty tome and requires time and effort, but you will be richly rewarded and much better off for the experience.
Format: Paperback
I will keep this review short and to the point. If you are involved into any area of software security, you cannot afford not to own this book. It comes in a whooping 1200 pages but it is worth it.
Format: Paperback
I'm not a code auditor. I set myself the challenge of reading this whole book because I was very interested in pursuing this career path. It is very much a reference and has been a struggle for my bedtime reading, on and off, since I got the book in mid 2010.

If you can spare the time, and use a couple of dedicated reference books such as the C Programming Language and Windows Internals you can pretty much learn all of the concepts you need to know about vulnerability research.

Although, saying that, you need to put in the work to find these kinds of bugs yourself.

The book is not written to be read front to back. The clear introductions and explanations about each topic mean you can pick up any chapter without much background.

The C Language and Strings sections alone are worth the cost of the book.

The main skill required for software security assessment is persistence. If you can stick with this book, you can be a software auditor.

5 Stars

Most Helpful Customer Reviews on Amazon.com (beta)

Amazon.com: 4.7 out of 5 stars 28 reviews
5.0 out of 5 stars Great book for the right audience 29 Sept. 2016
By John Pierce - Published on Amazon.com
Format: Paperback Verified Purchase
Very interesting text that works through the steps in software vulnerability analysis. Not good for a beginner as it assumes proficiency with programming, but that's to be expected for the subject matter. Having developed code for in-house use, I haven't been too concerned with secure coding in the past. This was very interesting reading, IMO. By the way, I ordered it from Amazon directly first. The recent version is broken up into two volumes of about 600 pages each. I received only volume 2 first round and was told my best option was to return it and buy from another seller as they couldn't ship me just the first volume. Good luck.
5.0 out of 5 stars Excellent, the perfect Soft Sec Assessment's beginner book. 4 July 2016
By Amazon Customer - Published on Amazon.com
Format: Paperback Verified Purchase
This book is by far the most detailed and example-heavy book on the topic I've read. The main book is about 1123 pages, but once you get into the meat of the book, there are examples and diagrams on almost every other page, sometimes even every page. The great thing about this is if you're impatient, you could skip examples. However, I wouldn't recommend this because every example goes into some new level of depth, and they often come from real software. The only thing you need to be aware of is you should have a moderate understanding of C programming, and basic knowledge of ASM. If you don't, they do a good job of explaining it, but it might be difficult to follow.
4.0 out of 5 stars Overwhelming 6 May 2014
By Yoyo - Published on Amazon.com
Format: Paperback Verified Purchase
Quite a book. Not much on web application specifics, but much heavier on C, UNIX, and security of software. It will however serve as a handy reference in the future, as most of this information will not go out of date.
5.0 out of 5 stars Operating Systems! 15 May 2014
By Aspiring Professional - Published on Amazon.com
Format: Paperback Verified Purchase
I was looking for an Addison Wesley book that was technical, but also discusses operating systems from a security assessment perspective. Here it is! It's a huge book, with two chapters dedicated to Unix, two to Windows, and another to interprocess communication. I found the book I was looking for!
5.0 out of 5 stars Buy the paper version 28 Aug. 2013
By Z. Riggle - Published on Amazon.com
Format: Kindle Edition Verified Purchase
I bought the Kindle version of this so that I could read on-the-go, and I have to say that in some places the formatting makes it hard to follow in the examples. The hard copy is much better, although significantly less portable. I'd recommend the hard copy, given the choice between the two.