Dailydave mailing list archives

The Art of Software Security Assessment


From: "Mark Dowd" <mark.dowd () gmail com>
Date: Thu, 2 Nov 2006 14:53:14 +1100

Hi,

Justin Schuh, John McDonald and I recently finished a book on software
security assessment. The three of us have put quite a bit of time and effort
into this project; essentially, it's a 1200 page book about how to audit
code to find vulnerabilities, based on our own experience. We present
high-level strategies for performing design and implementation reviews, but
the bulk of the content is dedicated to the technical details of
vulnerabilities and how they appear in real-world applications.

We've attempted to structure this book so it will prove useful for a variety
of audiences: developers assessing their own work (or the work of their
peers), consultants performing professional application security reviews, or
researchers looking to find the showstoppers that will appear in next
month's Patch Tuesday, bringing them one step closer to achieving the
coveted ZDI silver status. ;)

Here are some links:
http://www.amazon.com/gp/product/0321444426/
http://www.awprofessional.com/bookstore/product.asp?isbn=0321444426&rl=1

There's a sample chapter on the AW site that will give you a feel for what
the rest of the book is like. It's our chapter on C language issues, and it
has lots of examples of integer overflows and type conversion flaws, as well
as some fun C puzzles. The book will be hitting stores on November 10th. Any
thoughts/comments would be appreciated, unless they're from Anthony Osborne.
No one likes a show-off, Anthony.

Enjoy!

Mark Dowd

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave