Dailydave mailing list archives

Re: The Art of Software Security Assessment


From: Chris Wysopal <weld () vulnwatch org>
Date: Thu, 2 Nov 2006 15:33:18 -0500 (EST)


I am looking forward to reading Mark Dowd et al.'s book. There is no doubt
that these guys are code auditing experts that we can all learn from.
There is another soon-to-be-released book from Addison-Wesley Professional
that may interest readers here. It is "The Art of Software Security
Testing", authored by Lucas Nelson, Dino Dai Zovi, Elfriede Dustin and me.

The book was spawned out of our product security testing experience at
major software vendors (who don't want to be named). I was frustrated with
the fact that many quality assurance teams with expertise in unit testing,
test harnesses, and automation tools still were not doing basic security
testing like fuzzing. They have so much knowledge and technology at their
disposal. By redirecting their tools and techniques towards an attacker's
perspective, thinking threats, not functionality, and tying it together
with threat modeling, they have a fighting chance of shipping a secure
product.

The main audience of the book is software developers and testers, but
security consultants, especially those who need to work with software
teams, will benefit from it. There are even some techniques vulnerability
researchers will appreciate.

Some links to the book description:
http://www.awprofessional.com/bookstore/product.asp?isbn=0321304861&rl=1
http://www.amazon.com/gp/product/0321304861/

We don't have a sample chapter up at this time but we are hoping to have
one up soon. The table of contents is available at the AW site. The book
will be available Nov. 27th.

Cheers,

Chris

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
