Dailydave mailing list archives
Re: Book Review: The Art of Software Security Assessment
From: "Halvar Flake" <halvar () gmx de>
Date: Sat, 2 Dec 2006 16:31:28 +0100
Hey all,

I agree with Dave's assessment, but then again I might be somewhat biased! :)

Cheers,
Halvar

----- Original Message -----
From: "Dave Aitel" <dave () immunityinc com>
To: "dailydave" <dailydave () lists immunitysec com>
Sent: Friday, December 01, 2006 9:30 PM
Subject: [Dailydave] Book Review: The Art of Software Security Assessment
Book Review: The Art of Software Security Assessment
written by Mark Dowd, John McDonald, Justin Schuh
http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426/ref=pd_bxgy_b_text_b/103-1902494-7928635
Pages: 1200

The temptation with a massive book, such as this one, is to use it as a reference. While no doubt valuable as a quick reference for people looking to know the exact problems with any given C API ("snprintf does what differently on Windows and Unix?"), this book is best read page by page. There are surprises sprinkled throughout.

Vulnerable example code is taken from real software applications, such as OpenBSD 3.6, Netscape, and OpenSSH. Of course, more than just a collection of code with mistakes highlighted, this book has a powerful methodology, complete with "Desk-checking", "Scorecards" and other useful tricks. This book is not about binary analysis; assembly language is used only to demonstrate tricky C code.

Unlike many books with multiple authors, this is an extremely well put together book that flows naturally from chapter to chapter. The chapters on C auditing are amazing. The chapters on web assessment, while not the most in-depth chapters in the book, still contain a lot of information that is covered nowhere else (servlet race conditions, for example). In fact, almost everything in this book is, if not new, covered more expertly than anywhere I've seen.

For anyone doing software security assessment, this book is required reading. All 1200 pages of it.

Score: 5/5

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave