Dailydave mailing list archives

Re: Book Review: The Art of Software Security Assessment


From: "Halvar Flake" <halvar () gmx de>
Date: Sat, 2 Dec 2006 16:31:28 +0100

Hey all,

I agree with Dave's assessment, but then again I might
be somewhat biased ! :)

Cheers,
Halvar
----- Original Message ----- 
From: "Dave Aitel" <dave () immunityinc com>
To: "dailydave" <dailydave () lists immunitysec com>
Sent: Friday, December 01, 2006 9:30 PM
Subject: [Dailydave] Book Review: The Art of Software Security Assessment


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Book Review: The Art of Software Security Assessment
written by Mark Dowd, John McDonald, Justin Schuh
http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426/ref=pd_bxgy_b_text_b/103-1902494-7928635
Pages: 1200

The temptation with a massive book, such as this one, is to use it as
a reference. While no doubt valuable as a quick reference for people
looking to know the exact problems with any given C API ("snprintf
does what differently on Windows and Unix?"), this book is best read
page by page. There are surprises sprinkled throughout.  Vulnerable
example code is taken from real software applications, such as OpenBSD
3.6, Netscape, and OpenSSH. Of course, more than just a collection of
code with mistakes highlighted, this book has a powerful methodology,
complete with "Desk-checking", "Scorecards" and other useful tricks.
This book is not about binary analysis; assembly language is used only
to demonstrate tricky C code.

Unlike many books with multiple authors, this is an extremely well put
together book that flows naturally from chapter to chapter. The
chapters on C auditing are amazing. The chapters on web assessment,
while not the most in-depth chapters in the book, still contain a lot
of information that is covered nowhere else (servlet race conditions,
for example).

In fact, almost everything in this book is, if not new, covered more
expertly than anywhere I've seen. For anyone doing software security
assessment, this book is required reading. All 1200 pages of it.

Score: 5/5

- -dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFFcJDoB8JNm+PA+iURAiq7AJ49uq2jA+1CKtjuGS+iSJOYhZ8bXQCgkHKO
+93PGEQ3HWXUw8GKy5s458M=
=O+2X
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave 

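An added illustration of the snprintf point the review raises in passing (this is example code written for this archive page, not code from the book or from either poster). C99 snprintf always NUL-terminates when size > 0 and returns the length the full output would have had, which can exceed size; the older contract (pre-C99 libcs, old MSVC _snprintf) returns -1 on truncation and leaves the buffer unterminated. The common "off += snprintf(buf + off, size - off, ...)" loop is wrong under both, in different ways. The legacy behaviour is emulated here with a wrapper (an assumption of the example, so both flavours can run on one host), and the input strings are constructed for the demo.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Signature shared by the two snprintf flavours compared below. */
typedef int (*snprintf_fn)(char *, size_t, const char *, ...);

/* C99 contract: NUL-terminates (size > 0) and returns the length the full
   output WOULD have had, which may be larger than size. */
static int c99_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Emulation (assumed for this example) of the legacy contract: on truncation
   the buffer is filled to the brim, -1 is returned and NO NUL is written. */
static int legacy_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    char tmp[256];                        /* scratch; enough for this demo */
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(tmp, sizeof tmp, fmt, ap);
    va_end(ap);
    if (n < 0) return -1;
    if ((size_t)n >= size) {              /* does not fit: no NUL, report -1 */
        memcpy(buf, tmp, size);
        return -1;
    }
    memcpy(buf, tmp, (size_t)n + 1);
    return n;
}

typedef struct {
    size_t off;        /* offset the loop ends up believing in */
    int    wrapped;    /* off > size: the next (size - off) would underflow */
    int    terminated; /* a NUL exists somewhere in the first size bytes */
} join_result;

/* The naive idiom. Under C99 a truncated call returns the full length, so off
   overshoots and the next size - off wraps to a huge size_t (unbounded write).
   Under the legacy contract -1 moves off BACKWARDS and leaves no terminator.
   The loop stops before issuing the wrapped call so the state is observable. */
static join_result join_naive(snprintf_fn fn, char *buf, size_t size,
                              const char *const *parts, size_t nparts)
{
    join_result r = {0, 0, 0};
    for (size_t i = 0; i < nparts; i++) {
        int n = fn(buf + r.off, size - r.off, "%s;", parts[i]);
        r.off += (size_t)n;               /* the bug: unchecked return value */
        if (r.off > size) { r.wrapped = 1; break; }
    }
    r.terminated = memchr(buf, '\0', size) != NULL;
    return r;
}

/* Hardened form: a negative return or one that does not fit is an error, so
   off never passes size and the buffer is terminated on success.
   Returns the final length, or -1 if the parts would not fit. */
static int join_checked(snprintf_fn fn, char *buf, size_t size,
                        const char *const *parts, size_t nparts)
{
    size_t off = 0;
    for (size_t i = 0; i < nparts; i++) {
        int n = fn(buf + off, size - off, "%s;", parts[i]);
        if (n < 0 || (size_t)n >= size - off) return -1;
        off += (size_t)n;
    }
    return (int)off;
}

/* Constructed input: three fields needing 47 bytes, joined into 32. */
static const char *const PARTS[] = {"user=alice", "role=admin",
                                    "session=0123456789abcdef"};
enum { NPARTS = 3, BUFSZ = 32 };

/* Buffer is pre-filled with a non-zero byte so a missing NUL is detectable. */
static join_result run_naive(int legacy)
{
    char buf[BUFSZ];
    memset(buf, 'A', sizeof buf);
    return join_naive(legacy ? legacy_snprintf : c99_snprintf,
                      buf, sizeof buf, PARTS, NPARTS);
}

static int run_checked(int legacy, size_t nparts)
{
    char buf[BUFSZ];
    return join_checked(legacy ? legacy_snprintf : c99_snprintf,
                        buf, sizeof buf, PARTS, nparts);
}

int main(void)
{
    join_result c = run_naive(0), l = run_naive(1);
    printf("C99:    off=%zu wrapped=%d terminated=%d\n", c.off, c.wrapped, c.terminated);
    printf("legacy: off=%zu wrapped=%d terminated=%d\n", l.off, l.wrapped, l.terminated);
    printf("checked: %d (3 parts), %d (2 parts)\n", run_checked(0, 3), run_checked(0, 2));
    return 0;
}
```

With C99 semantics the naive loop ends at off=47 in a 32-byte buffer (the next iteration would pass size - off wrapped to near SIZE_MAX); with the legacy contract it ends at off=21 with no NUL anywhere in the buffer. The checked variant refuses both cases and returns 22 when only the two fitting parts are joined.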

