BKASWSCT.RVW   20080512

"The Art of Software Security Testing", Chris Wysopal et al, 2007,
0-321-30486-1, U$49.99/C$61.99
%A   Chris Wysopal
%A   Lucas Nelson
%A   Dino Dai Zovi
%A   Elfriede Dustin
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2007
%G   0-321-30486-1
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$61.99 416-447-5101 800-822-6339 bkexpress@aw.com
%O   http://www.amazon.com/exec/obidos/ASIN/0321304861/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0321304861/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321304861/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   266 p.
%T   "The Art of Software Security Testing"

The preface states that the book is directed at developers who need to know how to test for vulnerabilities. Once you get into the text it is clear that the intent is a bit more specific than that: the work promotes the idea of using the same type of vulnerability scanning tools that blackhats and intruders will be using against you.

Part one is an introduction to the basic process of application penetration or vulnerability testing. In chapter one the authors seem to think the idea of application penetration testing is a radically new idea, and that the use of attacker tools will provide much greater protection than other methods. (The fact that this only detects vulnerabilities that are already known and have already been exploited is not examined.) A laundry list of bad programming practices is provided in chapter two, but there is no discussion of which type of testing will help against the various problems. The stages of the system development life cycle (SDLC) (and secure system development lifecycle, or SSDL) are described in chapter three, but there is little note of the types of testing relevant to each phase. Chapter four outlines threat modelling, but doesn't explain how testing for known vulnerabilities assists in the design process. Some components for a testing environment are mentioned in chapter five.

Part two reviews the processes of a few attacks. Chapter six looks at the injection of malformed data packets. A few attacks against Web sessions are reported in chapter seven. SQL (Structured Query Language) attacks are discussed in chapter eight. Chapter nine describes the WebScarab Web proxy, and its use in intercepting traffic to and from Web sites. Some code that might be used with the SOAPy (related to the Simple Object Access Protocol) API (Application Programming Interface) to create a tool for fuzzing (submitting semi-random data to a program for testing) makes up chapter ten. A few other tools are listed in chapter eleven.

Part three, supposedly about analysis, contains one final chapter with a short deliberation on the ability to exploit different vulnerabilities.

"How to Break Web Software" (cf. BKHTBWSW.RVW) does a much better job of describing not only the attacks against Web applications (the primary focus of Wysopal and friends), but also the defensive measures that can be taken. (And in fewer pages, too.) "Software Security: Building Security In" (cf. BKSWSBSI.RVW) covers a wider range of testing, and notes the types appropriate to different stages of the development process. This work registers a few tools, but is limited and of restricted usefulness.

copyright Robert M. Slade, 2008