BKSWVLGD.RVW   20051109

"The Software Vulnerability Guide", Herbert H. Thompson/Scott G. Chase, 2005, 1-58450-358-0, U$49.95/C$64.95
%A   Herbert H. Thompson
%A   Scott G. Chase
%C   403 VFW Drive, PO Box 417, Rockland, MA 02370
%D   2005
%G   1-58450-358-0
%I   Charles River Media
%O   U$49.95/C$64.95 800-382-8505 fax 6178714376 info@charlesriver.com
%O  http://www.amazon.com/exec/obidos/ASIN/1584503580/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1584503580/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1584503580/robsladesin03-20
%O   Audience a- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   354 p. + CD-ROM
%T   "The Software Vulnerability Guide"

As part one is an introduction to security and vulnerabilities, chapter one is what would normally be the introduction or preface to the book. The content is surprisingly vague about the intention of, and audience for, the text. A few security and network topics make up chapter two. Miscellaneous security utilities are listed in chapter three.

Part two looks at system level attacks. Chapter four examines some issues with access control and privilege. Password strength is the topic of chapter five, but a lot of space is devoted to code for a cracking program. Scripts, and some of the ways they can be used maliciously, are mentioned in chapter six. Chapter seven examines some of the ways that the use of dynamic link libraries can affect security.

Part three reviews data parsing. Chapter eight contains a clear explanation of buffer overflows, although it takes a great deal of space to convey relatively limited information. An unclear exposition on proprietary data formats and the corruption of files is in chapter nine. The material on format strings, in chapter ten, describes one particular case involving the lack of strong data typing, malformed input data, and buffer overflows. Chapter eleven remarks that integer overflows can be prevented by testing values at the extremes of expected ranges.
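The remark on chapter eleven, that integer overflows are caught by testing at the extremes of the expected range, is easier to appreciate with a concrete case. The following is an added example written for this review page; it is not code from the book, and the function names and the element size of 16 bytes are assumptions made for illustration. It contrasts a naive 32-bit size computation with a checked one and probes both at the boundary values, which is exactly where the wrap-around appears.

```c
#include <stdint.h>
#include <stdio.h>

/* Naive size computation: count * elem_size is evaluated in 32-bit
 * arithmetic and silently wraps, so a very large count can yield a
 * tiny allocation size (the classic integer overflow precondition). */
uint32_t naive_buffer_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Checked version: returns 1 and stores the product when it fits in
 * 32 bits, returns 0 (and leaves *out untouched) when it would wrap. */
int checked_buffer_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Convenience wrapper: 1 if the product fits, 0 if it would overflow. */
int checked_fits(uint32_t count, uint32_t elem_size)
{
    uint32_t unused;
    return checked_buffer_size(count, elem_size, &unused);
}

/* Boundary-value test in the spirit of the chapter's advice: probe the
 * smallest values, a "normal" value, the largest count that still fits,
 * the first count that does not, and the maximum representable count.
 * Returns how many probes the naive computation gets wrong (i.e. where it
 * wraps while the checked version rejects), or -1 for an invalid
 * element size (the division below needs elem_size > 0). */
int count_wrapping_inputs(uint32_t elem_size)
{
    if (elem_size == 0)
        return -1;

    const uint32_t probes[] = {
        0, 1, 1024,
        UINT32_MAX / elem_size,        /* largest count that still fits   */
        UINT32_MAX / elem_size + 1,    /* first count that wraps          */
        UINT32_MAX                     /* maximum representable count     */
    };
    int wrapped = 0;

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t checked;
        int fits = checked_buffer_size(probes[i], elem_size, &checked);
        uint32_t naive = naive_buffer_size(probes[i], elem_size);
        /* When the product does not fit, the naive result is a wrapped
         * value that a caller would happily pass to malloc(). */
        if (!fits)
            wrapped++;
        else if (naive != checked)
            wrapped++;   /* should never happen; kept as a sanity check */
    }
    return wrapped;
}

int main(void)
{
    /* Assumed element size of 16 bytes; any non-zero size shows the effect. */
    uint32_t count = UINT32_MAX / 16 + 1;   /* 268435456, wraps to 0 */
    printf("naive size for count %u: %u\n", count, naive_buffer_size(count, 16));
    printf("checked size fits? %d\n", checked_fits(count, 16));
    printf("boundary probes that wrap: %d\n", count_wrapping_inputs(16));
    return 0;
}
```

Note that the wrap at the boundary produces a size of 0, so a subsequent allocation succeeds and every following write is out of bounds; that is why the check belongs on the arithmetic, not only on the final pointer.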
Part four surveys information disclosure issues. Chapter twelve says that passwords should not be stored in plain text and notes some (rather complicated) ways to test for programs that do make this mistake. Dangers in the sloppy use of temporary files are addressed in chapter thirteen. The reuse of memory is covered in chapter fourteen, along with issues of garbage collection. Chapter fifteen is supposed to deal with finding memory traces left in the swap file, but really only searches for text from a deleted file on a floppy disk.

Part five looks at network activity. Chapter sixteen discusses various versions of spoofing. Reducing the amount of information given in response to probes and errors is suggested in chapter seventeen.

Part six turns specifically to Web sites. Chapter eighteen outlines cross-site scripting, although it does not do well at explaining how the attack would work in the real world. Careless programming of the Common Gateway Interface (CGI) is deplored in chapter nineteen, and a few other malicious possibilities are explored in chapter twenty. SQL injection is outlined in chapter twenty-one. A grab bag of other Web issues is in chapter twenty-two.

Part seven finishes off with chapter twenty-three encouraging the reader to learn from the mistakes of others.

The chapters are very short, and so the material is quite terse. It is also poorly structured, and generally far from complete. In some cases the content deals at great length with one specific problem in one specific language, while other more sweeping issues are barely mentioned. The security literature is certainly deficient in titles dealing with the practice of secure programming and development, but this work, even though it does contain any number of valuable tips, does not deal with the need for application development security in a complete and straightforward fashion.

copyright Robert M. Slade, 2005   BKSWVLGD.RVW   20051109