[Dailydave] Book Review: The Art of Software Security Assessment

Halvar Flake halvar at gmx.de
Sat Dec 2 10:31:28 EST 2006


Hey all,

I agree with Dave's assessment, but then again I might
be somewhat biased ! :)

Cheers,
Halvar
----- Original Message ----- 
From: "Dave Aitel" <dave at immunityinc.com>
To: "dailydave" <dailydave at lists.immunitysec.com>
Sent: Friday, December 01, 2006 9:30 PM
Subject: [Dailydave] Book Review: The Art of Software Security Assessment


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Book Review: The Art of Software Security Assessment
> written by Mark Dowd, John McDonald, Justin Schuh
> http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426/ref=pd_bxgy_b_text_b/103-1902494-7928635
> Pages: 1200
>
> The temptation with a massive book, such as this one, is to use it as
> a reference. While no doubt valuable as a quick reference for people
> looking to know the exact problems with any given C API ("snprintf
> does what differently on Windows and Unix?"), this book is best read
> page by page. There are surprises sprinkled throughout.  Vulnerable
> example code is taken from real software applications, such as OpenBSD
> 3.6, Netscape, and OpenSSH. Of course, more than just a collection of
> code with mistakes highlighted, this book has a powerful methodology,
> complete with "Desk-checking", "Scorecards" and other useful tricks.
> This book is not about binary analysis; assembly language is used only
> to demonstrate tricky C code.
>
> Unlike many books with multiple authors, this is an extremely well put
> together book that flows naturally from chapter to chapter. The
> chapters on C auditing are amazing. The chapters on web assessment,
> while not the most in-depth chapters in the book, still contain a lot
> of information that is covered nowhere else (servlet race conditions,
> for example).
>
> In fact, almost everything in this book is, if not new, covered more
> expertly than anywhere I've seen. For anyone doing software security
> assessment, this book is required reading. All 1200 pages of it.
>
> Score: 5/5
>
> - -dave
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
>
> iD8DBQFFcJDoB8JNm+PA+iURAiq7AJ49uq2jA+1CKtjuGS+iSJOYhZ8bXQCgkHKO
> +93PGEQ3HWXUw8GKy5s458M=
> =O+2X
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave 
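The snprintf quip in the quoted review points at a real audit item: C99 snprintf returns the length the full output would have had, not the number of bytes it actually wrote, while the Windows _snprintf of that era returns -1 on truncation and does not NUL-terminate. Code that adds raw return values to a running offset walks off the end of the buffer once one call truncates. The following is an added example, not code from the book or from either post; the buffer size, the sample strings and the helper names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* What the naive "off += snprintf(...)" pattern computes: the would-be lengths,
 * summed without regard to the buffer. snprintf(NULL, 0, ...) is legal in C99
 * and writes nothing, so this only measures; the real bug would write past buf.
 */
size_t naive_offset(size_t size, const char *a, const char *b)
{
    size_t off = 0;
    off += (size_t)snprintf(NULL, 0, "%s", a);
    off += (size_t)snprintf(NULL, 0, "/%s", b);
    (void)size;              /* the naive code never compares off against size */
    return off;              /* can exceed size; using it as an offset is the overflow */
}

/* Hardened append: format into buf[off..size), return the new offset, and
 * clamp on truncation so the offset never passes the terminating NUL.
 * Also treats a negative return (encoding error, or Windows-style -1) as
 * truncation, so the caller cannot mistake it for progress.
 */
size_t safe_append(char *buf, size_t size, size_t off,
                   const char *fmt, const char *arg, int *truncated)
{
    if (size == 0 || off >= size) {       /* nothing left to write into */
        *truncated = 1;
        return off;
    }
    int n = snprintf(buf + off, size - off, fmt, arg);
    if (n < 0) {                          /* error or -1 on truncation (Windows) */
        buf[size - 1] = '\0';             /* Windows _snprintf may not NUL-terminate */
        *truncated = 1;
        return off;
    }
    if ((size_t)n >= size - off) {        /* C99: n is the would-be length */
        *truncated = 1;
        return size - 1;                  /* NUL now sits at buf[size-1] */
    }
    return off + (size_t)n;
}

int main(void)
{
    char buf[16];                         /* constructed: deliberately small */
    int tr = 0;
    size_t off = safe_append(buf, sizeof buf, 0, "%s", "filesystem", &tr);
    off = safe_append(buf, sizeof buf, off, "/%s", "document.txt", &tr);
    printf("naive offset=%zu (buffer is %zu)\n",
           naive_offset(sizeof buf, "filesystem", "document.txt"), sizeof buf);
    printf("safe offset=%zu truncated=%d buf=\"%s\"\n", off, tr, buf);
    return 0;
}
```

When auditing, the thing to grep for is the accumulation itself: any `off += snprintf(` or `len += snprintf(` with no comparison against the buffer size afterwards is a candidate, and on Windows builds the -1 return makes the same pattern underflow a size_t on the very next call.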