- Paperback: 208 pages
- Publisher: Addison Wesley (May 19, 2003)
- Language: English
- ISBN-10: 0321194330
- ISBN-13: 978-0321194336
- Product Dimensions: 7 x 0.5 x 9.1 inches
- Shipping Weight: 10.4 ounces
- Average Customer Review: 8 customer reviews
- Amazon Best Sellers Rank: #1,070,767 in Books
How to Break Software Security
Top customer reviews
The approach itself is to create a plan, then systematically attack. The areas of vulnerability covered include unanticipated input scenarios (which, even after decades, are still an exposure in too many applications and operating systems), finding and attacking design flaws and implementation anomalies, and leaving no potential vulnerability untested. Among these are the usual exposed ports and default names; however, there are exploits based on data, time stamping and other less common areas that are overlooked by testing professionals, and that is one of the main audiences of this book.
While the techniques and the approach in this book are sound, I would have liked the attacks presented as formal test cases, which would be more meaningful to the testing professionals who will benefit the most from this book. However, the authors do introduce the concept of security testing as an element of QA, adding to the small (but hopefully growing) body of knowledge to be used by QA. I recommend this book, as well as Exploiting Software: How to Break Code, as two books that should be read and used by software testing practitioners. The information combined in these books will, if put into practice, significantly improve the quality and security of software that is released into production.
In my opinion, the book is too dependent on the Holodeck 1.3 program provided on the CD. Rather than explaining security testing in a tool agnostic way, the book often simply explains how to use Holodeck to perform an attack. I use Linux and Holodeck is Windows only, so it was useless to me. Reviewer Yvonne Eu said the tool did not work in her test environment. Holodeck is currently maintained by Security Innovation who charge $1495 for a single user license, but they also offer a 30 day evaluation license. If the version on the CD does not work for you, these are your two options. The book is a lot less useful if Holodeck does not work for you, so bear this in mind.
The focus on Holodeck also limits the scope of the book. The use of other types of tools such as web proxies, port scanners and tools to exercise user interfaces is not adequately covered.
Finally, I was disappointed by chapter 6, which looks at security testing three applications: Windows Media Player 9.0, Mozilla 1.2.1 (for Windows), and OpenOffice 1.0.2 (for Linux). This is an ideal opportunity to dive down and show how security testing tools should be applied, common pitfalls, and hands-on techniques for finding security issues. Instead, the chapter only explains how attacks should be planned and goes no deeper.
If you are new to security testing and want an overview of some common types of tests that should be run, this book will be useful. If you are interested in using Holodeck for your testing, this book will also be useful. If you do not fall into these categories, there are other books which are a better fit. If you want more detail, I recommend trying one of the Hacking Exposed series.
There are a lot of security books.
There are a growing number of books about writing secure code.
But "How to Break Software Security" is the first on the topic of testing the software after the programmer has supposedly used secure programming techniques.
The problem is that even if a programmer reads all of the required texts on writing secure code, there are still a number of ways that the application can be broken. The book deals with 19 unique attacks that can be mounted against various software applications.
The book describes attacks that can come from all sides, ranging from attacking the software's dependencies, implementation and design to bogus error messages, fake data sources and more.
Anyone involved with software application security testing should definitely read "How to Break Software Security".
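The reviews above describe the book's attack categories (failing software dependencies, fake or corrupt data sources, unanticipated input, and checking what error handling surfaces) and one reviewer wished they had been shown in a tool-agnostic way rather than through Holodeck. The harness below is an added example written for this page, not code from the book, its CD or Holodeck: it intercepts a small program's dependencies with `unittest.mock` to inject the faults a fault-injection tool would, runs a written attack plan, and classifies what reaches the caller. The config loader, the `/srv/app/config.json` path, the `198.51.100.7` peer and the attack names are all constructed for the example; a naive loader sits beside a hardened one so the plan produces findings on one and none on the other.

```python
import errno
import json
import socket
from contextlib import contextmanager
from unittest import mock

MAX_CONFIG_BYTES = 64 * 1024


class ConfigError(Exception):
    """The only exception the hardened loader may surface; messages never include paths."""


def load_config_naive(path):
    """Hypothetical baseline: trusts every dependency, so injected faults escape unhandled."""
    with open(path, "r", encoding="utf-8") as fh:
        cfg = json.load(fh)
    if cfg.get("peer"):
        socket.create_connection((cfg["peer"], cfg["port"]), timeout=2).close()
    return cfg


def load_config(path):
    """Hardened loader: bounded input, every dependency failure mapped to ConfigError."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            raw = fh.read(MAX_CONFIG_BYTES)
    except OSError as exc:
        # Report only the errno name, never strerror/filename, so the message cannot leak the path.
        raise ConfigError("config unreadable (%s)" % errno.errorcode.get(exc.errno, "EIO")) from exc
    if len(raw) >= MAX_CONFIG_BYTES:
        raise ConfigError("config too large")
    try:
        cfg = json.loads(raw)
    except ValueError as exc:
        raise ConfigError("config is not valid JSON") from exc
    port = cfg.get("port")
    if type(port) is not int or not 1 <= port <= 65535:   # type() also rejects bool
        raise ConfigError("port must be an integer in 1..65535")
    peer = cfg.get("peer")
    if peer is not None:
        try:
            socket.create_connection((peer, port), timeout=2).close()
        except OSError as exc:   # refused, timed out, unreachable: all OSError subclasses
            raise ConfigError("peer unreachable") from exc
    return {"port": port, "peer": peer}


@contextmanager
def inject_faults(file_exc=None, file_data="", net_exc=None):
    """Intercept the loader's dependencies the way a fault-injection tool does:
    open() either raises file_exc or serves file_data; create_connection() either
    raises net_exc or returns a cooperative fake socket."""
    if file_exc is not None:
        file_patch = mock.patch("builtins.open", side_effect=file_exc)
    else:
        file_patch = mock.patch("builtins.open", mock.mock_open(read_data=file_data))
    with file_patch, mock.patch("socket.create_connection", side_effect=net_exc):
        yield


def attack(loader, path="/srv/app/config.json", **faults):
    """Run one loader under one injected fault and classify what reached the caller."""
    with inject_faults(**faults):
        try:
            loader(path)
            return "ok"
        except ConfigError as exc:
            return "leaks path" if path in str(exc) else "safe"
        except Exception as exc:   # anything else escaping is an unhandled fault
            return "unhandled " + type(exc).__name__


PEER_CFG = '{"port": 80, "peer": "198.51.100.7"}'   # constructed sample config
ATTACK_PLAN = {
    # dependency attacks: the file system refuses
    "file missing":      dict(file_exc=FileNotFoundError(errno.ENOENT, "no such file")),
    "file unreadable":   dict(file_exc=PermissionError(errno.EACCES, "permission denied")),
    # fake or corrupt data source, unanticipated input
    "file truncated":    dict(file_data='{"port": 80'),
    "port wrong type":   dict(file_data='{"port": "80"}'),
    "port out of range": dict(file_data='{"port": 70000}'),
    "oversized config":  dict(file_data=json.dumps({"port": 80, "pad": "A" * MAX_CONFIG_BYTES})),
    # dependency attacks: the network peer misbehaves
    "peer refuses":      dict(file_data=PEER_CFG, net_exc=ConnectionRefusedError(errno.ECONNREFUSED, "refused")),
    "peer times out":    dict(file_data=PEER_CFG, net_exc=socket.timeout("timed out")),
    # control case: well-formed file, cooperative peer
    "control":           dict(file_data=PEER_CFG),
}


def run_plan(loader, plan=ATTACK_PLAN):
    """Return {attack name: verdict} for one loader."""
    return {name: attack(loader, **faults) for name, faults in plan.items()}


def findings(results):
    """Attacks whose verdict is neither 'ok' nor 'safe' are the findings to fix."""
    return sorted(name for name, verdict in results.items() if verdict not in ("ok", "safe"))
```

Run `run_plan(load_config_naive)` and the file and network faults surface as unhandled `FileNotFoundError`, `PermissionError`, `JSONDecodeError` and connection errors, while `run_plan(load_config)` reports every attack as "safe" and the control as "ok". The harness classifies only what escapes: a verdict of "ok" for the naive loader on `"port": "80"` means the bad value was accepted silently, which is a separate check a tester would add to the plan.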
Once again Whittaker's approach is hands-on examples. Even if some examples don't apply to modern software, the idea behind it is to get you thinking. I've applied the techniques in this book with extremely great results.