Author: Chris Wysopal et al
Publisher: Addison Wesley, 2006
Aimed at: Security testers
Pros: Overview of security
Cons: Introductory level
Reviewed by: Dave Wheeler
The back cover of this book states “offers a proven blueprint for implementing effective security testing or strengthening of existing processes.” I must have missed it, because I didn’t find a blueprint for anything. Instead, this book provided a solid enough, but introductory overview of security testing, along with some really practical advice on how to test software for exploits.
Divided into three parts, it first introduces various aspects of the Secure Software Development Lifecycle (SSDL) before examining how to write security tests before concluding with a section on analysis. My feeling is that the first section of the book does not provide enough guidance or detail to materially alter the way that security is considered; even if it did, the level of organisational change that would be involved in most cases cannot be accurately reflected in any book, let alone one that only dedicates only 100 or so pages to this area.
From a developer’s perspective, I found that there was much in this book that has been covered comprehensively elsewhere: all of the usual suspects ranging from the misuse of strcpy() to SQL Injection were present. What I liked about this book, though, was the way that it presented the material from the point of how to actually perform security tests. There’s a lot of coverage of tools and techniques that can be used, although occasionally I found some these to be poorly explained. This makes the second part of the book by far the most valuable to a day-to-day tester or developer.
There was the odd moment of frustration when the book suddenly drew a line under a topic and moved on without really seeing the subject through. To give an example, I was getting excited about how to use “Phase Space Analysis” (PSA) to examine the strength of a session ID. Not really knowing much about PSA, I was expecting some explanation of how it worked... but then there was nothing but a link to an external source. The book had thus showed me how to perform a test, and even shown some results, that I couldn’t interpret the results of and which it didn’t bother to explain. Although I do know that I can make the results look nice by generating a QuickTime movie from them!
I like security books in general, and overall I liked this one as well. However, it’s likely to appeal to testers somewhat more than developers, who would probably be advised to stick with Howard and LeBlanc’s “Writing Secure Code, 2nd Edition”, ISBN: 978-0735617223. My concern is that if you are already a security tester, then you’ll already know what’s in this book. And if you’re looking to really overhaul your organisation’s approach to writing secure code you’ll need a lot more help than this book will provide.
<Reviewed in VSJ>