The Art of Software Security Testing: Identifying Software Security Flaws

4,2 valoración promedio
( 20 valoraciones por GoodReads )
 
9780321304865: The Art of Software Security Testing: Identifying Software Security Flaws
Reseña del editor:

Risk-based security testing, the important subject of this book, is one of seven software security touchpoints introduced in my book, Software Security: Building Security In. This book takes the basic idea several steps forward. Written by masters of software exploit, this book describes in very basic terms how security testing differs from standard software testing as practiced by QA groups everywhere. It unifies in one place ideas from Michael Howard, David Litchfield, Greg Hoglund, and me into a concise introductory package. Improve your security testing by reading this book today." -Gary McGraw, Ph.D., CTO, Cigital; Author, Software Security, Exploiting Software, Building Secure Software, and Software Fault Injection; www.cigital.com/~gem "As 2006 closes out, we will see over 5,000 software vulnerabilities announced to the public. Many of these vulnerabilities were, or will be, found in enterprise applications from companies who are staffed with large, professional, QA teams. How then can it be that these flaws consistently continue to escape even well-structured diligent testing? The answer, in part, is that testing still by and large only scratches the surface when validating the presence of security flaws. Books such as this hopefully will start to bring a more thorough level of understanding to the arena of security testing and make us all a little safer over time." -Alfred Huger, Senior Director, Development, Symantec Corporation "Software security testing may indeed be an art, but this book provides the paint-by-numbers to perform good, solid, and appropriately destructive security testing: proof that an ounce of creative destruction is worth a pound of patching later. If understanding how software can be broken is step one in every programmers' twelve-step program to defensible, secure, robust software, then knowledgeable security testing comprises at least steps two through six." -Mary Ann Davidson, Chief Security Officer, Oracle "Over the past few years, several excellent books have come out teaching developers how to write more secure software by describing common security failure patterns. However, none of these books have targeted the tester whose job it is to find the security problems before they make it out of the R&D lab and into customer hands. Into this void comes The Art of Software Security Testing: Identifying Software Security Flaws. The authors, all of whom have extensive experience in security testing, explain how to use free tools to find the problems in software, giving plenty of examples of what a software flaw looks like when it shows up in the test tool. The reader learns why security flaws are different from other types of bugs (we want to know not only that 'the program does what it's supposed to,' but also that 'the program doesn't do that which it's not supposed to'), and how to use the tools to find them. Examples are primarily based on C code, but some description of Java, C#, and scripting languages help for those environments. The authors cover both Windows and UNIX-based test tools, with plenty of screenshots to see what to expect. Anyone who's doing QA testing on software should read this book, whether as a refresher for finding security problems, or as a starting point for QA people who have focused on testing functionality." -Jeremy Epstein, WebMethods State-of-the-Art Software Security Testing: Expert, Up to Date, and Comprehensive The Art of Software Security Testing delivers in-depth, up-to-date, battle-tested techniques for anticipating and identifying software security problems before the "bad guys" do. Drawing on decades of experience in application and penetration testing, this book's authors can help you transform your approach from mere "verification" to proactive "attack." The authors begin by systematically reviewing the design and coding vulnerabilities that can arise in software, and offering realistic guidance in avoiding them. Next, they show you ways to customize software debugging tools to test the unique aspects of any program and then analyze the results to identify exploitable vulnerabilities. Coverage includes * Tips on how to think the way software attackers think to strengthen your defense strategy * Cost-effectively integrating security testing into your development lifecycle * Using threat modeling to prioritize testing based on your top areas of risk * Building testing labs for performing white-, grey-, and black-box software testing * Choosing and using the right tools for each testing project * Executing today's leading attacks, from fault injection to buffer overflows * Determining which flaws are most likely to be exploited by real-world attackers This book is indispensable for every technical professional responsible for software security: testers, QA specialists, security professionals, developers, and more. For IT managers and leaders, it offers a proven blueprint for implementing effective security testing or strengthening existing processes. Foreword xiii Preface xvii Acknowledgments xxix About the Authors xxxi Part I: Introduction Chapter 1: Case Your Own Joint: A Paradigm Shift from Traditional Software Testing 3 Chapter 2: How Vulnerabilities Get Into All Software 19 Chapter 3: The Secure Software Development Lifecycle 55 Chapter 4: Risk-Based Security Testing: Prioritizing Security Testing with Threat Modeling 73 Chapter 5: Shades of Analysis: White, Gray, and Black Box Testing 93 Part II: Performing the Attacks Chapter 6: Generic Network Fault Injection 107 Chapter 7: Web Applications: Session Attacks 125 Chapter 8: Web Applications: Common Issues 141 Chapter 9: Web Proxies: Using WebScarab 169 Chapter 10: Implementing a Custom Fuzz Utility 185 Chapter 11: Local Fault Injection 201 Part III: Analysis Chapter 12: Determining Exploitability 233 Index 251

Biografía del autor:

Chris Wysopal is cofounder and CTO of Veracode, where he is responsible for the software security analysis capabilities of Veracode's technology. Previously he was vice president of research and development at @stake. As a member of the groundbreaking security research think tank L0pht Heavy Industries, he and his colleagues testified to the U.S. Senate that they could "take down the Internet in 30 minutes." They were praised as "modern-day Paul Reveres" by the senators for their research and warnings of computer security weaknesses. Wysopal has also testified to the U.S. House of Representatives and has spoken at the Defense Information Systems Agency (DISA), Black Hat, and West Point. He is coauthor of L0phtCrack, the password auditor used by more than 6,000 government, military, and corporate organizations worldwide. He earned his bachelor of science degree in computer and systems engineering from Rensselaer Polytechnic Institute in Troy, New York. Lucas Nelson is the technical manager for Symantec's New York region, where he is responsible for all aspects of security consulting services delivery. Within Symantec he also leads the Application Security Center of Excellence, which develops application security practices and guidelines and trains new hires in the methodology of application testing. He has taught a number of classes on both attacking and defending computer systems to several groups, including state governments and large financial institutions. Nelson worked as a developer specializing in security for a number of small startups before joining Symantec/ @stake in 2002. He researched computer security at Purdue University's CERIAS lab under the guidance of professor Eugene Spafford, graduating with a degree in computer science. Dino A. Dai Zovi is a principal member of Matasano Security, where he performs ShipSafe product penetration tests for software vendors and DeploySafe third-party software penetration tests for enterprise clients. He specializes in product, application, and operating system penetration testing and has done so in his previous roles at Bloomberg, @stake, and Sandia National Laboratories. He is also a frequent speaker on his computer security research, including presentations at the Black Hat Briefings, IEEE Information Assurance Workshop, Microsoft's internal Blue Hat Security Briefings, CanSecWest, and DEFCON. He graduated with honors with a bachelor of science in computer science and a minor in mathematics from the University of New Mexico. Elfriede Dustin is author of Effective Software Testing and lead author of Automated Software Testing and Quality Web Systems, books that have been translated into various languages and that have sold tens of thousands of copies throughout the world. The Automated Testing Lifecycle Methodology (ATLM) described in Automated Software Testing has been implemented in various companies throughout the world. Dustin has written various white papers on software testing. She teaches various testing tutorials and is a frequent speaker at software testing conferences. In support of software test efforts, Dustin has been responsible for implementing automated test and has acted as the lead consultant/manager guiding the implementation of automated and manual software testing efforts. She is cochair of VERIFY, an annual international software testing conference held in the Washington, DC area. Dustin has a bachelor of science in computer science. She has more than 15 years of IT experience and currently works as an independent consultant in the Washington, DC area. You can reach her via her Web site at www.effectivesoftwaretesting.com.

"Sobre este título" puede pertenecer a otra edición de este libro.

Los mejores resultados en AbeBooks

1.

Chris WysopalLucas NelsonDino Dai ZoviElfriede Dustin
Editorial: Prentice Hall
ISBN 10: 0321304861 ISBN 13: 9780321304865
Nuevos Cantidad: > 20
Librería
INDOO
(Avenel, NJ, Estados Unidos de America)
Valoración
[?]

Descripción Prentice Hall. Estado de conservación: New. Brand New. Nº de ref. de la librería 0321304861

Más información sobre esta librería | Hacer una pregunta a la librería

Comprar nuevo
EUR 44,01
Convertir moneda

Añadir al carrito

Gastos de envío: EUR 3,25
A Estados Unidos de America
Destinos, gastos y plazos de envío

2.

Chris Wysopal, Lucas Nelson, Shane Macaulay
Editorial: Pearson Education (US), United States (2006)
ISBN 10: 0321304861 ISBN 13: 9780321304865
Nuevos Paperback Cantidad: 1
Librería
The Book Depository US
(London, Reino Unido)
Valoración
[?]

Descripción Pearson Education (US), United States, 2006. Paperback. Estado de conservación: New. 231 x 173 mm. Language: English . Brand New Book. Risk-based security testing, the important subject of this book, is one of seven software security touchpoints introduced in my book, Software Security: Building Security In. This book takes the basic idea several steps forward. Written by masters of software exploit, this book describes in very basic terms how security testing differs from standard software testing as practiced by QA groups everywhere. It unifies in one place ideas from Michael Howard, David Litchfield, Greg Hoglund, and me into a concise introductory package. Improve your security testing by reading this book today. -Gary McGraw, Ph.D., CTO, Cigital; Author, Software Security, Exploiting Software, Building Secure Software, and Software Fault Injection; As 2006 closes out, we will see over 5,000 software vulnerabilities announced to the public. Many of these vulnerabilities were, or will be, found in enterprise applications from companies who are staffed with large, professional, QA teams. How then can it be that these flaws consistently continue to escape even well-structured diligent testing? The answer, in part, is that testing still by and large only scratches the surface when validating the presence of security flaws. Books such as this hopefully will start to bring a more thorough level of understanding to the arena of security testing and make us all a little safer over time. -Alfred Huger, Senior Director, Development, Symantec Corporation Software security testing may indeed be an art, but this book provides the paint-by-numbers to perform good, solid, and appropriately destructive security testing: proof that an ounce of creative destruction is worth a pound of patching later. If understanding how software can be broken is step one in every programmers twelve-step program to defensible, secure, robust software, then knowledgeable security testing comprises at least steps two through six. -Mary Ann Davidson, Chief Security Officer, Oracle Over the past few years, several excellent books have come out teaching developers how to write more secure software by describing common security failure patterns. However, none of these books have targeted the tester whose job it is to find the security problems before they make it out of the RD lab and into customer hands. Into this void comes The Art of Software Security Testing: Identifying Software Security Flaws. The authors, all of whom have extensive experience in security testing, explain how to use free tools to find the problems in software, giving plenty of examples of what a software flaw looks like when it shows up in the test tool. The reader learns why security flaws are different from other types of bugs (we want to know not only that the program does what it s supposed to, but also that the program doesn t do that which it s not supposed to ), and how to use the tools to find them. Examples are primarily based on C code, but some description of Java, C#, and scripting languages help for those environments. The authors cover both Windows and UNIX-based test tools, with plenty of screenshots to see what to expect. Anyone who s doing QA testing on software should read this book, whether as a refresher for finding security problems, or as a starting point for QA people who have focused on testing functionality. -Jeremy Epstein, WebMethods State-of-the-Art Software Security Testing: Expert, Up to Date, and Comprehensive The Art of Software Security Testing delivers in-depth, up-to-date, battle-tested techniques for anticipating and identifying software security problems before the bad guys do. Drawing on decades of experience in application and penetration testing, this book s authors can help you transform your approach from mere verification to proactive attack. The authors begin by systematically reviewing the design and coding vulnerabilities that can arise in software, and offering realistic guidance in avoiding them. Next, they show you ways to customize softwa. Nº de ref. de la librería AAC9780321304865

Más información sobre esta librería | Hacer una pregunta a la librería

Comprar nuevo
EUR 48,25
Convertir moneda

Añadir al carrito

Gastos de envío: GRATIS
De Reino Unido a Estados Unidos de America
Destinos, gastos y plazos de envío

3.

Wysopal, Chris; Nelson, Lucas; Dai Zovi, Dino; Dustin, Elfriede
Editorial: Addison-Wesley Professional
ISBN 10: 0321304861 ISBN 13: 9780321304865
Nuevos PAPERBACK Cantidad: 1
Librería
Cloud 9 Books
(West Palm Beach, FL, Estados Unidos de America)
Valoración
[?]

Descripción Addison-Wesley Professional. PAPERBACK. Estado de conservación: New. 0321304861 New Condition. Nº de ref. de la librería NEW6.0148572

Más información sobre esta librería | Hacer una pregunta a la librería

Comprar nuevo
EUR 47,75
Convertir moneda

Añadir al carrito

Gastos de envío: EUR 4,63
A Estados Unidos de America
Destinos, gastos y plazos de envío

4.

Chris Wysopal
Editorial: Pearson Education (2006)
ISBN 10: 0321304861 ISBN 13: 9780321304865
Nuevos Cantidad: 1
Librería
PBShop
(Wood Dale, IL, Estados Unidos de America)
Valoración
[?]

Descripción Pearson Education, 2006. PAP. Estado de conservación: New. New Book.Shipped from US within 10 to 14 business days. Established seller since 2000. Nº de ref. de la librería IB-9780321304865

Más información sobre esta librería | Hacer una pregunta a la librería

Comprar nuevo
EUR 52,16
Convertir moneda

Añadir al carrito

Gastos de envío: EUR 3,70
A Estados Unidos de America
Destinos, gastos y plazos de envío

5.

Chris Wysopal, Lucas Nelson, Shane Macaulay
Editorial: Pearson Education (US), United States (2006)
ISBN 10: 0321304861 ISBN 13: 9780321304865
Nuevos Paperback Cantidad: 1
Librería
The Book Depository
(London, Reino Unido)
Valoración
[?]

Descripción Pearson Education (US), United States, 2006. Paperback. Estado de conservación: New. 231 x 173 mm. Language: English . Brand New Book. Risk-based security testing, the important subject of this book, is one of seven software security touchpoints introduced in my book, Software Security: Building Security In. This book takes the basic idea several steps forward. Written by masters of software exploit, this book describes in very basic terms how security testing differs from standard software testing as practiced by QA groups everywhere. It unifies in one place ideas from Michael Howard, David Litchfield, Greg Hoglund, and me into a concise introductory package. Improve your security testing by reading this book today. -Gary McGraw, Ph.D., CTO, Cigital; Author, Software Security, Exploiting Software, Building Secure Software, and Software Fault Injection; As 2006 closes out, we will see over 5,000 software vulnerabilities announced to the public. Many of these vulnerabilities were, or will be, found in enterprise applications from companies who are staffed with large, professional, QA teams. How then can it be that these flaws consistently continue to escape even well-structured diligent testing? The answer, in part, is that testing still by and large only scratches the surface when validating the presence of security flaws. Books such as this hopefully will start to bring a more thorough level of understanding to the arena of security testing and make us all a little safer over time. -Alfred Huger, Senior Director, Development, Symantec Corporation Software security testing may indeed be an art, but this book provides the paint-by-numbers to perform good, solid, and appropriately destructive security testing: proof that an ounce of creative destruction is worth a pound of patching later. If understanding how software can be broken is step one in every programmers twelve-step program to defensible, secure, robust software, then knowledgeable security testing comprises at least steps two through six. -Mary Ann Davidson, Chief Security Officer, Oracle Over the past few years, several excellent books have come out teaching developers how to write more secure software by describing common security failure patterns. However, none of these books have targeted the tester whose job it is to find the security problems before they make it out of the RD lab and into customer hands. Into this void comes The Art of Software Security Testing: Identifying Software Security Flaws. The authors, all of whom have extensive experience in security testing, explain how to use free tools to find the problems in software, giving plenty of examples of what a software flaw looks like when it shows up in the test tool. The reader learns why security flaws are different from other types of bugs (we want to know not only that the program does what it s supposed to, but also that the program doesn t do that which it s not supposed to ), and how to use the tools to find them. Examples are primarily based on C code, but some description of Java, C#, and scripting languages help for those environments. The authors cover both Windows and UNIX-based test tools, with plenty of screenshots to see what to expect. Anyone who s doing QA testing on software should read this book, whether as a refresher for finding security problems, or as a starting point for QA people who have focused on testing functionality. -Jeremy Epstein, WebMethods State-of-the-Art Software Security Testing: Expert, Up to Date, and Comprehensive The Art of Software Security Testing delivers in-depth, up-to-date, battle-tested techniques for anticipating and identifying software security problems before the bad guys do. Drawing on decades of experience in application and penetration testing, this book s authors can help you transform your approach from mere verification to proactive attack. The authors begin by systematically reviewing the design and coding vulnerabilities that can arise in software, and offering realistic guidance in avoiding them. Next, they show you ways to customize softwa. Nº de ref. de la librería AAC9780321304865

Más información sobre esta librería | Hacer una pregunta a la librería

Comprar nuevo
EUR 56,34
Convertir moneda

Añadir al carrito

Gastos de envío: GRATIS
De Reino Unido a Estados Unidos de America
Destinos, gastos y plazos de envío

6.

Chris Wysopal
Editorial: Pearson Education (2006)
ISBN 10: 0321304861 ISBN 13: 9780321304865
Nuevos Cantidad: 1
Librería
Books2Anywhere
(Fairford, GLOS, Reino Unido)
Valoración
[?]

Descripción Pearson Education, 2006. PAP. Estado de conservación: New. New Book. Shipped from US within 10 to 14 business days. Established seller since 2000. Nº de ref. de la librería IB-9780321304865

Más información sobre esta librería | Hacer una pregunta a la librería

Comprar nuevo
EUR 51,73
Convertir moneda

Añadir al carrito

Gastos de envío: EUR 10,45
De Reino Unido a Estados Unidos de America
Destinos, gastos y plazos de envío

7.

Wysopal, Chris; Nelson, Lucas; Dai Zovi, Dino; Dustin, Elfriede
Editorial: Addison-Wesley Professional (2006)
ISBN 10: 0321304861 ISBN 13: 9780321304865
Nuevos Paperback Cantidad: 1
Librería
Irish Booksellers
(Rumford, ME, Estados Unidos de America)
Valoración
[?]

Descripción Addison-Wesley Professional, 2006. Paperback. Estado de conservación: New. book. Nº de ref. de la librería 0321304861

Más información sobre esta librería | Hacer una pregunta a la librería

Comprar nuevo
EUR 62,33
Convertir moneda

Añadir al carrito

Gastos de envío: GRATIS
A Estados Unidos de America
Destinos, gastos y plazos de envío

8.

Chris Wysopal, Lucas Nelson, Dino Dai Zovi, Elfriede Dustin
Editorial: Addison-Wesley Professional (2006)
ISBN 10: 0321304861 ISBN 13: 9780321304865
Nuevos Paperback Cantidad: 1
Librería
Ergodebooks
(RICHMOND, TX, Estados Unidos de America)
Valoración
[?]

Descripción Addison-Wesley Professional, 2006. Paperback. Estado de conservación: New. 1. Nº de ref. de la librería DADAX0321304861

Más información sobre esta librería | Hacer una pregunta a la librería

Comprar nuevo
EUR 60,19
Convertir moneda

Añadir al carrito

Gastos de envío: EUR 3,70
A Estados Unidos de America
Destinos, gastos y plazos de envío

9.

Wysopal, Chris; Nelson, Lucas; Dai Zovi, Dino; Dustin, Elfriede
Editorial: Addison-Wesley Professional
ISBN 10: 0321304861 ISBN 13: 9780321304865
Nuevos PAPERBACK Cantidad: 1
Librería
Movie Mars
(Indian Trail, NC, Estados Unidos de America)
Valoración
[?]

Descripción Addison-Wesley Professional. PAPERBACK. Estado de conservación: New. 0321304861 Brand New Book. Ships from the United States. 30 Day Satisfaction Guarantee!. Nº de ref. de la librería 4195416

Más información sobre esta librería | Hacer una pregunta a la librería

Comprar nuevo
EUR 62,32
Convertir moneda

Añadir al carrito

Gastos de envío: EUR 3,70
A Estados Unidos de America
Destinos, gastos y plazos de envío

10.

Wysopal, Chris, Nelson, Lucas, Dai Zovi,
Editorial: Addison-Wesley Professional (2006)
ISBN 10: 0321304861 ISBN 13: 9780321304865
Nuevos Paperback Cantidad: 3
Librería
Murray Media
(North Miami Beach, FL, Estados Unidos de America)
Valoración
[?]

Descripción Addison-Wesley Professional, 2006. Paperback. Estado de conservación: New. Nº de ref. de la librería P110321304861

Más información sobre esta librería | Hacer una pregunta a la librería

Comprar nuevo
EUR 65,18
Convertir moneda

Añadir al carrito

Gastos de envío: EUR 2,77
A Estados Unidos de America
Destinos, gastos y plazos de envío

Existen otras copia(s) de este libro

Ver todos los resultados de su búsqueda