“Hunting Security Bugs” now available from Microsoft Press
This is a new security book from MSPress that focuses on security testing. I read some of the chapters a few weeks ago, and it's wonderful to add a testing perspective to the world of security. A great deal has been written about security and code quality, but virtually nothing about security testing, and certainly nothing as complete as this book; the authors, Bryan Jeffries, Lawrence Landauer and Tom Gallagher have done a wonderful job.
Chapter Listing:
- General Approach to Security Testing
- Using Threat Models for Security Testing
- Finding Entry Points
- Becoming a Malicious Client
- Becoming a Malicious Server
- Spoofing
- Information Disclosure
- Buffer Overruns and Stack and Heap Manipulation
- Format String Attacks
- HTML Scripting Attacks
- XML Issues
- Canonicalization Issues
- Finding Weak Permissions
- Denial of Service Attacks
- Managed Code Issues
- SQL Injection
- Observation & Reverse Engineering
- ActiveX Repurposing
- Additional Repurposing Attacks
- Reporting Security Bugs
Appendix A: Tools of the Trade
Appendix B: Security Test Case Cheat Sheet
More info about the book is here.
Comments
- Anonymous
September 08, 2006
Hmm, I am going to have to check this one out. I have a bunch of standard tests I use and have developed over the years for testing things like SQL injection, script injection and so on. Always good to read and see other people's views on the same thing. I might have missed something, they might have missed something I am doing, but I doubt it, but it never hurts to check it out.
- Anonymous
September 11, 2006
Another note on 'Security'