Friday, January 12, 2007

Book Review: The Art of Software Security Testing

Tonight I'm taking a page from the taosecurity blog and reviewing a book. I'm not Richard Bejtlich, so please be kind in your critique of my critique.



While traveling over the holidays I read The Art of Software Security Testing. This is a book I wish I'd had when I first started with security. It's a book that aims to help software testing people understand security testing. In particular, I enjoyed the tone and the way the authors divided the book into three parts.



The first part, consisting of the first five chapters, is an introduction to what it means to attack software. Specific attention is paid to why one needs to test security and the mindset one needs to play the adversary. The chapter on threat modeling and risk-based testing is one that I wish had been made available as a sample-chapter PDF so that I could send it to a few people.




The second part of the book is about conducting actual attacks. Unlike other books I've read, the authors make sure to drive home the points and principles made in the first section of the book with the tools and techniques they demonstrate.



For example, the first chapter in this section, on network fault injection, uses nmap as an example when talking about port scanning and then, within a page or two, moves on. This should be commended, as I don't think enough books on information security get this right. Take, for example, the Hacking Exposed books. They tend to focus on a point and then give you thirty tools that accomplish the same task. This annoys me because it feels like fluff, and I get the impression that people read it and come away with the notion that the tools are the important part. As an aside, this strikes me as a very bad thing for the security industry as a whole, but I'll save that for another post. The only chapter in this section that seems to suffer at all from this is chapter 9, which is basically all about WebScarab.



The only downside to the second section is that I wish I had some of the code they were using for the web apps. I like to follow along when I can, and it'd be nice to try the attacks mentioned and follow along with the screenshots.



The third part, Analysis, consists of one chapter on determining exploitability. This was honestly the weakest part of the book, only because of its lack of depth in my opinion. It did an excellent job serving as an intro but didn't get into some of the nuances; I vaguely remember something in their description of how the stack is used that didn't quite sit right with me, but I can't seem to find the passage. There are other books that cover this area in great depth, so even as a "weak" section it was pretty decent.



Other interesting things I noticed in the book:



  • All screenshots were taken in OS X.

  • The @stake jokes persisted throughout the book.

  • You could tell which of the authors had written a section based on the command prompts shown.



Overall, I'd say that it's quite an enjoyable book and one that I plan on giving to software engineering friends as an introduction. As to what I learned from this book? I'd say that I didn't really learn a whole lot new, but this book helped me reorganize a lot of information that I've been using these past few years. Sometimes getting better context is better than learning new facts.