How to Break Software Security
James A. Whittaker, Florida Institute of Technology
Herbert H. Thompson, Security Innovation

ISBN-10: 0321194330
ISBN-13: 9780321194336

Publisher: Addison-Wesley
Copyright: 2004
Format: Paper Bound w/CD-ROM; 208 pp
Published: 05/09/2003

Suggested retail price: $44.60
Buy from myPearsonStore

How to Break Software Security describes the general problem of software security in a practical perspective from a software tester's point of view. It defines prescriptive techniques (attacks that testers can use on their own software) that are designed to ferret out security vulnerabilities in software applications. The book's style is easy to read and provides readers with the techniques and advice to hunt down security bugs and see that they're destroyed before the software is released.

Accompanying the book is a CD-ROM containing Holodeck, which tests for security vulnerabilities. There are also a number of bug-finding tools, freeware, and an easy-to-use port scanner included on the CD-ROM.

  • Uses a practical hands-on approach to testing your software for security vulnerabilities.
  • Focuses your security tests on the most common places that security vulnerabilities occur:

    • The User Interface

    • Software Dependencies

    • Design

    • Process and Memory

  • Contains numerous examples drawn from commercial applications.
  • Includes end-of-chapter exercises and a glossary of terms.
  • Comes with a CD-ROM featuring Holodeck, a Windows-based testing software.

(Chapters 1-6 conclude with a “Conclusion,” “Exercises,” and “References.” Chapter 7 concludes with a “Conclusion” and “References” and the Appendices conclude with only “References.”)

Preface.


Dedication.


Chapter Summaries.

I. INTRODUCTION.

1. A Fault Model for Software Security Testing.

Why Security Testing is Different.

A Fault Model for Security Vulnerabilities.

Security Concerns and the How to Break Software Fault Model.

Creating an Attack Plan.

A Note on Format.

II. CREATING UNANTICIPATED USER INPUT SCENARIOS.

2. Attacking Software Dependencies.

First Attack: Block access to libraries.

Second Attack: Manipulate the application's registry values.

Third Attack: Force the application to use corrupt files.

Fourth Attack: Manipulate and replace files that the application creates, reads from, writes to or executes.

Fifth Attack: Force the application to operate in low memory, disk space and network availability conditions.

Summary: A Checklist for Battle.

3. Breaking Security through the User Interface.

First Attack: Overflow input buffers.

Second Attack: Examine all common switches and options.

Third Attack: Explore escape characters, character sets and commands.

Summary: A Checklist for Battle.

III. DESIGN AND IMPLEMENTATION ATTACKS.

4. Attacking Design.

First Attack: Try common default and test account names and passwords.

Second Attack: Use Holodeck to expose unprotected test APIs.

Third Attack: Connect to all ports.

Fourth Attack: Fake the source of data.

Fifth Attack: Create loop conditions in any application that interprets script, code or other user supplied logic.

Sixth Attack: Use alternate routes to accomplish the same task.

Seventh Attack: Force the system to reset values.

Summary: A Checklist for Battle.

5. Attacking Implementation.

First Attack: Get between time of check and time of use.

Second Attack: Create files with the same name as files protected with a higher classification.

Third Attack: Force all error messages.

Fourth Attack: Use Holodeck to look for temporary files and screen their contents for sensitive information.

Summary: A Checklist for Battle.

IV. APPLYING THE ATTACKS.

6. Putting it All Together.

Pre-Attack Preparations.

Opponent#1: Microsoft Windows Media Player 9.0 (Windows).

Opponent#2: Mozilla 1.2.1 (Windows).

Opponent#3: OpenOffice.org 1.0.2 (Linux).

V. CONCLUSION.

7. Some Parting Advice.

How Secure is Secure?

Mining Gold from Bug Databases.

Final Words of Wisdom.

APPENDICES.

Glossary of Coding, Testing, and Software Security Terms.

Appendix A. Using the Tools on the Accompanying CD.

Surveying the Tools.

Holodeck.

Port Scanner.

Appendix B. Software's Invisible Users.

Where Errors Slip In.

The Human User.

The Operating System User.

The API User.

The File System User.

Index.

  • PowerPoints
    Whittaker & Thompson
    © 2004 | Addison-Wesley | On-line Supplement | Estimated Availability: 01/01/2004
    ISBN-10: 0321362292 | ISBN-13: 9780321362292

    PowerPoints
    Whittaker & Thompson
    © 2004 | Addison-Wesley | On-line Supplement | Estimated Availability: 01/01/2004
    ISBN-10: 0321362292 | ISBN-13: 9780321362292

    Downloadable files:

    Help downloading files

    View Downloadable Files

  • Solutions to Exercises
    Whittaker & Thompson
    © 2004 | Addison-Wesley | On-line Supplement | Estimated Availability: 01/01/2004
    ISBN-10: 0321362284 | ISBN-13: 9780321362285

    Solutions to Exercises
    Whittaker & Thompson
    © 2004 | Addison-Wesley | On-line Supplement | Estimated Availability: 01/01/2004
    ISBN-10: 0321362284 | ISBN-13: 9780321362285

    Downloadable files:

    Help downloading files

    View Downloadable Files

Pearson Higher Education offers special pricing when you choose to package your text with other student resources. If you're interested in creating a cost-saving package for your students, contact your Pearson Higher Education representative for pricing and ordering information.

Pearson Higher Education offers special pricing when you choose to package your text with other student resources. If you're interested in creating a cost-saving package for your students contact your Pearson Higher Education representative.


Copyright ©2008 Pearson Education. All rights reserved. Legal Notice | Privacy Policy | Permissions