The Art of Software Security Testing
Chris Wysopal, Lucas Nelson, Dino Dai Zovi, and Elfriede Dustin
Addison-Wesley Professional, 2006
312 pp., $49.99
The Art of Software Security Testing by Chris Wysopal et al. is the first security testing book I read that includes a reputable software tester (Elfriede Dustin) among its authors. This should lend the book instant credibility with its main target audience: testers and QA engineers. Security-proficient readers will be happy to know that the main author is Chris Wysopal, one of the members of the famous L0pht Heavy Industries security research group who testified before the U.S. Senate that it is possible, and indeed within their power, to "take down the Internet in 30 minutes".
Most security testing books adopt a black-box approach, detailing security assessment and penetration testing techniques that view the "victim" -- be it a device, an operating system or an application -- as an unknown quantity (or should I say quality, since we're talking about testing) that is probed and attacked from the outside in. A few books adopt a white-box approach, teaching code inspection and secure coding techniques, viewing the software from the inside out. The Art of Software Security Testing is a fortunate blend of the two approaches, teaching its readers how to conduct what is called "gray-box testing", which is of course what you get when you combine black and white.
When it comes to assessing the security of an application, testers have one important advantage over outside attackers: they can collaborate with the designers and developers of the application and get an insider view of what the book repeatedly refers to as "the attack surface", basically the list of all the inputs and resources used by the program under test. Armed with this knowledge, testers can then apply a wealth of techniques that attempt to break the security of the application, and that can be summarized in two words -- fault injection. Indeed, the bulk of the book is devoted to the presentation of techniques and tools that assist testers as they try to make the application fail by feeding it various types of inputs (hence the term fault injection). These inputs range from carefully crafted strings used in SQL injection attacks, to random byte changes in given input files, to random strings fed as command line arguments. Two important classes of fault injection tools discussed throughout the book are proxies (such as WebScarab), which allow the attacker to intercept and modify traffic to and from the application under test, and fuzzers (such as CLI Fuzz), which allow the attacker to inject random inputs into the application. As an aside, I liked the fact that the authors discuss mostly freely available open source tools.
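To make the fault injection model concrete, here is an added example (not code from the book or its authors) of the "random byte changes in an input file" technique: a minimal mutation fuzzer in Python run against a constructed, deliberately fragile length-prefixed record parser. The parser, the seed file bytes and all function names are assumptions made for this illustration.

```python
import random

def parse_records(data: bytes) -> list:
    """Toy parser for a constructed format: repeated [1-byte length][payload].
    Payloads must be ASCII. Any malformed input raises, which is exactly the
    kind of observable failure a fuzzer is hunting for."""
    records = []
    pos = 0
    while pos < len(data):
        length = data[pos]
        payload = data[pos + 1:pos + 1 + length]
        if len(payload) != length:
            raise ValueError(f"truncated record at offset {pos}")
        records.append(payload.decode("ascii"))  # UnicodeDecodeError on bytes >= 0x80
        pos += 1 + length
    return records

def mutate(seed: bytes, rng: random.Random, max_flips: int = 4) -> bytes:
    """Fault injection step: overwrite 1..max_flips random bytes of the seed."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, max_flips)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def reproduces(target, case: bytes):
    """Re-run one input and return the exception class name it triggers, or None."""
    try:
        target(case)
        return None
    except Exception as exc:
        return type(exc).__name__

def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to target; keep the first input per distinct failure type.
    A fixed rng_seed makes every run reproducible, which matters when triaging."""
    rng = random.Random(rng_seed)
    failures = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        name = reproduces(target, case)
        if name is not None:
            failures.setdefault(name, case)
    return failures

# Constructed seed file: two well-formed records, "hello" and "abc".
SEED = b"\x05hello\x03abc"

if __name__ == "__main__":
    for name, case in fuzz(parse_records, SEED, 500).items():
        print(f"{name}: {case!r}")
```

Each saved input is a minimal crash reproducer; in real testing the target would be the application under test (or a harness around it) rather than an in-process function.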
If you are a tester trying to assess the security of an application, a developer trying to improve the security of your code, or even if you are a seasoned security practitioner trying to learn new ways to attack software, this book is for you. I, as a tester, found valuable advice right in Chapter 1: Act as a detective by applying the fault injection model, think as an attacker, prioritize your work via threat modeling, and rely heavily on automated tools. All this and more in a fairly slim book, whose size and weight make it inappropriate for a door stop -- a use I have been tempted to give to many oversized security books.