Channels ▼


Security Testing

Grig can be contacted at
The Art of Software Security Testing
Chris Wysopal, Lucas Nelson, Dino Dai Zovi, and Elfriede Dustin
Addison-Wesley Professional, 2006
312 pps., $49.99
ISBN-10 0321304861

The Art of Software Security Testing by Chris Wysopal et al., is the first security testing book I read that includes a reputable software tester (Elfriede Dustin) among its authors. This should lend the book instant credibility with its main target audience: Testers and QA engineers. The security proficient readers will be happy to know that the main author is Chris Wysopal, one of the members of the famous L0pht Heavy Industries security research group who testified before the U.S. Senate that it is possible and indeed within their power to "take down the Internet in 30 minutes".

Most security testing books adopt a black-box approach, detailing security assessment and penetration testing techniques that view the "victim" -- be it a device, an operating system or an application -- as an unknown quantity (or should I say quality, since we're talking about testing) that is probed and attacked from the outside in. A few books adopt a white-box approach, teaching code inspection and secure coding techniques, viewing the software from the inside out. The Art of Software Security Testing is a fortunate blend of the two approaches, teaching its readers how to conduct what is called "gray-box testing", which is of course what you get when you combine black and white.

When it comes to assessing the security of an application, testers have one important advantage over outside attackers: they can collaborate with the designers and developers of the application and get an insider view of what the book repeatedly refers to as "the attack surface", basically the list of all the inputs and resources used by the program under test. Armed with this knowledge, testers can then apply a wealth of techniques that attempt to break the security of the application, and that can be summarized in two words -- fault injection. Indeed, the bulk of the book is devoted to the presentation of techniques and tools that assist testers as they try to make the application fail by feeding it various types of inputs (hence the term fault injection). These inputs range from carefully crafted strings used in SQL Injection attacks, to random byte changes in given input files, to random strings fed as command line arguments. Two important classes of fault injection tools discussed throughout the book are proxies (such as WebScarab) which allow the attacker to intercept and modify traffic to and from the application under test, and fuzzers (such as CLI Fuzz) which allow the attacker to inject random inputs into the application. As an aside, I liked the fact that the authors discuss mostly freely available open source tools.

If you are a tester trying to assess the security of an application, a developer trying to improve the security of your code, or even if you are a seasoned security practitioner trying to learn new ways to attack software, this book is for you. I, as a tester, found valuable advice right in Chapter 1: Act as a detective by applying the fault injection model, think as an attacker, prioritize your work via threat modeling, and rely heavily on automated tools. All this and more in a fairly slim book, whose size and weight make it inappropriate for a door stop -- a use I have been tempted to give to many oversized security books.

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.