“Hunting Security Bugs” now available from Microsoft Press

This is a new security book from MSPress that focuses on security testing. I read some of the chapters a few weeks ago, and it’s wonderful to add a testing perspective to the world of security. A great deal has been written about security and code quality, but virtually nothing about security testing, and certainly nothing as complete as this book; the authors, Bryan Jeffries, Lawrence Landauer and Tom Gallagher have done a wonderful job.

Chapter Listing:

  • General Approach to Security Testing
  • Using Threat Models for Security Testing
  • Finding Entry Points
  • Becoming a Malicious Client
  • Becoming a Malicious Server
  • Spoofing
  • Information Disclosure
  • Buffer Overruns and Stack and Heap Manipulation
  • Format String Attacks
  • HTML Scripting Attacks
  • XML Issues
  • Canonicalization Issues
  • Finding Weak Permissions
  • Denial of Service Attacks
  • Managed Code Issues
  • SQL Injection
  • Observation & Reverse Engineering
  • ActiveX Repurposing
  • Additional Repurposing Attacks
  • Reporting Security Bugs
Appendix A: Tools of the Trade

Appendix B: Security Test Case Cheat Sheet

More info about the book is here.

Comments (4)

  1. Jeff Parker says:

    Hmm, I am going to have to check this one out. I have a bunch of standard tests I use and have developed over the years for testing things like SQL injection, script injection and so on. Always good to read and see other people's views on the same thing. I might have missed something, they might have missed something I am doing, but I doubt it, but it never hurts to check it out.

  2. Drew says:

    Sweet! That goes on the list of books I’ll get my boss to buy. Yes, "Writing Secure Code" was already on the list and already purchased.

    Drew the ex-‘softie

    (I watch other people’s cars now when I smoke. Yeah, I’m that guy.)

  3. Devi Setiawan says:

    Another note on ‘Security’