“Hunting Security Bugs” now available from Microsoft Press
This is a new security book from MSPress that focuses on security testing. I read some of the chapters a few weeks ago, and it's wonderful to add a testing perspective to the world of security. A great deal has been written about security and code quality, but virtually nothing about security testing, and certainly nothing as complete as this book; the authors, Bryan Jeffries, Lawrence Landauer and Tom Gallagher have done a wonderful job.
Chapter Listing:
- General Approach to Security Testing
- Using Threat Models for Security Testing
- Finding Entry Points
- Becoming a Malicious Client
- Becoming a Malicious Server
- Spoofing
- Information Disclosure
- Buffer Overruns and Stack and Heap Manipulation
- Format String Attacks
- HTML Scripting Attacks
- XML Issues
- Canonicalization Issues
- Finding Weak Permissions
- Denial of Service Attacks
- Managed Code Issues
- SQL Injection
- Observation & Reverse Engineering
- ActiveX Repurposing
- Additional Repurposing Attacks
- Reporting Security Bugs
Appendix A: Tools of the Trade
Appendix B: Security Test Case Cheat Sheet
More info about the book is here.