Book Reviews

Book Review: The Art of Software Security Assessment


By Stephen Northcutt

The Art of Software Security Assessment, Dowd, McDonald, Schuh, Addison Wesley Press

This is one of those rare security books that has a chance to revolutionize the industry the way Applied Cryptography, Snort 2.0, or Hacking Exposed did. We rarely post book reviews in the Leadership Laboratory, but we will for truly groundbreaking books. The longer you wait to read this book, the further you will fall behind. Nuff said?

Every week that goes by we see an increasing understanding in the community of how important secure software is, and that it takes the appropriate development process to create it. This book is hitting the marketplace at the perfect time. I hope the authors and publishing team have a runaway success; they deserve it. I also hope people will be encouraged by this book: secure software development is certainly possible, and this book clearly shows that. It takes management support in terms of resources, training, and good process, but it can certainly be done.

The book runs to 1128 content pages, and much of this material will be things you have picked up in other places, such as other books or courses you have taken. Much of it will be things you once knew and forgot. But this is the most complete book on software security available, covering Windows, Unix, network protocols, web applications, and other applications.

What I particularly love is that the majority of the information is very accessible; the authors have worked hard to be clear and understandable. Please do not get me wrong: if you have never written a line of code, you are going to be lost during the code examples. The only signpost you get is the occasional bolded line, but you will still be able to follow the discussion before the code example and right after it.

Section one of the book is called An Introduction to Software Security Assessment. I was able to read its 164 pages all at one time (though I was up to 2 AM doing it). This is foundational material, and if you are responsible for software development as a manager, I recommend you read at least this one section.

The next section, Software Vulnerabilities, starts with a buffer overflow chapter. This is a test of any good security book. If the authors point to an ancient paper like Smashing the Stack and mumble an incoherent sentence or two, you know they probably don't know what they are talking about. This book builds the case, using both code fragments and clear diagrams with plenty of explanation.

The final section is titled Software Vulnerabilities in Practice; I am not convinced this is an appropriate section name. Network or Web should probably be in the name. Chapters include Network Protocols, Firewalls (probably the weakest chapter in the book), Network Application Protocols, Web Applications, and Web Technologies.

They do not list an errata and discussion website in the book, but one of the authors (Schuh) wrote and said to try http://taossa.com/. It is a nice web site/blog; you probably want to bookmark it or subscribe to its RSS feed. Also, in the back of the book you have an opportunity to register your book; that might be a good idea, as these guys are still adding content.

Happy Reading!