The Art of Software Security Assessment

Testing the security of an application is a must these days for even the smallest application, so when The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities, by Mark Dowd, John McDonald, and Justin Schuh landed on my desk (and coming in at just under 1200 pages it made a significant thud) I was looking forward to reading it. By the time I finished it however, that enthusiasm had been gradually replaced by disappointment.

To the author's credit, they suggest a number of tracks to help the reader through the book, each of which covers the first four chapters and a selection of later chapters which go into more detail on specific topics. Since I deal mainly with web application I chose the web track. As mentioned, things got off to a promising start with chapters on Software Vulnerability Fundamentals, Design Review, Operational Review, and Application Review Process. Anyone involved in reviews could benefit from these as they set a comprehensive foundation for doing any software assessment whether it is for security or any other topic. The only thing I found myself looking during this section was a more thorough discussion of the common vulnerability classes instead of just the broad buckets that they aggregate up to: design, implementation and operation.

What disappointed me most though was the very reason I read the book -- the web application content. The examples in the chapter on "Strings and Metacharacters" are all C with a few Perl ones added for a bit of diversity but there are no Java or .NET ones which are what most web applications are developed in these days. The same fault can be raised for the "Synchronization and State" chapter. As for the specific "Web Applications" and "Web Technologies" chapters, they are written in a much higher technology level than the rest of the book which makes it feel like they were added at the insistence of the publisher in order to get a wider audience and not because the authors had a lot of knowledge to pass onto the reader. My copy is significantly less marked up in the chapters that I was looking forward to than the opening chapters.

If you work in a non-C shop or web application shop, this book is likely not the one you are looking for. However, if you are writing or auditing thick client C programs there is a lot of value to be had from this tome.