SecurityCertified

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Sunday, September 25, 2011

Impressions: The Art of Software Security Assessment

Posted on 5:33 PM by Unknown
I recently took The Art of Software Security Assessment (TAOSSA) with me on a flight across the US and part of the Pacific. This massive book by Mark Dowd, John McDonald, and Justin Schuh is unlike anything I've read before. If I had read the whole book I would have written a five star review. However, since I only read certain parts of interest to me, I'm sharing these impressions of the book.

One of my favorite aspects of TAOSSA is the demonstration of software vulnerabilities by showing snippets of actual software familiar to many readers. These examples are sort of like behind-the-scenes looks at individual CVEs, where the authors show what's really happening and why it matters.

In some cases these examples show the development of code over time, and the flaws that developers introduce when trying to fix old vulnerabilities. For example, pages 250-3 show the progression of problems with the Antisniff tool. We read about trouble with versions 1.0, 1.1, 1.1.1, and 1.1.2, each trying to fix a bug caused by the previous change.

Another amazing aspect of TAOSSA is its coverage of subtle differences between different Unix-like systems, e.g. FreeBSD, NetBSD, OpenBSD, Solaris, and Linux. I really appreciated such careful attention to detail.

Probably the strongest aspect of TAOSSA was the overall methodology, which I define as 1) show how the technology works; 2) show vulnerabilities in code; 3) show how to fix the code (usually all with real examples).

My only criticism is more philosophical, because the authors recycle the flawed Microsoft "threat modeling" paradigm. This approach results in weird sentences like "threat identification is the process of determining an application's security exposure based on your knowledge of the system" (p 59). Fortunately the authors use the proper term "attack trees" rather than "threat trees," presumably because they recognize that Bruce Schneier was right when he promoted the "attack tree" approach!

Overall, the book is very well written, with great consistency despite three authors and hundreds of pages. If you can find a software developer who honestly read the entire TAOSSA and integrated its wisdom into his or her coding, hire that person!
Tweet
Email ThisBlogThis!Share to XShare to Facebook
Posted in impressions | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Review of Intelligence, 4th Ed Posted
    Amazon.com just posted my five star review of Intelligence: From Secrets to Policy, 4th Ed by Mark Lowenthall . From the review : I was a...
  • SQL Injection Challenge and Time-Based Security
    Thanks to this Tweet by @ryancbarnett, I learned of the lessons learned of the Level II component of the ModSecurity SQL Injection Challen...
  • Practice of Network Security Monitoring Table of Contents
    Since many of you have asked, I wanted to provide an updated Table of Contents for my upcoming book, The Practice of Network Security Monito...
  • C-SPAN Posts Video of Tuesday Hearing
    You can now access video of Tuesday's House Select Committee on Intelligence Hearing on Cybersecurity at C-SPAN . Some people are alread...
  • Bejtlich's Thoughts on "Why Our Best Officers Are Leaving"
    Twenty-two years ago today I flew to Colorado Springs, CO and reported for Basic Cadet Training with the class of 1994 at the United States ...
  • A Book for the Korean Cyber Armies
    I've got a book for the Korean cyber armies, North and South. That's right, it's my first book , The Tao of Network Security Mo...
  • Bejtlich Teaching at Black Hat West Coast Trainings
    I'm pleased to announce that I will be teaching at  Black Hat West Coast Trainings  9-10 December 2013 in Seattle, Washington. This is a...
  • Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days
    Two weeks ago today our team at Mandiant was feverishly preparing the release of our APT1 report . In the twelve days that followed public...
  • Tort Law on Negligence
    If any lawyers want to contribute to this, please do. In my post Shodan: Another Step Towards Intrusion as a Service , some comments claim ...
  • Review of America the Vulnerable Posted
    Amazon.com just posted my five star review of America the Vulnerable by Joel Brenner. I reproduce the review in its entirety below. I'...

Categories

  • afcert
  • Air Force
  • analysis
  • announcement
  • apt
  • attribution
  • bestbook
  • blackhat
  • books
  • breakers
  • bro
  • bruins
  • certification
  • china
  • cisco
  • cissp
  • cloud
  • clowns
  • commodore
  • conferences
  • controls
  • correlation
  • counterintelligence
  • cybercommand
  • cyberwar
  • dfm
  • education
  • engineering
  • feds
  • fisma
  • freebsd
  • GE
  • ge-cirt
  • hakin9
  • history
  • impressions
  • information warfare
  • ipv6
  • law
  • leadership
  • malware
  • mandiant
  • microsoft
  • mssp
  • nsm
  • offense
  • oisf
  • packetstash
  • philosophy
  • pirates
  • powerpoint
  • press
  • psirt
  • reading
  • redteam
  • reviews
  • russia
  • sans
  • sec
  • sguil
  • snorby
  • spying
  • threat model
  • threats
  • Traffic Talk
  • training
  • tufte
  • tv
  • ubuntu
  • usenix
  • verizon
  • vulnerabilities
  • wisdom
  • writing

Blog Archive

  • ►  2013 (16)
    • ►  September (1)
    • ►  August (1)
    • ►  June (2)
    • ►  April (2)
    • ►  March (1)
    • ►  February (3)
    • ►  January (6)
  • ►  2012 (60)
    • ►  December (4)
    • ►  November (5)
    • ►  October (3)
    • ►  September (10)
    • ►  August (2)
    • ►  July (6)
    • ►  June (6)
    • ►  May (4)
    • ►  April (2)
    • ►  March (9)
    • ►  February (6)
    • ►  January (3)
  • ▼  2011 (108)
    • ►  December (3)
    • ►  November (7)
    • ►  October (11)
    • ▼  September (9)
      • Chinese Espionage in Five Minutes
      • Review of Robust Control System Networks Posted
      • Impressions: The Art of Software Security Testing
      • Impressions: The Art of Software Security Assessment
      • Impressions: Tiger Trap
      • Bejtlich Cited in Chinese Article on APT
      • Classic Chinese Defensive Propaganda
      • Government Takeover of Compromised Digital Infrast...
      • Watch National Geographic Channel's The Liquid Bom...
    • ►  August (18)
    • ►  July (10)
    • ►  June (5)
    • ►  May (4)
    • ►  April (13)
    • ►  March (17)
    • ►  February (2)
    • ►  January (9)
  • ►  2010 (193)
    • ►  December (14)
    • ►  November (11)
    • ►  October (6)
    • ►  September (16)
    • ►  August (15)
    • ►  July (26)
    • ►  June (15)
    • ►  May (15)
    • ►  April (15)
    • ►  March (16)
    • ►  February (19)
    • ►  January (25)
  • ►  2009 (123)
    • ►  December (10)
    • ►  November (17)
    • ►  October (21)
    • ►  September (13)
    • ►  August (20)
    • ►  July (21)
    • ►  June (21)
Powered by Blogger.

About Me

Unknown
View my complete profile