
Customer Reviews

4.4 out of 5 stars

on March 10, 2004
A disturbing, subversive book. And I mean this in a positive sense. Hoglund and McGraw explain the major ways in which software can be attacked.
They describe how reverse engineering can be done, even if all you have is binary code to work on. Given a disassembler and a decompiler, and these exist for all the major platforms, you can systematically apply white box, black box and grey box analysis to deconstruct a program.
They show how attacks can be done against servers, because nowadays on the net, servers are often tempting, fat targets. But from your standpoint, if you wish to defend against these attacks, you really need to be aware of the issues they raise. "Know the enemy". Plus, they also show how a server could attack, or be used to attack, unsuspecting clients that connect to it.
Of course, buffer overflows are the most commonly known source of attacks. Thus an entire chapter is devoted to this.
PHP users may not be thrilled to hear that it is fundamentally insecure. Its ease of learning and coding comes with this heavy price. Still, it is all the more reason that PHP users and sysadmins running web servers that use PHP should be aware of the dangers in it.
The book is not a trivial read. The authors give detailed examples at the level of the x86 assembler. A strong background in this and in C/C++ will give you the greatest benefit when studying the book.
Target Audience
Software developers and network administrators who are responsible for or concerned with the security of the code they write or run.
This book covers software exploits and how they work.
The book is divided into the following chapters:
Software - The Root Of The Problem; Attack Patterns; Reverse Engineering And Program Understanding; Exploiting Server Software; Exploiting Client Software; Crafting (Malicious) Input; Buffer Overflow; Rootkits; References; Index
Software security is foremost in the news today. You can't go a day without news on how another group has found and exploited some software flaw to create havoc on the internet. It seems that the software bugs are found faster than the developers can patch them. How can a software developer get ahead of the curve and write software that is more secure from the start? Get this book.
The authors start out with an overview of software and how code is open to bugs and exploits. By understanding the concepts of complexity, extensibility, and connectivity, you'll start to understand how easy it is for software to be "broke" by others to gain some sort of advantage or control over it. The rest of the book then goes into specific areas of attack and how they occur. There is an abundance of "attack patterns" that are highlighted throughout the chapters. These short sidebars will help you understand all the types of attacks that can (and will be) used against your systems. After you read and digest this information, you will be much better prepared to write code that is designed to be more secure from the initial design through implementation.
A question comes to mind quickly when reading the book... Isn't it dangerous to put all this hacking information in one place where anyone can access it? In my opinion, it's more dangerous to not have this data available. If a person wants to break your software or systems, they already know this stuff. In the case of software security, it's often the corporate developer who is at a distinct disadvantage as they are more concerned with getting their software to work in the first place. By having a single volume that explains the concepts of software exploitation in detail, we can all start to write secure software instead of writing patches to fix flawed code.
This book should be on the shelf of all software developers and administrators who are concerned about writing and administering secure software. And that should be all software developers and administrators! The information may be disturbing, but you need to understand it before others use the information against you.
Many readers and reviewers view this book as a security text, which it is. However, the main value in my opinion is to the software testing/QA community and to developers working in environments using either agile methods or Extreme Programming.
For the software testing and QA community the book is a ready-made manual for developing test cases, and also raises interesting thoughts about testing tools. For example, Chapter 8 (Rootkits) gives a list of techniques and tools that can be effectively used as testing tools as well as hacking tools. What better way to test software than to use the very methods and tools that the bad guys use?
Developers will find a plethora of common exposures and vulnerabilities that will need to be addressed in the software they develop. Moreover, much of the information in this book will provide guidance about what should be checked during unit and integration testing. As an aside, I also recommend that developers in any development environment read "Building Secure Software" (ISBN 020172152X), which nicely augments this book.
Of course, the security community's concerns are also addressed, especially in the first three chapters. In fact, if this book proves anything it's that security, development and QA need to work in concert in order to have a defensive, in-depth security posture.
If you are a developer or testing professional I highly recommend this book, and also recommend that you augment the information provided with two other books - "How to Break Software: A Practical Guide to Testing" (ISBN 0201796198), and "How to Break Software Security" (ISBN 0321194330).
on February 24, 2004
For many years the "white hats" (good guys) have tried to guess how the black hats think, and how they find problems with software. That's as true with software as it is with other disciplines, where police study criminals, and military strategists learn about their enemy's tactics. Those of us in the information security field need to study our criminals and enemies, so we can tell the difference between pop guns and weapons of mass destruction.
I enjoyed this book because it helped me understand how the bad guys think, and how they find the flaws that we constantly read about (and suffer from).
The authors explain not only how hackers attack servers, but also how malicious server operators can attack clients (and how each can protect themselves from the other). I'd highly recommend it as a companion to Ross Anderson's "Security Engineering": Anderson's book provides the broad view of security, and this book provides the deep analysis of software security.
An excellent book for practicing security engineers, and an ideal textbook for an undergraduate class in software security.
on February 24, 2004
On today's security bookshelves, guides on securing applications through use of security features and pithy advice far outweigh books aiding readers in understanding how their software is actually attacked. This leaves software development and security professionals to wonder: How can attackers really exploit my software? How easy is it for them to do so? And how is it really done? Exploiting Software goes a long way towards leveling that playing field by addressing those questions.
As a security consultant, I see this book as being an essential purchase for both those developing software and those auditing or otherwise trying to secure it. Exploiting Software presents a solid baseline coverage of the problems developers inadvertently introduce and explains how those problems become patterns of attack for attackers and security professionals like myself. The book presents each pattern with enough detailed explanation and aid for using Unix/Windows tools that the curious reader can explore the pattern of attack on their own systems from a destructive perspective. In doing so, readers are convinced of each pattern's viability and are free to explore its impact in their environment.
Exploiting Software is a must-have attack dictionary for security professionals, especially those in organizations unaware of the threat attackers pose to their software, despite network and host controls. It provides a go-to resource to familiarize both security and development staff with the constituency of the attacker's toolkit.
While this book is a tremendous start on enumerating attack patterns, readers expecting a full treatment of attacks against Java's application servers and code targeting the .NET platform may be disappointed. Still, while these systems (and attacks against them) are becoming more popular, Exploiting Software is still relevant to these frameworks' virtual machines and their underlying OSes. Exploiting Software correctly left attacking these systems directly to subsequent work, but enables the skilled attacker to pull the table cloth out from under this middleware.
Like "Building Secure Software" and "Writing Secure Code" this book is an excellent foothold into reusable knowledge the reader's organization should be cataloging. And if your organization isn't using and expanding a catalogue of attacks to which its software is vulnerable, it's behind the 8 ball in developing and deploying secure software.
on February 23, 2004
"Exploiting Software" is a provocative and revealing book from two leading security experts and world class software exploiters. It enters the mind of the cleverest and wickedest crackers and shows you how they think. This book illustrates general principles for breaking software, and provides readers with a whirlwind tour of techniques for finding and exploiting software vulnerabilities, along with detailed examples from real software exploits.
Exploiting Software is essential reading for anyone responsible for placing software in a hostile environment; that is, everyone who writes or installs programs that run on the Internet.
on May 18, 2004
Like all other books on "how to hack," this one starts out with a history of computing back to the beginning of time, then jumps into advanced techniques requiring some pretty advanced knowledge of assembly code and network protocols. Why do all these books do this? They implicitly assume that their readers understand computer systems in later chapters, but still feel the need to go over basic material in early chapters.
Anyway, the content of this book is pretty good. How could you not like a book that includes the line "think of a server as a public restroom?"
on February 24, 2004
This is a seductive book. It starts with anecdotes that draw you in then leads you step-by-step to an in-depth understanding of software vulnerabilities. This book is an essential introduction and enduring reference on a critical but often overlooked area of information security. In the business we spend most of our time and attention on perimeter protection and authentication, and way too little on the actual vulnerability of the stuff we buy and the code we develop. This book is a thorough and entertaining call to action and plan of attack. An absolute must buy.
on February 26, 2004
Hoglund and McGraw is an amazing book. It's well written, comprehensive and full of detailed, up-to-date methodologies for messing with all kinds of code.
It's a shame the black hats can buy this book. However, since they can, every white hat should make a point of reading it to understand how subtle attacks can be and what kinds of tools are out there to help develop exploits.
Reading it will make you weep about the current state of operational code vulnerability!!!