
Customer Reviews

4.4 out of 5 stars (19 ratings)
Format: Paperback
Price: $58.42



on March 24, 2004
Yes, this is it! The book will rock the world of infosec! It is exclusive in so many different ways. The authors did write a bible of exploitation: conceptual, practical and very novel.
The book has great coverage of exploitation topics from basics onwards. Overall, it's an awesome book, perception changing and extremely enlightening (even if you are not into writing exploits for a living!). It is well written and easy to read (pretty much reads through non-stop). Some items in the book might cause some controversy, which is undoubtedly good for marketing.
This is a very exciting book. Just about everything is unique: content, presentation, code, etc. It's not just up-to-date, it's bleeding-edge, never-seen-in-public material. The book has nice organization and complex matters are presented well. I managed to enjoy even parts where I knew less than was needed to fully comprehend it. I especially liked the coverage of Windows rootkits and BIOS malware.
Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with a major security information management company. He is the author of the book "Security Warrior" (O'Reilly, 2004). His areas of infosec expertise include intrusion detection, UNIX security, forensics, honeypots, etc. In his spare time, he maintains his security portal info-secure.org.
on May 3, 2004
'Exploiting Software' is a quite disappointing book. It is not well organized and repeats itself very often, there's no thread and the authors always lose themselves in trivial things. Whenever it started to get interesting the book stopped short of going into details. The only slightly sophisticated chapters are the ones at the end, about buffer overflows and the XP rootkit.
I found that often code fragments are insufficiently described or not explained at all. This is a no-no in writing software, and it is all the more so when writing a book about software (I can easily download some code and then wade through the code myself; what's the added value of the book?). On the other hand, simple tasks like appending a line to a Unix text file are explained exhaustively. Or, the book contains several pages about code to display sampled data graphically. Why would I want to read this in a book about software exploits?
Overall, the book fails in the most important aspect: to bear the reader in mind. It seems that the authors just wanted to write a book, a thick book. Among the target audience mentioned in the book, i.e., programmers, consultants, managers etc. only programmers with absolutely no background in security may appreciate the book.
Go check the book carefully if you think about buying it. I give it two out of five stars just because of the final two chapters.
Many readers and reviewers view this book as a security text, which it is. However, the main value in my opinion is to the software testing/QA community and to developers working in environments using either agile methods or Extreme Programming.
For the software testing and QA community the book is a ready-made manual for developing test cases, and also raises interesting thoughts about testing tools. For example, Chapter 8 (Rootkits) gives a list of techniques and tools that can be effectively used as testing tools as well as hacking tools. What better way to test software than to use the very methods and tools that the bad guys use?
Developers will find a plethora of common exposures and vulnerabilities that will need to be addressed in the software they develop. Moreover, much of the information in this book will provide guidance about what should be checked during unit and integration testing. As an aside, I also recommend that developers in any development environment read "Building Secure Software" (ISBN 020172152X), which nicely augments this book.
Of course, the security community's concerns are also addressed, especially in the first three chapters. In fact, if this book proves anything it's that security, development and QA need to work in concert in order to have a defensive, in-depth security posture.
If you are a developer or testing professional I highly recommend this book, and also recommend that you augment the information provided with two other books - "How to Break Software: A Practical Guide to Testing" (ISBN 0201796198), and "How to Break Software Security" (ISBN 0321194330).
on April 13, 2004
Over the last couple of years, I have read nearly every book on the subject of secure programming. In my opinion, this book clearly stands out from the rest as best in class. This book systematically and thoroughly covers the topic from the attacker's perspective, which is where any serious study of the subject should begin. Given the increasing integration and open access to systems, any serious software system from an operating system utility to a complex business application will experience many of these attacks in deployment; there is no hiding from these types of attacks behind a firewall. This book represents a great step in the right direction since one must understand an attacker's perspective and techniques before one can form an appropriate defense. This is definitely a prerequisite to other books in the domain that focus on defensive coding techniques. This subject matter is crucial knowledge for anyone involved with software today and an interesting read for those who depend on and use information systems.
I concur with earlier reviews that this book makes an interesting cover-to-cover read due to the intriguing subject matter of hacking, cracking, and otherwise attacking information systems. Unlike Mitnick's 300+ page treatise describing how to get a password from a user (yawn), this book is a tour-de-force of attacks aimed directly at software itself. While the descriptions of each attack are straightforward and easy to comprehend, the reader gets an insight into the brilliance required to devise many of these attacks.
I have found it most useful as a reference guide for red-team testing and security review at design and coding time. If you are a development manager or a computer science instructor definitely give this a read. Then do a survey of your developers and students and see how many attack patterns they can identify - you will probably want to give a copy to each of them after you do! Enjoy.
Roger Thornton
CTO, Fortify Software Inc
on April 22, 2004
I admit it, I was expecting a lot of this book. I've seen one of the co-authors, Hoglund, speak at various security conferences in the past, and he is one of the top minds in the industry. I was therefore very excited to find he was writing a book on "exploiting software".
That being said, I was led to believe that this book would actually teach me how to "exploit software"; that is the title, isn't it? The first two chapters are kind of an overview, talking about historical flaws in things like embedded processors, and then a lengthy tutorial on somewhat obscure topics, such as writing plugins for the popular Belgian disassembler, IDA Pro. While this is all fine and dandy, at this point in the book you will start to read faster and think "when do I get to learn how to 'exploit software' and write some friggen exploits?"
Well, I was hoping to find that content later in the book (obviously contributed by Mr. Hoglund), but all I found was some terse overviews on how these exploits are possible. NOT how to actually write them, or use them in practice. This is where I was let down, and may I even say, misled by the marketing material for the book.
I do have to say, the final section on writing a Windows XP rootkit does have some concrete examples, and is highly interesting and informative. But it remains the only truly hands-on and practical portion of the book. This book should have been titled, AND marketed as, "The Theory of Software Exploitation + A Good Chapter On Rootkits".
on February 23, 2004
"Exploiting Software" is a provocative and revealing book from two leading security experts and world-class software exploiters. It enters the mind of the cleverest and wickedest crackers and shows you how they think. This book illustrates general principles for breaking software, and provides readers with a whirlwind tour of techniques for finding and exploiting software vulnerabilities, along with detailed examples from real software exploits.
Exploiting Software is essential reading for anyone responsible for placing software in a hostile environment, that is, everyone who writes or installs programs that run on the Internet.
on May 18, 2004
Like all other books on "how to hack," this one starts out with a history of computing back to the beginning of time, then jumps into advanced techniques requiring some pretty advanced knowledge of assembly code and network protocols. Why do all these books do this? They implicitly assume that their readers understand computer systems in later chapters, but still feel the need to go over basic material in early chapters.
Anyway, the content of this book is pretty good. How could you not like a book that includes the line "think of a server as a public restroom?"
on February 24, 2004
This is a seductive book. It starts with anecdotes that draw you in, then leads you step-by-step to an in-depth understanding of software vulnerabilities. This book is an essential introduction and enduring reference on a critical but often overlooked area of information security. In the business we spend most of our time and attention on perimeter protection and authentication, and way too little on the actual vulnerability of the stuff we buy and the code we develop. This book is a thorough and entertaining call to action and plan of attack. An absolute must buy.
on February 26, 2004
Hoglund and McGraw is an amazing book. It's well written, comprehensive and full of detailed, up-to-date methodologies for messing with all kinds of code.
It's a shame the black hats can buy this book. However, since they can, every white hat should make a point of reading it to understand how subtle attacks can be and what kinds of tools are out there to help develop exploits.
Reading it will make you weep about the current state of operational code vulnerability!!!