***** The Software Vulnerability Guide. By Herbert Thompson and Scott Chase; published by Charles River Media, www.charlesriver.com (Web), 800/347-7707 (phone); 354 pages; $49.95.
Every month, hundreds of security vulnerabilities and warnings are announced. Although they cover a wide set of products and programs, the underlying reason for them is generally the same: insecurely written software. When software is written in insecure code (which includes most software programs written today), serious security flaws are inevitable.
The Software Vulnerability Guide was written to help software developers acquire the methods necessary to write secure code and find existing problems in current software. After making a persuasive case for secure code in part one, the book progresses into the areas that are crucial to writing secure software.
Part two of the book covers system-level attacks and details important topics such as passwords, scripts and macros, and dynamic linking and loading (DLL). Part three plunges into attacks on the software, exploring heady concepts such as buffer overflows, format-string vulnerabilities, and integer overflow vulnerabilities. Most of these attacks have been known for decades but are only receiving wide-scale attention now.
Further chapters delve into securing data and Web servers. For each of the vulnerabilities mentioned, the authors describe how they occur and how to prevent them.
An enclosed CD-ROM contains software examples described in the text, plus various open-source security software testing tools, including Ethereal, Nessus, and Nmap. Any business serious about writing secure software should ensure that all of its code writers receive a copy of this book.
Reviewer: Ben Rothke, CISSP (Certified Information Systems Security Professional), is a New York City-based information security director with a multinational financial services firm. He is a member of ASIS International.