Title: Exploiting Software
Authors: Greg Hoglund, Gary McGraw
Published: February 27, 2004
Edition: 1st Edition
Anyone who's been in network security long enough will tell you that the current state of products and ‘solutions' to security problems are woefully inadequate.
Firewalls, intrusion detection systems, content filters and anti-virus solutions are all reactive technologies, and as a result, they fail to address the primary cause of security vulnerabilities.
This root cause is bad software. Viruses, worms and hackers exploit vulnerabilities in the design and logic of software applications to compromise, destroy and otherwise take control of important information. Once you accept this fact, you'll realize that the only path to good security is to write better code.
‘Exploiting Software – How to Break Code' is a book that fires up the hacker in me. It does not aim to teach you about the latest scanning tool, instead, it teaches you how to find and exploit vulnerabilities in systems. While many of the ideas in the book (such as the omnipresent buffer overflow) are not new, there is simply no literary comparison to the treatment given to them in this book.
Application security is one of the highest regarded and specialized technical services in the security industry, and thus, finding people (let alone books) that delve in-depth into the topic is rare and refreshing. The first day I used this book, I was on an application security project. The target application was a distributed database application running on SQL server with a web front-end.
I happened to have this book along with me, and while reading through it, the section on equivalent requests was something I hadn't tried – sure enough, 20 minutes later I had full control of the application and a very good impression of this book.
I particularly like the conceptual sections of this book, especially their idea of ‘attack patterns' – generic scenarios that often lead to compromise in systems. A thorough study of all these attack patterns will leave you a much better analyst than when you started out, and it definitely pays off when it comes to testing.
The book is also chock-a-block full of code, something that other books don't have the guts to do. Better yet, we're not talking about ‘hello world' stuff here, while reading the excellent chapter on root kits I finally realized that the device driver code I was trying out was way over my head. That's something you like to find, because it gives you something to learn.
The art of reverse engineering, disassembly, writing IDA-Pro plugins, black / white and grey-box techniques, advanced payload creation on multiple architectures – this book has it all. The only thing I can possibly say against it is that this it caters to a niche audience.
If you're not a coder or seriously into security however, large parts of the book may be inaccessible to you. However if you're a hacker, security tester or application developer and you don't own a copy of this book, you're not reaching your full potential.