
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities

Last Updated 2/10/2009 2:45:10 PM


By: Tony Stevenson

Authors: Mark Dowd, John McDonald, Justin Schuh

Publisher: Addison-Wesley Professional (www.awprofessional.com)

Published: November 2006

ISBN: 0321444426

Format: Soft cover, 1200 pages

Price: $54.99

Insider's Guide to Software Security

Although much of the content of "The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities" is aimed at developers, a range of other IT professionals can benefit from it as well: security specialists, testers, quality assurance personnel, consultants, and administrators of either UNIX/Linux or Windows environments.

The reason for the book's broad appeal is its emphasis on exposing vulnerabilities in systems and then helping IT professionals to remove those vulnerabilities as quickly and as inexpensively as possible. The information contained within "The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities" has been divided up into three major sections.

The first section of the book provides an introduction to software security assessment, and it is here that readers learn about three different sorts of vulnerabilities: design vulnerabilities, implementation vulnerabilities, and operational vulnerabilities. An example of a possible design vulnerability within a system is the use of the TELNET protocol. In itself, TELNET may not present a problem at all, because it is simply a protocol for allowing users to connect to a remote machine. But because TELNET transmits everything unencrypted, any sensitive information entered by users, for example an administrator's user name and password, can be captured by anyone monitoring the network path of the TELNET session.

An implementation vulnerability can occur because of a flaw or an inconsistency within the platform that an application runs on, or because of a deficiency in the language environment that is used to build the software. The classic example of an implementation vulnerability is a buffer overflow. An operational vulnerability often arises from human error in the manual processes surrounding the running of an application, or from an unexpected configuration issue.

Mark Dowd, John McDonald, and Justin Schuh, the authors of "The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities," are quick to point out that "there's plenty of room for interpretation and overlap in the concepts of design, implementation, and operational vulnerabilities, so don't consider these definitions to be an infallible formal system for labeling software flaws." Rather, the definitions and accompanying explanations should be regarded as a more "useful way to approach and study software vulnerabilities."

The three other major topics discussed in the first section of the book are the recommended ways of conducting design reviews, operational reviews, and application reviews. A word of caution: when reviews of this nature are undertaken, it is essential that they are not conducted in isolation. For instance, the outcomes of any design review should feed directly into the implementation review process. And when it comes to the application review process, the authors of the book recommend that "you need to consider the target deployment environment (if one is available) and the application's default configuration parameters." They warn that "unsafe or unnecessary exposure of the application can lead to vulnerabilities that are entirely independent of the program code."

The last chapter in this section of the book concludes with a short case study in which a practical example of the application review process is presented and dissected. The real-world example used in the case study is based around OpenSSH, which is regarded by many as the premier Secure Shell (SSH) server on the Internet. The official OpenSSH Web site is located at www.openssh.com.

The second section of "The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities" investigates the different types of software vulnerabilities that can occur. The purpose of the nine chapters in this part of the book is to provide practical, real-world examples of how to successfully unearth software security vulnerabilities in applications running in either Windows or UNIX environments. For example, the interprocess communication (IPC) mechanisms provided by Windows are discussed in detail from the perspective of how the availability of these mechanisms can affect application security.

The authors of the book cite severe cases where "Windows IPC vulnerabilities have allowed remote unauthenticated users to gain full administrative access to a vulnerable machine."

But there is good news too.

The authors reassure readers of their book that "by understanding these vulnerabilities and how they are attacked, you should be able to identify, assess, and prevent them." In the third and final section of the book, the focus is on putting into practice the theory and lessons that have been presented in the earlier chapters of the book.

The different areas that are investigated are as follows:
· Network protocols including Internet Protocol (IP), User Datagram Protocol (UDP), and Transmission Control Protocol (TCP). One of the strengths of this book is that it highlights the security issues that are often associated with the software that implements these protocols.

· Firewalls, which involve an in-depth discussion of stateless firewalls, simple stateful firewalls, stateful inspection firewalls, the differences between the various types of firewalls, and spoofing attacks. The book's authors believe that the review of firewall software is "an area that's currently lacking in extensive investigation, so it's a good place for a vulnerability researcher to cover new ground."

· Network application protocols such as HyperText Transfer Protocol (HTTP) and Internet Security Association and Key Management Protocol (ISAKMP), along with Abstract Syntax Notation (ASN.1) and the Domain Name System (DNS).

· Web applications, which, according to the authors of the book, are "one of the most popular areas of modern software development; in fact, they might be the single biggest innovation of the dot-com era."

· Finally, Web technologies, which starts off with a discussion of Web Services and Service-Oriented Architecture, for example Simple Object Access Protocol (SOAP), Representational State Transfer (REST) and Asynchronous JavaScript and XML (AJAX), followed by a look at Web application platforms and other technologies such as Common Gateway Interface (CGI), Perl, PHP Hypertext Preprocessor (PHP), Java, Active Server Pages (ASP) and ASP.NET.

As regards the last chapter of the book, which is dedicated to Web technologies, the authors themselves readily acknowledge that Web application platforms are "quite complex" and that "an entire book could be devoted to a detailed exploration of the security aspects of each one." One solution to this problem, suggested by the book's authors and one I agree with, is to obtain additional detailed information from the platform developers themselves as well as from other security resources.

The book concludes with a short but still useful bibliography.

Although "The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities" is a largish book – it is over 1100 pages in length – I recommend that you read it through from start to finish, instead of picking out chapters here and there. By adopting such an approach, you give yourself the best chance of understanding software vulnerabilities and, most importantly, of learning about the different techniques and tools that can help you and members of your staff to successfully perform software security assessments. But if your time constraints and pressures of work make it impossible to read the whole book, then at least read the first four chapters, that is, the complete first section of the book. Doing so will provide the foundation required for subsequently selecting individual chapters to read.

In conclusion, it is worth remembering that while a large number of books have already been written covering the art of building secure applications, relatively few show IT professionals how to unearth vulnerabilities in existing software. This particular book has been written to redress that vital issue. It is recommended reading for IT professionals whose responsibility is either to create secure software applications and systems, or to ensure that any existing software in their care is indeed safe and secure.