November 2004: Book Review
How to Break Software Security
Author(s): James A. Whittaker, Herbert H. Thompson
Publisher: Addison Wesley
This is the sequel to “How to Break Software: A Practical Guide to Testing”. In this book, James Whittaker and Herbert Thompson introduce software testers to security testing. The book is organized as a sequence of attack techniques, such as “Force the application to use corrupt files” and “Fake the source of data”. For each of the 19 attacks discussed, the authors explain when to apply the attack, the cause of the vulnerability, how to verify whether security has been compromised, and how to perform the attack. The focus is on the hands-on attack itself, and the authors have bundled their testing tool Holodeck version 1.3 on the accompanying CD-ROM. The emphasis on using Holodeck does tend to distract from the underlying testing technique.
In its favor, the book is strong on screen shots and real-world examples. It also has several nuggets for the experienced security tester. For instance, the authors point out that unused command-line options from older versions might still be active and vulnerable, as they have probably not been tested in the newer versions. This book is a good introduction to security testing for professional software testers.