Table of Contents | The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities

The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
By Mark Dowd, John McDonald, Justin Schuh
...............................................
Publisher: Addison Wesley Professional
Pub Date: November 10, 2006
Print ISBN-10: 0-321-44442-6
Print ISBN-13: 978-0-321-44442-4
Pages: 1200

Table of Contents | Index

About the Authors

Preface

Acknowledgments

Part I: Introduction to Software Security Assessment

Chapter 1. Software Vulnerability Fundamentals

Introduction

Vulnerabilities

The Necessity of Auditing

Classifying Vulnerabilities

Common Threads

Summary

Chapter 2. Design Review

Introduction

Software Design Fundamentals

Enforcing Security Policy

Threat Modeling

Summary

Chapter 3. Operational Review

Introduction

Exposure

Web-Specific Considerations

Protective Measures

Summary

Chapter 4. Application Review Process

Introduction

Overview of the Application Review Process

Preassessment

Application Review

Documentation and Analysis

Reporting and Remediation Support

Code Navigation

Code-Auditing Strategies

Code-Auditing Tactics

Code Auditor's Toolbox

Case Study: OpenSSH

Summary

Part II: Software Vulnerabilities

Chapter 5. Memory Corruption

Introduction

Buffer Overflows

Shellcode

Protection Mechanisms

Assessing Memory Corruption Impact

Summary

Chapter 6. C Language Issues

Introduction

C Language Background

Data Storage Overview

Arithmetic Boundary Conditions

Type Conversions

Type Conversion Vulnerabilities

Operators

Pointer Arithmetic

Other C Nuances

Summary

Chapter 7. Program Building Blocks

Introduction

Auditing Variable Use

Auditing Control Flow

Auditing Functions

Auditing Memory Management

Summary

Chapter 8. Strings and Metacharacters

Introduction

C String Handling

Metacharacters

Common Metacharacter Formats

Metacharacter Filtering

Character Sets and Unicode

Summary

Chapter 9. UNIX I: Privileges and Files

Introduction

UNIX 101

Privilege Model

Privilege Vulnerabilities

File Security

File Internals

Links

Race Conditions

Temporary Files

The Stdio File Interface

Summary

Chapter 10. UNIX II: Processes

Introduction

Processes

Program Invocation

Process Attributes

Interprocess Communication

Remote Procedure Calls

Summary

Chapter 11. Windows I: Objects and the File System

Introduction

Background

Objects

Sessions

Security Descriptors

Processes and Threads

File Access

The Registry

Summary

Chapter 12. Windows II: Interprocess Communication

Introduction

Windows IPC Security

Window Messaging

Pipes

Mailslots

Remote Procedure Calls

COM

Summary

Chapter 13. Synchronization and State

Introduction

Synchronization Problems

Process Synchronization

Signals

Threads

Summary

Part III: Software Vulnerabilities in Practice

Chapter 14. Network Protocols

Introduction

Internet Protocol

User Datagram Protocol

Transmission Control Protocol

Summary

Chapter 15. Firewalls

Introduction

Overview of Firewalls

Stateless Firewalls

Simple Stateful Firewalls

Stateful Inspection Firewalls

Spoofing Attacks

Summary

Chapter 16. Network Application Protocols

Introduction

Auditing Application Protocols

Hypertext Transfer Protocol

Internet Security Association and Key Management Protocol

Abstract Syntax Notation (ASN.1)

Domain Name System

Summary

Chapter 17. Web Applications

Introduction

Web Technology Overview

HTTP

State and HTTP Authentication

Architecture

Problem Areas

Common Vulnerabilities

Harsh Realities of the Web

Auditing Strategy

Summary

Chapter 18. Web Technologies

Introduction

Web Services and Service-Oriented Architecture

Web Application Platforms

CGI

Perl

PHP

Java

ASP

ASP.NET

Summary

Bibliography

Index