Foreword

When Jesse James, the famous outlaw of the American West, was asked why he robbed banks, he replied, "That's where the money is." Similarly, any modern company that is likely to employ your services as a security tester has significant assets on its internal networks, and malicious people will attempt to get in and steal those assets. No matter what kind of software you test, whether software for internal use, external Web sites, or commercial off-the-shelf software, someone will be motivated to attack your products. Improving application security involves designers, developers, and testers, and the role of security testers is one whose importance cannot be overstated.

With all the books out there on software security, why read this one? I know a lot of people at Microsoft and in the larger security community who can find security flaws, but Tom Gallagher and Lawrence Landauer, whose work I know well, are two of the best and most articulate. The Microsoft Office Trustworthy Computing team includes some of the best security testers in the business. Tom, Lawrence, and their friend and coauthor Bryan Jeffries are extremely experienced and knowledgeable. The information they provide in this book will enable you to gain deeper insight into security testing.

Consider the topics that have been covered to date in other books, such as Hacking Exposed and Assessing Network Security. These do a great job of exposing the techniques of the network hacker and people who perform network security assessments. If your job is to create more secure software, this can be useful information and can help you see the flaws that make an attacker's job easier. But, although this sort of knowledge is good to have, it won't help you systematically find security problems quickly and efficiently. The topics discussed in this book will.

Some people have the job of finding security flaws in other people's products, and one of the most creative people is Greg Hoglund. His book Exploiting Software (with Gary McGraw; Addison-Wesley Professional, 2004) gives some good insight into how one of the best and most creative people in the business finds holes. But Greg doesn't have source code or access to developers, so he takes a different approach. As Tom makes clear shortly, the superstars of the security business find and publish only a very few problems per year. When I managed bug hunters in Internet Security Systems' X-Force, the very best people on the team did well to find one or two serious security problems per month. A professional software tester doesn't have the luxury of taking that much time to find so few bugs, and most of the people reading this book will also be responsible for functionality testing, which further imposes constraints on their time. You can use this book as a resource to help you streamline and intensify your security testing process.

Perhaps you're typically concerned with creating software that runs internally, behind the corporate firewall. If your company's network is reasonably large, the safest assumption is to treat the internal network as a semipublic, semihostile network. Most companies have made hiring mistakes, and lack of internal security can allow disgruntled or malicious employees to do a lot of damage. Although internal attacks by insiders are much rarer than attacks on your external network, they're much, much more likely to succeed and do significant damage. I've also seen examples of internal, line-of-business applications that make large corporate networks impossible to secure. If an attacker finds that set of systems, there are going to be a lot of problems. Getting even one moderately skilled attacker out of a large network is extremely difficult and costly.

Why do you need to learn about security? The losses associated with security bugs have been heavy. If you're working for Microsoft or another major software vendor, you see the effects of security problems on your customers and your company. Time spent trying to patch software that's already in the field is a lot more expensive for you and the customer than if the bug can be caught before shipping. Customers experience disruptions, and in some cases losses, and are less likely to purchase more software from a vendor that does not catch security flaws before shipping products.

To make matters worse, the situation is changing and becoming even more challenging. The tools available to the attackers are becoming more sophisticated and easier to use. In the mid-1990s, it took a highly specialized developer to write the assembly code needed to turn a buffer overrun into an exploit. Within a few years, many of the better security auditing teams included one or more people who could write exploits to attack custom software during a penetration test. Now, a point-and-click Web site will generate exploit code for a variety of operating systems, overcome many restrictions on user input, and generally make it easy to turn any developer's mistakes into exploitable conditions.

Even as the resources available to attackers have become more sophisticated, so have attackers. Years ago, the people who broke into computers generally wouldn't disrupt anything, or they might only play a few pranks. A code of ethics developed among attackers because there weren't many computers on the Internet, and a broken computer wasn't so much fun. People would write viruses with political messages or simply cause a nuisance. Truly destructive viruses were rare.

Today we have people taking over large numbers of computers to form armies of bots. Instead of viruses, we have people writing sophisticated spyware for financial gain. The goal of today's attackers is often money. There are marketplaces for stolen credit cards obtained from commercial Web sites. A recent evaluation of more than a hundred commercial Web sites by the Little Earth Corporation, a security company based in Tokyo, Japan, found that there are more Web sites that have serious security problems than there are secure sites. Even when developers of operating systems and Web servers do a great job, if the software built on top of those secure platforms is insecure, the customer's data and the company's reputation remain at risk.

To fully protect your customers, read this book!

David LeBlanc, April 2006



Hunting Security Bugs
ISBN: 073562187X