Introduction

Overview

You might wonder why Microsoft is publishing a book about security testing, given the grave difficulties of the jobtrying to make software more secure. Certainly, Microsoft has had its fair share of security problems and thus has plenty of experience for testers to ponder. We (the authors) began working at Microsoft prior to the companys Trustworthy Computing Initiative, which was proposed in 2002. Since the Initiative became Microsoft practice, we have seen a significant change in how Microsoft approaches security. Security is no longer just the responsibility of a security expertnow it is everyones responsibility. This book about aggressive security testing of software emerges from our experience at work at Microsoft and our efforts to help our company create software that we hope continues to work safely and reliably after users buy it.

Security of an application isnt restricted to features using security technologies and such features as encryption and account management. The security of each feature of a product must be carefully considered . For this reason, at Microsoft every program manager, developer, tester, and technical writer helping create software is responsible for ensuring the software is as secure as possible. This book takes the approach that security is everyones responsibility and focuses on providing testers the information they need to find security bugs in functionality of their software that might not have obvious security implications.

This book does not describe how these bugs should be fixed. Other books such as Michael Howard and David LeBlancs Writing Secure Code (Microsoft Press, 2002) are excellent references for fixing and preventing security bugs from entering code.

Microsoft learned some lessons the hard way when the company shipped software that contained security flaws; later the company needed to make security updates. This book describes many of the security problems present in software today and includes information about some of the bugs that have bitten us and some of the bugs we found internally before the product shipped. We hope that you can learn from our experiences and prevent similar bugs from shipping in your software.

Throughout the book, we refer to data that can be controlled by another user as attacker- controlled data . We do this so that you will not only become conscious that data an application consumes might be from an attacker, but also to help you develop the mind-set of an attacker and to realize you can control this data. We encourage you not only to practice thinking maliciously like an attacker but also to become, while youre doing your job, an attacker against your own system to help your company find vulnerabilities in the software you are testing.

The purpose of this book is to help you do your job of helping your colleagues build better software inside your own company, not to break into other peoples software or apply a malicious mind-set or techniques to any software not approved for you to test. This book is a white-hat book for white hats.

Software security continues to evolve quickly. In the future, we will face dangerous attacks not known today. However, the processes discussed in this book, which include developing a malicious mind-set and taking an attackers approach toward security testing while youre working should largely remain the same.



Hunting Security Bugs
Hunting Security Bugs
ISBN: 073562187X
EAN: 2147483647
Year: 2004
Pages: 156

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net