Exploiting Software: How to Break Code (Addison-Wesley Software Security Series)
Authors: Greg Hoglund, Gary McGraw
Publisher: Addison-Wesley Professional
Category: Book
List Price: $54.99
Buy New: $23.98 (You Save: $31.01, 56%)
Buy New/Used from $19.90
Avg. Customer Rating: (29 reviews)
Sales Rank: 190733
Languages: English (Original Language), English (Unknown), English (Published)
Media: Paperback
Number of Items: 1
Pages: 512
Shipping Weight (lbs): 2.1
Dimensions (in): 9.1 x 7 x 1.3
ISBN: 0201786958
Dewey Decimal Number: 005.8
UPC: 785342786958
EAN: 9780201786958
ASIN: 0201786958
Publication Date: February 27, 2004
Availability: Usually ships in 1-2 business days
Editorial Reviews:
Amazon.com Review

Computing hardware would have no value without software; software tells hardware what to do. Software therefore must have special authority within computing systems. All computer security problems stem from that fact, and Exploiting Software: How to Break Code shows you how to design your software so it's as resistant as possible to attack. Sure, everything's phrased in offensive terms (as instructions for the attacker, that is), but this book has at least as much value in showing designers what sorts of attacks their software will face (the book could serve as a checklist for part of a pre-release testing regimen). Plus, the clever reverse-engineering strategies that Greg Hoglund and Gary McGraw teach will be useful in many legitimate software projects. Consider this a recipe book for mayhem, or a compendium of lessons learned by others. It depends on your situation.

PHP programmers will take issue with the authors' blanket assessment of their language ("PHP is a study in bad security"), much of which seems based on older versions of the language that had some risky default behaviors--but those programmers will also double-check their servers' register_globals settings. Users of insufficiently patched Microsoft and Oracle products will worry about the detailed attack instructions this book contains. Responsible programmers and administrators will appreciate what amounts to documentation of attackers' rootkits for various operating systems, and will raise their eyebrows at the techniques for writing malicious code to unused EEPROM chips in target systems. --David Wall

Topics covered: How to make software fail, either by doing something it wasn't designed to do, or by denying its use to its rightful users. Techniques--including reverse engineering, buffer overflow, and particularly provision of unexpected input--are covered along with the tools needed to carry them out. A section on hardware viruses is detailed and frightening.
Customer Reviews:
Must read if ... (June 15, 2008)
Nutshell review - You must read this book if you have anything to do with building software, from developer to development manager. Hoglund and McGraw are required reading.
Don't let the black hat on the cover fool you... (June 9, 2008)
This book is a great review of software security and deserves to be on any security professional's bookshelf. The chapter on Rootkits (Chapter 8) is well worth the price of the book. While the book isn't too long (at just over 400 pages) it does deliver in a concise, easy to read format that makes the book a rewarding read.
Not as good as other works by these great authors, but still valuable (July 4, 2007)
1 out of 2 found this review helpful
I read Exploiting Software (ES) last year but realized I hadn't reviewed it yet. Having read other books by these authors, like McGraw's Software Security and Hoglund's Rootkits, I realized ES was not as good as those newer books. At the time ES was published (2004) it continued to define the software exploitation genre begun in Building Secure Software. However, I don't think it's necessary to pay close attention to ES when newer books by McGraw and Hoglund are now available.
On the positive side, I appreciate three aspects of ES. First, I like the attention paid to attack patterns. This concept makes sense and should be used by other authors who want to describe a means to exploit a target. Second, I am impressed that ES features a whole chapter (5) on attacking client software. When ES was published, client-side attacks were just becoming popular. Discussing this problem shows great insights on the part of the authors. Third, several of the examples in ES are great case studies on exploiting software. When explained in sufficient detail they make for educational reading.
On the down side, I agree with several other reviewers that the book seems somewhat erratic. Attack patterns that are two sentences long are probably candidates for inclusion in a chart, not listed in the main text. I don't think the predictions found in ch 1 were necessary, and I think some of the criticism of detection methods in ch 6 border on the ignorant. I agree that perfect detection is impossible, but there are plenty of methods that work in the real world. They may not be real-time, but no intruder is perfectly stealthy in all aspects of an attack.
Regarding chapters 7 and 8, on buffer overflows and rootkits -- at 170 pages, those could almost have been their own book. The material doesn't seem to match the rest of the book, and it's obviously Hoglund's work. Add in a like-minded chapter on reverse engineering (3) at 74 pages and you definitely have a stand-alone book!
It's probably sufficient to read Building Secure Software, Software Security, and Rootkits if you like the McGraw/Hoglund approach to attacking and defending software. Take a quick look at the attack pattern material to get a feel for that concept.
Want to fix things instead of break them? (March 3, 2006)
7 out of 18 found this review helpful
One of the authors here.
Thinking carefully about how things break is a good idea. You should read this book and you should also read "The Shellcoder's Handbook" by Litchfield et al. Pretend security nonsense crumbles under the weight of real attacks.
However, if you're interested in fixing the problem, get "Software Security: Building Security In". It's time to DO software security!
On the other hand, if you're looking for the ultimate weapon in the attacker's toolkit, go get "Rootkits."
In the end, the only smart move is a combo package of "think like an attacker" and "build like a pro." For your best all around bargain, get "The Software Security Library."
Why we use it for a graduate class (August 19, 2005)
10 out of 14 found this review helpful
The one major strength of this book, from a computer science viewpoint, is its emphasis on "attack patterns". This systemization of these issues really differentiates this book from many of its competitors (which tend to be either the latest 500 hacks or descriptions of standards). Put simply, CS is the study of algorithms, and this book fits nicely into that tradition.
Powered by: Dknc, inc. and Amazon.com