Hi,

Justin Schuh, John McDonald and I recently finished a book on software security assessment. The three of us have put quite a bit of time and effort into this project; essentially, it's a 1200 page book about how to audit code to find vulnerabilities, based on our own experience. We present high-level strategies for performing design and implementation reviews, but the bulk of the content is dedicated to the technical details of vulnerabilities and how they appear in real-world applications.
We've attempted to structure this book so it will prove useful for a variety of audiences: developers assessing their own work (or the work of their peers), consultants performing professional application security reviews, or researchers looking to find the showstoppers that will appear in next month's Patch Tuesday.

Here are some links:

http://www.amazon.com/gp/product/0321444426/
http://www.awprofessional.com/bookstore/product.asp?isbn=0321444426&rl=1

There's a sample chapter on the AW site that will give you a feel for what the rest of the book is like. It's our chapter on C language issues, and it has lots of examples of integer overflows and type conversion flaws, as well as some fun C puzzles.

The book will be hitting stores within the next few days. Any thoughts/comments would be appreciated.

Enjoy!

Mark Dowd
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
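As an added illustration of the two flaw classes the announcement says the sample chapter covers (integer overflows and type conversion flaws), here is a small C program written for this page; it is not code from the book or from its authors. The function names, RECORD_MAX and ELEM_SIZE are assumptions made for the example. Each flaw is shown beside a hardened version, and the vulnerable functions only return the size they would have handed to memcpy() or malloc() rather than performing the operation, so the program is safe to run.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not code from the book. RECORD_MAX, ELEM_SIZE and the
 * function names are assumed for the example. The vulnerable functions return
 * the size they would have passed to memcpy()/malloc(); no copy or allocation
 * is performed. */

#define RECORD_MAX 64      /* int constant, as in much real code */
#define ELEM_SIZE  16u     /* size of one table element, in bytes */

/* Type conversion flaw: 'len' arrives as a signed int from an untrusted
 * header. The bounds check compares int against int, so a negative length
 * passes. At the memcpy() call 'len' is converted to size_t and -1 becomes
 * SIZE_MAX, turning a 64-byte record copy into an unbounded one. */
size_t vulnerable_copy_len(int len)
{
    if (len > RECORD_MAX)          /* -1 > 64 is false: check bypassed */
        return 0;                  /* rejected */
    return (size_t)len;            /* -1 -> SIZE_MAX */
}

/* Hardened: reject negative lengths before any conversion happens. A value
 * that is non-negative and <= RECORD_MAX converts to size_t safely. */
size_t hardened_copy_len(int len)
{
    if (len < 0 || len > RECORD_MAX)
        return 0;
    return (size_t)len;
}

/* Integer overflow: an attacker-chosen element count is multiplied by the
 * element size in 32-bit unsigned arithmetic. The product wraps modulo 2^32,
 * so malloc() receives a small size while a fill loop still runs 'count'
 * times and writes far past the end of the allocation. */
uint32_t vulnerable_alloc_size(uint32_t count)
{
    return count * ELEM_SIZE;      /* 0x10000001 * 16 wraps to 16 */
}

/* Hardened: prove the multiplication cannot wrap before doing it.
 * Returns 0 and stores the size on success, -1 if count is too large. */
int hardened_alloc_size(uint32_t count, uint32_t *out)
{
    if (count > UINT32_MAX / ELEM_SIZE)
        return -1;
    *out = count * ELEM_SIZE;
    return 0;
}

int main(void)
{
    uint32_t size = 0;

    printf("len=-1: vulnerable passes %zu bytes to memcpy, hardened passes %zu\n",
           vulnerable_copy_len(-1), hardened_copy_len(-1));
    printf("count=0x10000001: vulnerable asks malloc for %" PRIu32 " bytes\n",
           vulnerable_alloc_size(0x10000001u));
    printf("count=0x10000001: hardened returns %d\n",
           hardened_alloc_size(0x10000001u, &size));
    return 0;
}
```

The first flaw is invisible at the check itself; it only materialises where the signed value meets a size_t parameter, which is why an auditor traces every length from its untrusted source to each sink rather than stopping at the first comparison. The second is caught by bounding the multiplicand against UINT32_MAX / ELEM_SIZE, the standard pre-multiplication check, rather than testing the already-wrapped product.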