Sunday, August 13, 2006
Book Report: How to Break Software Security by James A. Whittaker and Herbert H. Thompson (2003)
After I read How to Break Software (which a quick Google check indicates I have not reviewed, gentle reader, but most of you wouldn't have read it anyway), I bought the companion volumes. This book, which I bought off of Amazon.com at its retail price, disappointed me where How to Break Software did not.

Both books run off of a quick list of fault-model testing (a term I learned from the first book). I had a ball with the first book, laughing at seeing some of my favorite dirty tricks encapsulated in a book by someone definitive. This book, however, didn't hold the same glee for me.

The first book dealt with a broad subject and offered some very concrete things to try to attack software. This second book deals with a similarly broad subject (security testing), but is more abstract. The attacks it discusses aren't as narrow and easy to recreate; they're more methods and abstract ideas to try rather than concrete shortcuts to finding issues. I know, there's something to be said for a broad, ranging methodology, but the first book wasn't that way, and I didn't expect this one to be that way. Additionally, the book is sized similarly to the first, which doesn't allow it to go into a lot of detail for each of the abstract things it talks about.

Finally, I don't know that the book focuses enough on actual security attacks; rather, it focuses on attacks that could be construed as security breaches. However, in many cases, they're not specifically security attacks, but rather regular tests that could, if applied to applications needing security, be security attacks.

Maybe that's all security testing is, but this book wasn't different enough from the first book to make me wonder if it wasn't really a sequel given a better title.

On the other hand, it does come with a CD and a tool which looks to be pretty cool, if I could get some professional time to play with it.

So buy the first book, How to Break Software, and apply its attacks to secure software. Buy this book if you're really into it or if the company is buying it for you.
