Exploiting Software: How to Break Code (Addison-Wesley Software Security Series)

Author: Greg Hoglund
Published: 2004-02-27
List price: $54.99
Our price: $32.99
Usually ships in 24 hours
As of: August 20th, 2008 09:24:43 AM
Customer comments on this selection.

Must read if ...
Nutshell review - You must read this book if you have anything to do with building software, from developer to development manager. Hoglund and McGraw are required reading.


Don't let the black hat on the cover fool you...
This book is a great review of software security and deserves to be on any security professional's bookshelf. The chapter on Rootkits (Chapter 8) is well worth the price of the book. While the book isn't too long (at just over 400 pages) it does deliver in a concise, easy to read format that makes the book a rewarding read.

Not as good as other works by these great authors, but still valuable
I read Exploiting Software (ES) last year but realized I hadn't reviewed it yet. Having read other books by these authors, like McGraw's Software Security and Hoglund's Rootkits, I realized ES was not as good as those newer books. At the time ES was published (2004) it continued to define the software exploitation genre begun in Building Secure Software. However, I don't think it's necessary to pay close attention to ES when newer books by McGraw and Hoglund are now available.

On the positive side, I appreciate three aspects of ES. First, I like the attention paid to attack patterns. This concept makes sense and should be used by other authors who want to describe a means to exploit a target. Second, I am impressed that ES features a whole chapter (5) on attacking client software. When ES was published, client-side attacks were just becoming popular. Discussing this problem shows great insights on the part of the authors. Third, several of the examples in ES are great case studies on exploiting software. When explained in sufficient detail they make for educational reading.

On the down side, I agree with several other reviewers that the book seems somewhat erratic. Attack patterns that are two sentences long are probably candidates for inclusion in a chart, not listed in the main text. I don't think the predictions found in ch 1 were necessary, and I think some of the criticism of detection methods in ch 6 borders on the ignorant. I agree that perfect detection is impossible, but there are plenty of methods that work in the real world. They may not be real-time, but no intruder is perfectly stealthy in all aspects of an attack.

Regarding chapters 7 and 8, on buffer overflows and rootkits -- at 170 pages, those could almost have been their own book. The material doesn't seem to match the rest of the book, and it's obviously Hoglund's work. Add in a like-minded chapter on reverse engineering (3) at 74 pages and you definitely have a stand-alone book!

It's probably sufficient to read Building Secure Software, Software Security, and Rootkits if you like the McGraw/Hoglund approach to attacking and defending software. Take a quick look at the attack pattern material to get a feel for that concept.


Want to fix things instead of break them?
One of the authors here.

Thinking carefully about how things break is a good idea. You should read this book and you should also read the "Shellcoder's Handbook" by Litchfield et al. Pretend security nonsense crumbles under the weight of real attacks.

However, if you're interested in fixing the problem, get "Software Security: Building Security In". It's time to DO software security!

On the other hand, if you're looking for the ultimate weapon in the attacker's toolkit, go get "Rootkits."

In the end, the only smart move is a combo package of "think like an attacker" and "build like a pro." For your best all around bargain, get "The Software Security Library."


Why we use it for a graduate class
The one major strength of this book, from a computer science viewpoint, is its emphasis on "attack patterns". This systemization of these issues really differentiates this book from many of its competitors (which tend to be either the latest 500 hacks or descriptions of standards). Put simply, CS is the study of algorithms, and this book fits nicely into that tradition.
