Sunday, September 25, 2011

Impressions: The Art of Software Security Assessment

I recently took The Art of Software Security Assessment (TAOSSA) with me on a flight across the US and part of the Pacific. This massive book by Mark Dowd, John McDonald, and Justin Schuh is unlike anything I've read before. If I had read the whole book I would have written a five star review. However, since I only read certain parts of interest to me, I'm sharing these impressions of the book.

One of my favorite aspects of TAOSSA is the demonstration of software vulnerabilities by showing snippets of actual software familiar to many readers. These examples are sort of like behind-the-scenes looks at individual CVEs, where the authors show what's really happening and why it matters.

In some cases these examples show the development of code over time, and the flaws that developers introduce when trying to fix old vulnerabilities. For example, pages 250-3 show the progression of problems with the Antisniff tool. We read about trouble with versions 1.0, 1.1, 1.1.1, and 1.1.2, each trying to fix a bug caused by the previous change.

Another amazing aspect of TAOSSA is its coverage of subtle differences between different Unix-like systems, e.g. FreeBSD, NetBSD, OpenBSD, Solaris, and Linux. I really appreciated such careful attention to detail.

Probably the strongest aspect of TAOSSA was the overall methodology, which I define as 1) show how the technology works; 2) show vulnerabilities in code; 3) show how to fix the code (usually all with real examples).

My only criticism is more philosophical, because the authors recycle the flawed Microsoft "threat modeling" paradigm. This approach results in weird sentences like "threat identification is the process of determining an application's security exposure based on your knowledge of the system" (p 59). Fortunately the authors use the proper term "attack trees" rather than "threat trees," presumably because they recognize that Bruce Schneier was right when he promoted the "attack tree" approach!

Overall, the book is very well written, with great consistency despite three authors and hundreds of pages. If you can find a software developer who honestly read the entire TAOSSA and integrated its wisdom into his or her coding, hire that person!


dre said...

This is the best book ever published in the field of information security.

Joe said...

I have this book. It's *heavy*. I wish I bought the ebook.