Impressions: Hunting Security Bugs

I don't hunt security bugs for a living, but I've worked on teams that do and I find the process important to understand. A defender should appreciate the work that an adversary must perform in order to discover a vulnerability and weaponize an exploit. That is the spirit with which I read Hunting Security Bugs by Tom Gallagher, Bryan Jeffries, and Lawrence Landauer. When the book was published in 2006 all the authors worked at Microsoft and Microsoft Press published the book. (Yes, I did wait a long time to take a look at this title...)

Despite the passage of time, I thought HSB stood up very well. Most of the problems discussed in the book and the techniques to find them should still work today. The targets have changed somewhat (XP was the target in the book; Windows 7 would be more helpful today -- thought not everywhere).

Again, this is an impression and not a review, so I only offer thoughts and not opinions or judgements on the text. From what I saw, the book appears well written with helpful diagrams and screen shots. It covers a lot of surface area and ways to exploit it.

One note for the history buffs: the foreword says:

When Jesse James, the famous outlaw of the American West, was asked why he robbed banks, he replied, Thats where the money is.

I'm sure most of you think that Willie Sutton said that, not Jesse James. According to Snopes neither of them said it:

While lore would have it that the bank robber replied "Because that's where the money is" to that common question, Sutton denied ever having said it. "The credit belongs to some enterprising reporter who apparently felt a need to fill out his copy," wrote Sutton in his autobiography. "I can't even remember where I first read it. It just seemed to appear one day, and then it was everywhere."

But back to the book -- should you buy it? If your job involves finding vulnerabilities in Windows software (and this book does have more of a Windows slant), I would take a close look at it.

Comments

Raymond Dubisky said…
Are there any texts on this topic that you would recommend reading that are more recent? I'll be adding this one to my list of books to read- but don't want to have a huge gap.
Tobias Klein's Bug Hunter's Diary appears popular.

Popular posts from this blog

Zeek in Action Videos

MITRE ATT&CK Tactics Are Not Tactics

New Book! The Best of TaoSecurity Blog, Volume 4