|
|
| [¿Ü¼ÇåÃ¥] E=The Art of Software Security Testing [Àç°í: 1 ±Ç] |
|   | ¡Ø µµ¼ÀÇ »ó¼¼ÇÑ ³»¿ëÀº ¾Æ¸¶Á¸¿¡¼ È®ÀÎÇÏ½Ç ¼ö ÀÖ½À´Ï´Ù. [ ³»¿ëº¸±â] |
-ÀÌ µµ¼ÀÇ Á¤°¡´Â 1´Þ·¯¸¦ 1000¿øÀ¸·Î ȯ»êÇÏ¿© ÀÓÀÇ·Î ±â·ÏÇÏ¿´½À´Ï´Ù.
State-of-the-Art Software Security Testing: Expert, Up to Date, and Comprehensive
The Art of Software Security Testing delivers in-depth, up-to-date, battle-tested techniques for anticipating and identifying software security problems before the ¡°bad guys¡± do.
Drawing on decades of experience in application and penetration testing, this book¡¯s authors can help you transform your approach from mere ¡°verification¡± to proactive ¡°attack.¡± The authors begin by systematically reviewing the design and coding vulnerabilities that can arise in software, and offering realistic guidance in avoiding them. Next, they show you ways to customize software debugging tools to test the unique aspects of any program and then analyze the results to identify exploitable vulnerabilities.
Coverage includes;
- Tips on how to think the way software attackers think to strengthen your defense strategy
- Cost-effectively integrating security testing into your development lifecycle
- Using threat modeling to prioritize testing based on your top areas of risk
- Building testing labs for performing white-, grey-, and black-box software testing
- Choosing and using the right tools for each testing project
- Executing today¡¯s leading attacks, from fault injection to buffer overflows
- Determining which flaws are most likely to be exploited by real-world attackers
This book is indispensable for every technical professional responsible for software security: testers, QA specialists, security professionals, developers, and more. For IT managers and leaders, it offers a proven blueprint for implementing effective security testing or strengthening existing processes. |
 Elfriede Dustin
About the Author
Chris Wysopal is CTO at Veracode, Inc. His career in the information security industry has spanned over 15 years. Having held several positions in the industry, while also serving as a regular advisor to various government agencies, he is recognized as an expert in the field of information security. Wysopal also served as vice president of research and development for @stake. In this role, Wysopal managed a product group in developing security tools focused on wireless, infrastructure, and application security. Working with vendors and the general public, Wysopal was also responsible for managing @stake's vulnerability research and disclosure process.
Lucas Nelson has worked for Symantec for the past 3 years leading test teams engagements in a variety of services including application penetration tests, code reviews, product penetration tests, application design reviews, as well as teaching classes in cyber attacks. He counts several of the top ten banks and investment firms as his clients along with many large software development companies on the west coast. Some notable work includes assessments of electronic voting machines used in the United States and the wireless infrastructure of a stock exchange. He also leads the Application Security Center of Excellence, which focused on developing application security practices and guidelines as well as the training of new hires in the methodology of application testing, inside of Symantec.
Dino A. Dai Zovi is a computer security consultant and developer for Matasano Security. Author of numerous papers and presentations on exploitation techniques, 802.11 wireless attacks, and OS kernel security, Dino comes to Matasano from the Attack and Exploitation Team at Bloomberg. Dino's career spans over 7 years and includes key roles at @stake, and the IDART Red Team at Sandia Labs. He has spoken at security conferences including IEEE, DEFCON, CanSecWest, and PACSEC.
|
 FOREWORD XIII
PREFACE XVII
ACKNOWLEDGMENTS XXIX
ABOUT THE AUTHORS XXXI
PART I: INTRODUCTION
CASE YOUR OWN JOINT: A PARADIGM SHIFT FROM TRADITIONAL SOFTWARE TESTING 3(16)
SECURITY TESTING VERSUS TRADITIONAL SOFTWARE TESTING 5(2)
SQL INJECTION ATTACK PATTERN 7(1)
THE PARADIGM SHIFT OF SECURITY TESTING 8(1)
HIGH-LEVEL SECURITY TESTING STRATEGIES 9(1)
THE FAULT INJECTION MODEL OF TESTING: TESTERS AS DETECTIVES 9(2)
THINK LIKE AN ATTACKER 11(5)
PRIORITIZING YOUR WORK 13(1)
TAKE THE EASY ROAD: USING TOOLS TO AID IN THE DETECTIVE WORK 14(1)
LEARN FROM THE VULNERABILITY TREE OF KNOWLEDGE 15(1)
TESTING RECIPE: SUMMARY 16(1)
ENDNOTES 17(2)
HOW VULNERABILITIES GET INTO ALL SOFTWARE 19(36)
DESIGN VERSUS IMPLEMENTATION VULNERABILITIES 20(2)
COMMON SECURE DESIGN ISSUES 22(7)
POOR USE OF CRYPTOGRAPHY 22(2)
TRACKING USERS AND THEIR PERMISSIONS 24(1)
FLAWED INPUT VALIDATION 25(1)
WEAK STRUCTURAL SECURITY 26(2)
OTHER DESIGN FLAWS 28(1)
PROGRAMMING LANGUAGE IMPLEMENTATION ISSUES 29(15)
COMPILED LANGUAGE: C/C++ 30(8)
INTERPRETED LANGUAGES: SHELL SCRIPTING AND PHP 38(4)
VIRTUAL MACHINE LANGUAGES: JAVA AND C# 42(2)
PLAT...(ÇÏ·«) |
|
|  | ÇöÀç E=The Art of Software Security Testing¿¡ µî·ÏµÈ ¼ÆòÀÌ ¾ø½À´Ï´Ù. |  |
|
|
|
