“Hunting Security Bugs” now available from Microsoft Press

This is a new security book from MSPress that focuses on security testing. I read some of the chapters a few weeks ago, and it's wonderful to add a testing perspective to the world of security. A great deal has been written about security and code quality, but virtually nothing about security testing, and certainly nothing as complete as this book; the authors, Bryan Jeffries, Lawrence Landauer and Tom Gallagher have done a wonderful job.

Chapter Listing:

  • General Approach to Security Testing
  • Using Threat Models for Security Testing
  • Finding Entry Points
  • Becoming a Malicious Client
  • Becoming a Malicious Server
  • Spoofing
  • Information Disclosure
  • Buffer Overruns and Stack and Heap Manipulation
  • Format String Attacks
  • HTML Scripting Attacks
  • XML Issues
  • Canonicalization Issues
  • Finding Weak Permissions
  • Denial of Service Attacks
  • Managed Code Issues
  • SQL Injection
  • Observation & Reverse Engineering
  • ActiveX Repurposing
  • Additional Repurposing Attacks
  • Reporting Security Bugs


Appendix A: Tools of the Trade

Appendix B: Security Test Case Cheat Sheet

More info about the book is here.