Book Review - The Art of Software Security Assessment
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities by Mark Dowd, John McDonald, and Justin Schuh is a comprehensive treatment of how to study and assess the security of your software and operating system platforms. If you are at all responsible for the security of software in your organization (and that includes all the developers, too), then this is a book that should be resident on your shelf.
Part 1 - Introduction to Software Security Assessment: Software Vulnerability Fundamentals; Design Review; Operational Review; Application Review Process
Part 2 - Software Vulnerabilities: Memory Corruption; C Language Issues; Program Building Blocks; Strings and Metacharacters; Unix 1 - Privileges and Files; Unix 2 - Processes; Windows 1 - Objects and the File System; Windows 2 - Interprocess Communications; Synchronization and State
Part 3 - Software Vulnerabilities in Practice: Network Protocols; Firewalls; Network Application Protocols; Web Applications; Web Technologies
Rather than just dive right in to detailed hacks, the authors take a measured, structured approach to assessing the security of software. The first part of the book covers the general process of reviewing for security, including design security, operational security, and application security. They also present the general areas of potential weaknesses that you need to look for in each development stage. Instead of just saying "look for bugs", they present different approaches to reviews that each have their strengths and weaknesses. You come away from Part 1 with a practical methodology that you can use immediately to consistently review all parts of your development process. Parts 2 and 3 are a bit more like other security books you've possibly seen, but much more emphasis is placed on understanding the "why" behind the problem rather than just the "how" of fixing it. Armed with this deeper understanding of why certain techniques are lacking, it's easier to change fundamental coding habits rather than just fixing problems as they're discovered in testing (or unfortunately in production). Many of the examples are in C/C++, so if that's your language of choice you'll get a lot more out of the book than others. Still, a competent developer should be able to follow the concepts regardless of their language of choice. And it really doesn't matter if you're just Unix or just Windows. Both sides are covered...
This is definitely not a small book (close to 1200 pages), but it's not padded or fluffed out to get there. It delivers real value for your money...