How to Break Software Security describes the general problem of software security from a practical perspective, from a software tester's point of view. It defines prescriptive techniques (attacks that testers can use on their own software) that are designed to ferret out security vulnerabilities in software applications. The book's style is easy to read, and it provides readers with the techniques and advice to hunt down security bugs and see that they're destroyed before the software is released.
Accompanying the book is a CD-ROM containing Holodeck, which tests for security vulnerabilities. There are also a number of bug-finding tools, freeware, and an easy-to-use port scanner included on the CD-ROM.
Review by: Sid Snook, 08/04/2009
Once again for the "Master Jedi" tester and his loyal band of "Jedi Knight" testers from the far, far away galaxy of the Florida Institute of Technology...it's "Brain on...eyes open...TEST!" The quest that the author's previous book ("How to Break Software") started is continued and surpassed in this sequel. The refreshing, pragmatic, and thoroughly delightful style of the original book is continued and focused on a very specific category of software bugs: "those that cause security vulnerabilities."
The subject matter of this book, like the original, is based on extensive and thorough research of "every published security vulnerability that could be found." A solid reverse-engineering research approach led the authors to conclusions about the likely root causes of each security bug analyzed.
Insight is given into the very different, sometimes pernicious, and almost invisible nature of security bugs as opposed to the more visible bugs presented in "How to Break Software." It is stated that many of the traditional testing techniques used to break software functionality simply are not applicable to security vulnerabilities and security bugs.
The feeling of being led into battle against a deadly foe, and having fun at the same time, emanates from this thoroughly entertaining and frequently inspiring illustration of attacks and examples. As I was armed with my arsenal of nineteen specific "Jedi knight light-saber" attacks, I began to feel a growing confidence that I might actually be able to stand my ground with some reasonable expectation of success against the nemesis of software security hackers that at times runs rampant on the internet.
This combat training started with a firm foundation based on developing a "fault model" as a guide. It continued by presenting in detail nineteen attacks that are constructed to locate and identify security vulnerabilities in design, implementation, software application, host, and data.
Well-known software applications (Microsoft Media Player, Mozilla Web Browser, OpenOffice) are used as "hands-on" examples of how to successfully apply the attacks. The reader is led through the process of identifying the software security risks and then designing and executing tests to expose these risks if they exist. As a professional tester, I was emotionally and professionally drawn into the excitement of finding the bugs described, almost as if I was point-man on the attack and not just an after-the-battle analyst and observer.
As a final step in this combat training, there is a chapter devoted to preparing a battle plan for selecting and applying the attacks.
Overall, this book is amazingly informative, authoritative, and at the same time elemental in its pragmatic approach to the security problem, instead of using esoteric academic technical terms and concepts. The "Brain on...eyes open...test" philosophy of the original book is carried on in this book within a similar experiential framework of attacks. It effectively makes the difficult nature of security testing much easier for the journeyman tester. That is, one need not be a world-class test professional to understand and use the techniques presented.
An added bonus of this book is a CD that contains a new version of Holodeck, Version 1.3, updated with features specific to hunting down security-related vulnerabilities, as well as a user-friendly port scanner (FITScanner). For those who have not read the original, Holodeck is logically a "cosmic cloud" around the application under test that partially insulates the application from its environment. Holodeck both monitors the environment and allows injection of errors in OS responses.
Note: I had the distinct pleasure of attending an SQE STAR conference and participating in a live presentation of the subject material contained in this course by Dr. Whittaker and Dr. Thompson. It should be noted that the subject material of this book, along with other material, is now also offered as a two-day training course. This course is very hands-on and supplemented with in-class testing attack demonstrations.