Review By: Showey Howey
09/22/2008

Add fuzzing and this book to your library of test tools to help you produce more secure software environments. The book, a 2008 Jolt-award finalist, is both a technical reference and a fascinating read. Programmers and security professionals get bluntly-stated pros and cons of the state of current tools with (as of this review) good working links to more code and information. The authors discuss fuzzing in neatly divided, yet cross-referenced, sections within the text. It is easy to locate a specific area of interest without having to read through pages of what you already know or what you hope you don't need to know. Coverage of these special effects includes methods and types of fuzzer tools; data generation; and building or extending COTS and freeware automation over applications, servers, file formats, network protocols, browsers, and in-memory testing on both Windows and UNIX platforms.

Fans of CSI, Numbers, and even Bones can enjoy an armchair hunt for automated testing techniques and algorithms that calculate the "good, better, and best" of bad input data. The technical parts of this book are easy to locate and skim over. While the hilarious quotes from George W. Bush keep everyone from geeks to C-level suits thinking about this topic's real relevance in our country and world today. Those in the trenches will use catchy quotes and information from the authors to encourage management’s consideration of integrating fuzzing in a project plan and budget.

The book acknowledges its shelf life by guiding readers to sources on the Web where, presumably, the ideas and concepts in the book will be updated as the field grows.