Computer software is an integral part of modern society. Companies rely on applications to manage client information, payment data, and inventory tracking. Consumers use software for a variety of different reasons as well--to manage their daily lives, to communicate with friends and family, and to browse resources made available on the internet, to name a few. With such a heavy reliance on software in our society, questions surrounding the security of the pieces of software performing these various tasks begin to arise. Is the software we are using really secure? How can we verify that it is? And what are the implications of a particular application being compromised? These are some of the questions that this book attempts to address. This book sheds light on the theory and practice of code auditing--how to rip apart an application and discover security vulnerabilities, whether they be simple or subtle, and how to assess the danger that each vulnerability represents.

Product Description

"There are a number of secure programming books on the market, but none that go as deep as this one. The depth and detail exceeds all books that I know about by an order of magnitude." -Halvar Flake, CEO and head of research, SABRE Security GmbH

The Definitive Insider's Guide to Auditing Software Security

This is one of the most detailed, sophisticated, and useful guides to software security auditing ever written. The authors are leading security consultants and researchers who have personally uncovered vulnerabilities in applications ranging from sendmail to Microsoft Exchange, Check Point VPN to Internet Explorer. Drawing on their extraordinary experience, they introduce a start-to-finish methodology for "ripping apart" applications to reveal even the most subtle and well-hidden security flaws. The Art of Software Security Assessment covers the full spectrum of software vulnerabilities in both UNIX/Linux and Windows environments.
It demonstrates how to audit security in applications of all sizes and functions, including network and Web software. Moreover, it teaches using extensive examples of real code drawn from past flaws in many of the industry's highest-profile applications.

Coverage includes:
- Code auditing: theory, practice, proven methodologies, and secrets of the trade
- Bridging the gap between secure software design and post-implementation review
- Performing architectural assessment: design review, threat modeling, and operational review
- Identifying vulnerabilities related to memory management, data types, and malformed data
- UNIX/Linux assessment: privileges, files, and processes
- Windows-specific issues, including objects and the filesystem
- Auditing interprocess communication, synchronization, and state
- Evaluating network software: IP stacks, firewalls, and common application protocols
- Auditing Web applications and technologies

This book is an unprecedented resource for everyone who must deliver secure software or assure the safety of existing software: consultants, security specialists, developers, QA staff, testers, and administrators alike.
Contents
- About the Authors xv
- Preface xvii
- Acknowledgments xxi
- Part I: Introduction to Software Security Assessment
  - 1 Software Vulnerability Fundamentals 3
  - 2 Design Review 25
  - 3 Operational Review 67
  - 4 Application Review Process 91
- Part II: Software Vulnerabilities
  - 5 Memory Corruption 167
  - 6 C Language Issues 203
  - 7 Program Building Blocks 297
  - 8 Strings and Metacharacters 387
  - 9 UNIX I: Privileges and Files 459
  - 10 UNIX II: Processes 559
  - 11 Windows I: Objects and the File System 625
  - 12 Windows II: Interprocess Communication 685
  - 13 Synchronization and State 755
- Part III: Software Vulnerabilities in Practice
  - 14 Network Protocols 829
  - 15 Firewalls 891
  - 16 Network Application Protocols 921
  - 17 Web Applications 1007
  - 18 Web Technologies 1083
- Bibliography 1125
- Index 1129
The new edition of the bestselling CCNA Cert Library by Wendell Odom is a comprehensive review and practice package for the latest CCNA exams. The two books contained in this package, CCENT/CCNA ICND1 Official Cert Guide and CCNA ICND2 Official Cert Guide, present complete reviews and a more challenging and realistic preparation experience. The books will be fully updated to cover the latest CCNA exam topics. The companion DVDs contain the powerful Pearson IT Certification Practice Test engine, complete with hundreds of well-reviewed, exam-realistic questions. The assessment engine offers you a wealth of customization options and reporting features, laying out a complete assessment of your knowledge to help you focus your study where it is needed most. This new edition also includes a free copy of the CCNA Network Simulator Lite edition, complete with meaningful lab exercises that help you hone your hands-on skills with the Cisco user interface for routers and switches. The DVDs also contain more than 60 minutes of personal video mentoring from the author focused on subnetting. Well regarded for their level of detail, assessment features, and challenging review questions and exercises, these official study guides help you master the concepts and techniques that will enable you to succeed on the exam the first time. This package includes the following two products:
1. CCENT/CCNA ICND1 Official Cert Guide
2. CCNA ICND2 Official Cert Guide
Automotive SPICE is an ISO/IEC 15504-compatible assessment model tailored specifically to the automotive industry. The challenge in introducing and implementing Automotive SPICE lies in interpreting the standard correctly and adapting it to a concrete problem. This book provides the interpretation aids needed for this and supports running process improvement in conformance with Automotive SPICE. It supplies uniform assessment criteria. The structure of the book follows the structure of the standard. The 2nd edition has been updated to Automotive SPICE 3.0 and extended with current topics such as practical assessments in accordance with intacs(TM) and VDA requirements, challenges in process improvement, agile development, and functional safety according to ISO 26262.
Mitigate the risks involved in migrating away from a proprietary database platform toward MariaDB's open source database engine. This book will help you assess the risks and the work involved, and ensure a successful migration. Migrating to MariaDB describes the process and lessons learned during a migration from a proprietary database management engine to the MariaDB open source solution. The book discusses the drivers for making the decision and change, walking you through all aspects of the process from evaluating the licensing, navigating the pitfalls and hurdles of a migration, through to final implementation on the new platform. The book highlights the cost-effectiveness of MariaDB and how the licensing worries are simplified in comparison to running on a proprietary platform. You'll learn to do your own risk assessment, to identify database and application code that may need to be modified or re-implemented, and to identify MariaDB features to provide the security and failover protection needed by corporate customers. Let the author's experience in migrating a financial firm to MariaDB inform your own efforts, helping you to develop a road map for both technical and political success within your own organization as you migrate away from proprietary lock-in toward MariaDB's open source solution.

What You'll Learn
- Evaluate and compare licensing costs between proprietary databases and MariaDB
- Perform a proper risk assessment to inform your planning and execution of the migration
- Build a migration road map from the book's example that is specific to your situation
- Make needed application changes and migrate data to the MariaDB open source database engine

Who This Book Is For
Technical professionals (including database administrators, programmers, and technical management) who are interested in migrating away from a proprietary database platform toward MariaDB's open source database engine and need to assess the risks and the work involved.
Product Description

The new edition of the bestselling CCNP Routing and Switching Official Cert Library is a comprehensive review and practice package for the latest CCNP Routing and Switching exams. The three books contained in this package, CCNP Routing and Switching ROUTE 300-101 Official Cert Guide, CCNP Routing and Switching SWITCH 300-115 Official Cert Guide, and CCNP Routing and Switching TSHOOT 300-135 Official Cert Guide, present complete reviews and a more challenging and realistic preparation experience. The books will be fully updated to cover the latest CCNP exam topics. The companion DVDs contain the powerful Pearson IT Certification Practice Test engine, complete with hundreds of well-reviewed, exam-realistic questions. The assessment engine offers you a wealth of customization options and reporting features, laying out a complete assessment of your knowledge to help you focus your study where it is needed most. The DVDs also each contain more than 60 minutes of personal video mentoring from the author. Well regarded for their level of detail, assessment features, and challenging review questions and exercises, these official study guides help you master the concepts and techniques that will enable you to succeed on the exam the first time.
Features + Benefits
- Revised editions of the #1 selling CCNP preparation self-study guides in a value-priced bundle
- Book content is fully updated to align to the new CCNP exam objectives
- Books and CDs are packed with features to help candidates master more difficult testing methods on the actual exams
- Practice tests contain exam-realistic questions that closely mimic the difficulty of the actual exam
- Includes supplemental video training
- In-depth expert explanations of all protocols, commands, and technologies on the CCNP exams
Software development today is carried out using agile methods. Whether a team, a software department, or an entire company succeeds in practicing agile development over the long term and achieving the hoped-for benefits depends to a decisive degree on software testing and agile software quality assurance. This book gives a practice-oriented overview of the most widespread test methods and practices as well as management instruments in agile projects. Development managers, project managers, test managers, and quality managers receive pointers and tips on how testing and quality assurance must be organized so that they do not lose their effectiveness in agile projects. Professional testers and software quality experts learn how to work successfully in agile teams and contribute their specific expertise to best effect. From the contents:
- Agile and classic process models
- Planning in the agile project
- Unit tests, test first
- Integration tests, continuous integration
- System tests, test nonstop
- Quality management, quality assurance
Case studies, a continuous worked example, exercises, and check questions for self-assessment round out the contents. The book is oriented toward the ISTQB® Certified Tester - Foundation Level Extension Syllabus "Agile Tester". It is equally suitable for self-study and as accompanying literature for the corresponding training courses. The 2nd edition has been completely revised and conforms to the ISTQB® syllabus version 2014. "The book is highly recommended." Harry Sneed on the 1st edition
Penetration testers simulate cyber attacks to find security weaknesses in networks, operating systems, and applications. Information security experts worldwide use penetration techniques to evaluate enterprise defenses. In Penetration Testing, security expert, researcher, and trainer Georgia Weidman introduces you to the core skills and techniques that every pentester needs. Using a virtual machine-based lab that includes Kali Linux and vulnerable operating systems, you'll run through a series of practical lessons with tools like Wireshark, Nmap, and Burp Suite. As you follow along with the labs and launch attacks, you'll experience the key stages of an actual assessment, including information gathering, finding exploitable vulnerabilities, gaining access to systems, post exploitation, and more. Learn how to:
- Crack passwords and wireless network keys with brute-forcing and wordlists
- Test web applications for vulnerabilities
- Use the Metasploit Framework to launch exploits and write y
This book addresses the latest approaches to holistic Cyber-Physical System (CPS) resilience in real-world industrial applications. Ensuring the resilience of CPSs requires cross-discipline analysis and involves many challenges and open issues, including how to address evolving cyber-security threats. The book describes emerging paradigms and techniques from two main viewpoints: CPSs' exposure to new threats, and CPSs' potential to counteract them. Further, the chapters address topics ranging from risk modeling to threat management and mitigation. The book offers a clearly structured, highly accessible resource for a diverse readership, including graduate students, researchers and industry practitioners who are interested in evaluating and ensuring the resilience of CPSs in both the development and assessment stages. Foreword by Prof. Shiyan Hu, Chair of Cyber-Physical Systems at Linnaeus University, Sweden.
Understand critical cybersecurity and risk perspectives, insights, and tools for the leaders of complex financial systems and markets. This book offers guidance for decision makers and helps establish a framework for communication between cyber leaders and front-line professionals. Information is provided to help in the analysis of cyber challenges and choosing between risk treatment options. Financial cybersecurity is a complex, systemic risk challenge that includes technological and operational elements. The interconnectedness of financial systems and markets creates dynamic, high-risk environments where organizational security is greatly impacted by the level of security effectiveness of partners, counterparties, and other external organizations. The result is a high-risk environment with a growing need for cooperation between enterprises that are otherwise direct competitors. There is a new normal of continuous attack pressures that produce unprecedented enterprise threats that must be met with an array of countermeasures. Financial Cybersecurity Risk Management explores a range of cybersecurity topics impacting financial enterprises. This includes the threat and vulnerability landscape confronting the financial sector, risk assessment practices and methodologies, and cybersecurity data analytics. Governance perspectives, including executive and board considerations, are analyzed as are the appropriate control measures and executive risk reporting. 
What You'll Learn
- Analyze the threat and vulnerability landscape confronting the financial sector
- Implement effective technology risk assessment practices and methodologies
- Craft strategies to treat observed risks in financial systems
- Improve the effectiveness of enterprise cybersecurity capabilities
- Evaluate critical aspects of cybersecurity governance, including executive and board oversight
- Identify significant cybersecurity operational challenges
- Consider the impact of the cybersecurity mission across the enterprise
- Leverage cybersecurity regulatory and industry standards to help manage financial services risks
- Use cybersecurity scenarios to measure systemic risks in financial systems environments
- Apply key experiences from actual cybersecurity events to develop more robust cybersecurity architectures

Who This Book Is For
Decision makers, cyber leaders, and front-line professionals, including: chief risk officers, operational risk officers, chief information security officers, chief security officers, chief information officers, enterprise risk managers, cybersecurity operations directors, technology and cybersecurity risk analysts, cybersecurity architects and engineers, and compliance officers.
This book discusses the problems and challenges in the interdisciplinary research field of self-adaptive software systems. Modern society is increasingly filled with software-intensive systems, which are required to operate in more and more dynamic and uncertain environments. These systems must monitor and control their environment while adapting to meet the requirements at runtime. This book provides promising approaches and research methods in software engineering, system engineering, and related fields to address the challenges in engineering the next-generation adaptive software systems. The contents of the book range from design and engineering principles (Chap. 1) to control-theoretic solutions (Chap. 2) and bidirectional transformations (Chap. 3), which can be seen as promising ways to implement the functional requirements of self-adaptive systems. Important quality requirements are also dealt with by these approaches: parallel adaptation for performance (Chap. 4), self-adaptive authorization infrastructure for security (Chap. 5), and self-adaptive risk assessment for self-protection (Chap. 6). Finally, Chap. 7 provides a concrete self-adaptive robotics operating system as a testbed for self-adaptive systems. The book grew out of a series of the Shonan Meetings on this ambitious topic held in 2012, 2013, and 2015. The authors were active participants in the meetings and have brought in interesting points of view. After several years of reflection, they now have been able to crystalize the ideas contained herein and collaboratively pave the way for solving some aspects of the research problems. As a result, the book stands as a milestone to initiate further progress in this promising interdisciplinary research field.