
Hunting security bugs


Bibliographic Details
Classification: Electronic book
Main author: Gallagher, Tom
Other authors: Jeffries, Bryan, Landauer, Lawrence
Format: Electronic eBook
Language: English
Published: Redmond, Wash. : Microsoft Press, 2006.
Series: Secure software development series.
Subjects: Computer security; Computer software, Testing; Computer networks, Security measures
Online access: Full text (requires prior registration with an institutional e-mail address)

MARC

LEADER 00000cam a2200000Ia 4500
001 OR_ocm85789106
003 OCoLC
005 20231017213018.0
006 m o d
007 cr unu||||||||
008 070307s2006 wau o 001 0 eng d
010 |a  2006927197 
040 |a UMI  |b eng  |e pn  |c UMI  |d BAKER  |d TXJ  |d NIALS  |d CEF  |d OCLCQ  |d TEFOD  |d B24X7  |d DEBSZ  |d OCLCQ  |d OCLCO  |d OCLCQ  |d OCLCF  |d OCLCQ  |d OCLCO  |d OCLCQ  |d AU@  |d YDXCP  |d OCLCQ  |d OCLCE  |d OCLCQ  |d OCLCA  |d OCLCQ  |d OCLCA  |d WYU  |d OCLCQ  |d VT2  |d EQK  |d OCLCA  |d OCLCQ  |d INARC  |d LDP  |d UKAHL  |d LVT  |d OCLCO  |d OCLCQ 
019 |a 185038530  |a 827175005  |a 989014079  |a 1044356283  |a 1056408717  |a 1058180933  |a 1060830249  |a 1063816908  |a 1073067333  |a 1083174836  |a 1103256833  |a 1129360705  |a 1149475755  |a 1152999068  |a 1200475519  |a 1202553496  |a 1240531317  |a 1289801099  |a 1302274647 
020 |a 073562187X 
020 |a 9780735621879 
020 |a 9780735690592  |q (electronic bk. ;  |q Adobe Reader) 
020 |a 0735690596  |q (electronic bk. ;  |q Adobe Reader) 
020 |a 9780735660243  |q (e-book) 
020 |a 0735660247 
020 0 |a 9780735660465  |q (online) 
020 |a 0735660468 
029 1 |a AU@  |b 000050492004 
029 1 |a CHBIS  |b 006149161 
029 1 |a CHVBK  |b 17140002X 
029 1 |a DEBBG  |b BV040903106 
029 1 |a DEBSZ  |b 355375028 
029 1 |a DEBSZ  |b 381391949 
029 1 |a GBVCP  |b 617231451 
029 1 |a HEBIS  |b 291448828 
029 1 |a AU@  |b 000066231955 
035 |a (OCoLC)85789106  |z (OCoLC)185038530  |z (OCoLC)827175005  |z (OCoLC)989014079  |z (OCoLC)1044356283  |z (OCoLC)1056408717  |z (OCoLC)1058180933  |z (OCoLC)1060830249  |z (OCoLC)1063816908  |z (OCoLC)1073067333  |z (OCoLC)1083174836  |z (OCoLC)1103256833  |z (OCoLC)1129360705  |z (OCoLC)1149475755  |z (OCoLC)1152999068  |z (OCoLC)1200475519  |z (OCoLC)1202553496  |z (OCoLC)1240531317  |z (OCoLC)1289801099  |z (OCoLC)1302274647 
037 |a CL0500000007  |b Safari Books Online 
042 |a dlr 
050 4 |a QA76.9.A25  |b G356 2006 
082 0 4 |a 005.8  |2 22 
084 |a 54.38  |2 bcl 
084 |a 54.52  |2 bcl 
084 |a ST 276  |2 rvk 
049 |a UAMI 
100 1 |a Gallagher, Tom. 
245 1 0 |a Hunting security bugs /  |c Tom Gallagher, Bryan Jeffries, Lawrence Landauer. 
260 |a Redmond, Wash. :  |b Microsoft Press,  |c 2006. 
300 |a 1 online resource. 
336 |a text  |b txt  |2 rdacontent 
337 |a computer  |b c  |2 rdamedia 
338 |a online resource  |b cr  |2 rdacarrier 
490 1 |a Secure software development series 
588 0 |a Print version record. 
506 |3 Use copy  |f Restrictions unspecified  |2 star  |5 MiAaHDL 
533 |a Electronic reproduction.  |b [Place of publication not identified] :  |c HathiTrust Digital Library,  |d 2011.  |5 MiAaHDL 
538 |a Master and use copy. Digital master created according to Benchmark for Faithful Digital Reproductions of Monographs and Serials, Version 1. Digital Library Federation, December 2002.  |u http://purl.oclc.org/DLF/benchrepro0212  |5 MiAaHDL 
583 1 |a digitized  |c 2011  |h HathiTrust Digital Library  |l committed to preserve  |2 pda  |5 MiAaHDL 
500 |a Includes index. 
504 |a Includes index. 
505 0 0 |a Machine derived contents note: Dedication; Foreword; Introduction; Who Is This Book For?; Organization of This Book; System Requirements; Technology Updates; Code Samples and Companion Content; Support for This Book; Acknowledgments; Chapter 1: General Approach to Security Testing; 1.1 Different Types of Security Testers; 1.2 An Approach to Security Testing; 1.3 Summary; Chapter 2: Using Threat Models for Security Testing; 2.1 Threat Modeling; 2.2 How Testers Can Leverage a Threat Model; 2.3 Data Flow Diagrams; 2.4 Enumeration of Entry Points and Exit Points; 2.5 Enumeration of Threats; 2.6 How Testers Should Use a Completed Threat Model; 2.7 Implementation Rarely Matches the Specification or Threat Model; 2.8 Summary; Chapter 3: Finding Entry Points; 3.1 Finding and Ranking Entry Points; 3.2 Common Entry Points; 3.3 Summary; Chapter 4: Becoming a Malicious Client; 4.1 Client/Server Interaction; 4.2 Testing HTTP; 4.3 Testing Specific Network Requests Quickly; 4.4 Testing Tips; 4.5 Summary; Chapter 5: Becoming a Malicious Server; 5.1 Understanding Common Ways Clients Receive Malicious Server Responses; 5.2 Does SSL Prevent Malicious Server Attacks?; 5.3 Manipulating Server Responses; 5.4 Examples of Malicious Response Bugs; 5.5 Myth: It Is Difficult for an Attacker to Create a Malicious Server; 5.6 Understanding Downgrade MITM Attacks; 5.7 Testing Tips; 5.8 Summary; Chapter 6: Spoofing; 6.1 Grasping the Importance of Spoofing Issues; 6.2 Finding Spoofing Issues; 6.3 General Spoofing; 6.4 User Interface Spoofing; 6.5 Testing Tips; 6.6 Summary; Chapter 7: Information Disclosure; 7.1 Problems with Information Disclosure; 7.2 Locating Common Areas of Information Disclosure; 7.3 Identifying Interesting Data; 7.4 Summary; Chapter 8: Buffer Overflows and Stack and Heap Manipulation; 8.1 Understanding How Overflows Work; 8.2 Testing for Overruns: Where to Look for Cases; 8.3 Black Box (Functional) Testing; 8.4 White Box Testing; 8.5 Additional Topics; 8.6 Testing Tips; 8.7 Summary; Chapter 9: Format String Attacks; 9.1 What Are Format Strings?; 9.2 Understanding Why Format Strings Are a Problem; 9.3 Testing for Format String Vulnerabilities; 9.4 Walkthrough: Seeing a Format String Attack in Action; 9.5 Testing Tips; 9.6 Summary; Chapter 10: HTML Scripting Attacks; 10.1 Understanding Reflected Cross-Site Scripting Attacks Against Servers; 10.2 Understanding Persistent XSS Attacks Against Servers; 10.3 Identifying Attackable Data for Reflected and Persistent XSS Attacks; 10.4 Common Ways Programmers Try to Stop Attacks; 10.5 Understanding Reflected XSS Attacks Against Local Files; 10.6 Understanding Script Injection Attacks in the My Computer Zone; 10.7 Ways Programmers Try to Prevent HTML Scripting Attacks; 10.8 Understanding How Internet Explorer Mitigates XSS Attacks Against Local Files; 10.9 Identifying HTML Scripting Vulnerabilities; 10.10 Finding HTML Scripting Bugs Through Code Review; 10.11 Summary; Chapter 11: XML Issues; 11.1 Testing Non-XML Security Issues in XML Input Files; 11.2 Testing XML-Specific Attacks; 11.3 Simple Object Access Protocol; 11.4 Testing Tips; 11.5 Summary; Chapter 12: Canonicalization Issues; 12.1 Understanding the Importance of Canonicalization Issues; 12.2 Finding Canonicalization Issues; 12.3 File-Based Canonicalization Issues; 12.4 Web-Based Canonicalization Issues; 12.5 Testing Tips; 12.6 Summary; Chapter 13: Finding Weak Permissions; 13.1 Understanding the Importance of Permissions; 13.2 Finding Permissions Problems; 13.3 Understanding the Windows Access Control Mechanism; 13.4 Finding and Analyzing Permissions on Objects; 13.5 Recognizing Common Permissions Problems; 13.6 Determining the Accessibility of Objects; 13.7 Other Permissions Considerations; 13.8 Summary; Chapter 14: Denial of Service Attacks; 14.1 Understanding Types of DoS Attacks; 14.2 Testing Tips; 14.3 Summary; Chapter 15: Managed Code Issues; 15.1 Dispelling Common Myths About Using Managed Code; 15.2 Understanding the Basics of Code Access Security; 15.3 Finding Problems Using Code Reviews; 15.4 Understanding the Issues of Using APTCA; 15.5 Decompiling .NET Assemblies; 15.6 Testing Tips; 15.7 Summary; Chapter 16: SQL Injection; 16.1 Exactly What Is SQL Injection?; 16.2 Understanding the Importance of SQL Injection; 16.3 Finding SQL Injection Issues; 16.4 Avoiding Common Mistakes About SQL Injection; 16.5 Understanding Repurposing of SQL Stored Procedures; 16.6 Recognizing Similar Injection Attacks; 16.7 Testing Tips; 16.8 Summary; Chapter 17: Observation and Reverse Engineering; 17.1 Observation Without a Debugger or Disassembler; 17.2 Using a Debugger to Trace Program Execution and Change Its Behavior; 17.3 Using a Decompiler or Disassembler to Reverse Engineer a Program; 17.4 Analyzing Security Updates; 17.5 Testing Tips; 17.6 Legal Considerations; 17.7 Summary; Chapter 18: ActiveX Repurposing Attacks; 18.1 Understanding ActiveX Controls; 18.2 ActiveX Control Testing Walkthrough; 18.3 Testing Tips; 18.4 Summary; Chapter 19: Additional Repurposing Attacks; 19.1 Understanding Document Formats That Request External Data; 19.2 Web Pages Requesting External Data; 19.3 Understanding Repurposing of Window and Thread Messages; 19.4 Summary; Chapter 20: Reporting Security Bugs; 20.1 Reporting the Issue; 20.2 Contacting the Vendor; 20.3 What to Expect After Contacting the Vendor; 20.4 Public Disclosure; 20.5 Addressing Security Bugs in Your Product; 20.6 Summary; Tools of the Trade; General; ActiveX/COM; Canonicalization; Code Analysis; Debugging; Documents and Binaries; Fuzzers; Memory/Runtime; Network; Permissions; SQL; Security Test Cases Cheat Sheet; Network Requests and Responses; Spoofing; Information Disclosures; Buffer Overflows; Format Strings; Cross-Site Scripting and Script Injection; XML; SOAP; Canonicalization Issues; Weak Permissions; Denial of Service; Managed Code; SQL Injection; ActiveX; Tom Gallagher; Bryan Jeffries; Lawrence Landauer. 
520 0 |a "Finding security flaws is now a fundamental development task, yet there has not been adequate documentation of the process used to find security bugs – until now. Before the Internet, computers were deployed in trusted environments and software development and testing practices emphasized functionality over security. As networking technologies emerged, though, times changed and people began to connect their computers together, instead of deploying in silos. However, development and testing practices did not account for attacks that could be mounted over networks." --Microsoft. 
590 |a O'Reilly  |b O'Reilly Online Learning: Academic/Public Library Edition 
650 0 |a Computer security. 
650 0 |a Computer software  |x Testing. 
650 0 |a Computer networks  |x Security measures. 
650 2 |a Computer Security 
650 6 |a Sécurité informatique. 
650 6 |a Réseaux d'ordinateurs  |x Sécurité  |x Mesures. 
650 7 |a Computer security.  |2 blmlsh 
650 7 |a Computer software  |x Testing.  |2 blmlsh 
650 7 |a Computer networks  |x Security measures.  |2 blmlsh 
650 7 |a Computer networks  |x Security measures.  |2 fast  |0 (OCoLC)fst00872341 
650 7 |a Computer security.  |2 fast  |0 (OCoLC)fst00872484 
650 7 |a Computer software  |x Testing.  |2 fast  |0 (OCoLC)fst00872601 
650 7 |a Computersicherheit  |2 gnd 
650 7 |a Softwareentwicklung  |2 gnd 
650 7 |a Testen  |2 gnd 
650 7 |a Engineering & Applied Sciences.  |2 hilcc 
650 7 |a Computer Science.  |2 hilcc 
653 0 |a Computer networks  |a Security measures 
653 0 |a Computer security 
653 0 |a Computer software  |a Testing 
700 1 |a Jeffries, Bryan. 
700 1 |a Landauer, Lawrence. 
776 0 8 |i Print version:  |a Gallagher, Tom.  |t Hunting security bugs.  |d Redmond, Wash. : Microsoft Press, 2006  |z 9780735621879  |w (DLC) 2006927197  |w (OCoLC)71837204 
830 0 |a Secure software development series. 
856 4 0 |u https://learning.oreilly.com/library/view/~/073562187X/?ar  |z Full text (requires prior registration with an institutional e-mail address) 
938 |a Baker & Taylor  |b BKTY  |c 49.99  |d 37.49  |i 073562187X  |n 0006739631  |s active 
938 |a YBP Library Services  |b YANK  |n 11201866 
938 |a Internet Archive  |b INAR  |n huntingsecurityb0000gall 
938 |a Askews and Holts Library Services  |b ASKH  |n AH26904564 
994 |a 92  |b IZTAP