Exploitation/Bug Hunting/Code review



Open Source Fuzzing Tools
Author: Noam Rathaus, Gadi Evron
Publisher: Syngress
Year: 2007
Pages: 448
Amazon's book description: Open Source Fuzzing Tools is the first book to market that covers the subject of black box testing using fuzzing techniques. Fuzzing has been around for a while, but is making a transition from hacker home-grown tool to commercial-grade quality assurance product. Using fuzzing, developers can find and eliminate buffer overflows and other software vulnerabilities during the development process and before release.




Hacking: The Art of Exploitation
Author: Jon Erickson
Publisher: No Starch Press
Year: 2007
Pages: 504
Amazon's book description: Hacking is the art of creative problem solving, whether that means finding an unconventional solution to a difficult problem or exploiting holes in sloppy programming. Many people call themselves hackers, but few have the strong technical foundation needed to really push the envelope. Rather than merely showing how to run existing exploits, author Jon Erickson explains how arcane hacking techniques actually work. To share the art and science of hacking in a way that is accessible to everyone, Hacking: The Art of Exploitation, 2nd Edition introduces the fundamentals of C programming from a hacker's perspective.




The Shellcoder's Handbook: Discovering and Exploiting Security Holes
Author: Chris Anley, John Heasman, Felix Linder, Gerardo Richarte
Publisher: Wiley
Year: 2007
Pages: 718
Amazon's book description: This much-anticipated revision, written by the ultimate group of top security experts in the world, features 40 percent new content on how to find security holes in any operating system or application. New material addresses the many new exploitation techniques that have been discovered since the first edition, including attacking "unbreakable" software packages such as McAfee's Entercept, Mac OS X, XP, Office 2003, and Vista. Also features the first-ever published information on exploiting Cisco's IOS, with content that has never before been explored. The companion Web site features downloadable code files.




Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research
Author: James Foster
Publisher: Syngress
Year: 2007
Pages: 352
Amazon's book description: This is the first book available for the Metasploit Framework (MSF), which is the attack platform of choice for one of the fastest growing careers in IT security: Penetration Testing. The book and companion Web site will provide professional penetration testers and security researchers with a fully integrated suite of tools for discovering, running, and testing exploit code.




Fuzzing: Brute Force Vulnerability Discovery
Author: Michael Sutton, Adam Greene, Pedram Amini
Publisher: Addison-Wesley Professional
Year: 2007
Pages: 576
Amazon's book description: Fuzzing is the first and only book to cover fuzzing from start to finish, bringing disciplined best practices to a technique that has traditionally been implemented informally. The authors begin by reviewing how fuzzing works and outlining its crucial advantages over other security testing methods. Next, they introduce state-of-the-art fuzzing techniques for finding vulnerabilities in network protocols, file formats, and web applications; demonstrate the use of automated fuzzing tools; and present several insightful case histories showing fuzzing at work.




The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
Author: Mark Dowd, John McDonald, Justin Schuh
Publisher: Addison-Wesley Professional
Year: 2006
Pages: 1200
Amazon's book description: This is one of the most detailed, sophisticated, and useful guides to software security auditing ever written. The authors are leading security consultants and researchers who have personally uncovered vulnerabilities in applications ranging from sendmail to Microsoft Exchange, Check Point VPN to Internet Explorer. Drawing on their extraordinary experience, they introduce a start-to-finish methodology for "ripping apart" applications to reveal even the most subtle and well-hidden security flaws.




Software Security: Building Security In
Author: Gary McGraw
Publisher: Addison-Wesley Professional
Year: 2006
Pages: 448
Amazon's book description: Beginning where the best-selling book Building Secure Software left off, Software Security teaches you how to put software security into practice. The software security best practices, or touchpoints, described in this book have their basis in good software engineering and involve explicitly pondering security throughout the software development lifecycle. This means knowing and understanding common risks (including implementation bugs and architectural flaws), designing for security, and subjecting all software artifacts to thorough, objective risk analyses and testing.




Hunting Security Bugs
Author: Tom Gallagher, Lawrence Landauer, Bryan Jeffries
Publisher: Microsoft Press
Year: 2006
Pages: 592
Amazon's book description: Your in-depth, hands-on, technical security-testing reference. Written for testers by testers, this guide highlights up-to-date tools, technologies, and techniques for helping find and eliminate security vulnerabilities in software.




The Art of Software Security Testing: Identifying Software Security Flaws
Author: Chris Wysopal, Lucas Nelson, Dino Dai Zovi, Elfriede Dustin
Publisher: Addison-Wesley Professional
Year: 2006
Pages: 312
Amazon's book description: Risk-based security testing, the important subject of this book, is one of seven software security touchpoints introduced in my book, Software Security: Building Security In. This book takes the basic idea several steps forward. Written by masters of software exploit, this book describes in very basic terms how security testing differs from standard software testing as practiced by QA groups everywhere. It unifies in one place ideas from Michael Howard, David Litchfield, Greg Hoglund, and me into a concise introductory package. Improve your security testing by reading this book today.




Programming Linux Hacker Tools Uncovered: Exploits, Backdoors, Scanners, Sniffers, Brute-Forcers, Rootkits
Author: Ivan Sklyarov
Publisher: A-List Publishing
Year: 2006
Pages: 300
Amazon's book description: Uncovering the development of the hacking toolset under Linux, this book teaches programmers the methodology behind hacker programming techniques so that they can think like an attacker when developing a defense. Analyses and cutting-edge programming are provided of aspects of each hacking item and its source code, including ping and traceroute utilities, viruses, worms, Trojans, backdoors, exploits (local and remote), scanners (CGI and port), smurf and fraggle attacks, and brute-force attacks. In addition to information on how to exploit buffer overflow errors in the stack, heap and BSS, and how to exploit format-string errors and other less common errors, this guide includes the source code of all the described utilities on the accompanying CD-ROM.




Buffer Overflow Attacks
Author: James C. Foster, Vitaly Osipov, Nish Bhalla
Publisher: Syngress
Year: 2005
Pages: 512
Amazon's book description: Buffer overflows make up one of the largest collections of vulnerabilities in existence, and a large percentage of possible remote exploits are of the overflow variety. Almost all of the most devastating computer attacks to hit the Internet in recent years, including the SQL Slammer, Blaster, and I Love You attacks. If executed properly, an overflow vulnerability will allow an attacker to run arbitrary code on the victim's machine with the equivalent rights of whichever process was overflowed. This is often used to provide a remote shell onto the victim machine, which can be used for further exploitation. A buffer overflow is an unexpected behavior that exists in certain programming languages. This book provides specific, real code examples on exploiting buffer overflow attacks from a hacker's perspective and defending against these attacks for the software developer.




Sockets, Shellcode, Porting, & Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals
Author: James C. Foster, Stuart McClure
Publisher: Syngress
Year: 2005
Pages: 696
Amazon's book description: The book is logically divided into 5 main categories, with each category representing a major skill set required by most security professionals:
1. Coding: The ability to program and script is quickly becoming a mainstream requirement for just about everyone in the security industry. This section covers the basics in coding, complemented with a slew of programming tips and tricks in C/C++, Java, Perl and NASL.
2. Sockets: The technology that allows programs and scripts to communicate over a network is sockets. Even though the theory remains the same (communication over TCP and UDP), sockets are implemented differently in nearly every language.
3. Shellcode: Shellcode, commonly defined as bytecode converted from Assembly, is utilized to execute commands on remote systems via direct memory access.
4. Porting: Due to the differences between operating platforms and language implementations on those platforms, it is a common practice to modify an original body of code to work on different platforms. This technique is known as porting and is incredibly useful in real-world environments, since it allows you to not recreate the wheel.
5. Coding Tools: The culmination of the previous four sections, coding tools brings all of the techniques that you have learned to the forefront. With the background technologies and techniques you will now be able to code quick utilities that will not only make you more productive, they will arm you with an extremely valuable skill that will remain with you as long as you make the proper time and effort dedications.




Shellcoder's Programming Uncovered
Author: Kris Kaspersky
Publisher: A-List Publishing
Year: 2005
Pages: 500
Amazon's book description: How hackers, viruses, and worms attack computers from the Internet and exploit security holes in software is explained in this outline of antivirus software, patches, and firewalls that try in vain to withstand the storm of attacks. Some software's effectiveness exists only in the imaginations of its developers because they prove unable to prevent the propagation of worms, but this guide examines where security holes come from, how to discover them, how to protect systems (both Windows and Unix), and how to do away with security holes altogether. Unpublished advanced exploits and techniques in both C and Assembly languages are included.




19 Deadly Sins of Software Security
Author: Michael Howard, David LeBlanc, John Viega
Publisher: McGraw-Hill Osborne Media
Year: 2005
Pages: 304
Amazon's book description: "Ninety-five percent of software bugs are caused by the same 19 programming flaws." -Amit Yoran, Former Director of The Department of Homeland Security's National Cyber Security Division. Secure your software by eliminating code vulnerabilities from the start. This essential book for all software developers--regardless of platform, language, and type of application--outlines the 19 sins of software security and shows how to fix each one. Best-selling authors Michael Howard and David LeBlanc, who teach Microsoft employees how to write secure code, have partnered with John Viega, the man who uncovered the 19 deadly programming sins, to write this hands-on guide. Detailed code examples throughout show the code defects as well as the fixes and defenses. If you write code, you need this book.




Writing Security Tools and Exploits
Author: James C. Foster
Publisher: Syngress
Year: 2005
Pages: 664
Amazon's book description: Writing Security Tools and Exploits will be the foremost authority on vulnerability and security code and will serve as the premier educational reference for security professionals and software developers. The book will have over 600 pages of dedicated exploit, vulnerability, and tool code with corresponding instruction. Unlike other security and programming books that dedicate hundreds of pages to architecture and theory based flaws and exploits, this book will dive right into deep code analysis. Previously undisclosed security research in combination with superior programming techniques will be included in both the Local and Remote Code sections of the book.




The Software Vulnerability Guide
Author: Herbert H Thompson, Scott G Chase
Publisher: Charles River Media
Year: 2005
Amazon's book description: In today's market, secure software is a must for consumers. Many developers, however, are not familiar with the techniques needed to produce secure code or detect existing vulnerabilities. The Software Vulnerability Guide helps developers and testers better understand the underlying security flaws in software and provides an easy-to-use reference for security bugs. Most of these bugs (and the viruses, worms, and exploits that derive from them) start out as programmer mistakes. With this guide, professional programmers and testers will learn how to find, fix, and prevent these vulnerabilities before their software reaches the market. Detailed explanations and examples are provided for each of the vulnerabilities, as well as a summary sheet that can be referenced quickly. Tools that make it easier to recognize and prevent vulnerabilities are also explored, and source code snippets, commentary, and techniques are provided in easy-to-read sidebars. This guide is a must-have for today's software developers.




The Database Hacker's Handbook: Defending Database Servers
Author: David Litchfield, Chris Anley, John Heasman, Bill Grindlay
Publisher: Wiley
Year: 2005
Pages: 500
Amazon's book description: Databases are the nerve center of our economy. Every piece of your personal information is stored there: medical records, bank accounts, employment history, pensions, car registrations, even your children's grades and what groceries you buy. Database attacks are potentially crippling, and relentless. In this essential follow-up to The Shellcoder's Handbook, four of the world's top security experts teach you to break into and defend the seven most popular database servers. You'll learn how to identify vulnerabilities, how attacks are carried out, and how to stop the carnage. The bad guys already know all this. You need to know it too.




Exploiting Software: How to Break Code
Author: Greg Hoglund, Gary McGraw
Publisher: Addison-Wesley
Year: 2004
Pages: 512
Amazon's book description: Exploiting Software highlights the most critical part of the software quality problem. As it turns out, software quality problems are a major contributing factor to computer security problems. Increasingly, companies large and small depend on software to run their businesses every day. The current approach to software quality and security taken by software companies, system integrators, and internal development organizations is like driving a car on a rainy day with worn-out tires and no air bags. In both cases, the odds are that something bad is going to happen, and there is no protection for the occupant/owner. This book will help the reader understand how to make software quality part of the design, a key change from where we are today!




Code Hacking: A Developer's Guide To Network Security
Author: Richard Conway, Julian Cordingley
Publisher: Charles River Media
Year: 2004
Pages: 450
Amazon's book description: Developer's Guide to Network Security provides a hands-on approach to learning the vital security skills. It details the software and techniques hackers use and provides practical insights on what's really important in understanding hacking issues. The book cuts through the cursory issues and quickly delves into the essentials at a code and implementation level. It teaches users how to write and use scanners, sniffers, exploits, and more. It also helps developers write network security test harnesses for application and infrastructure. In addition, it covers how to create passive defense strategies to collect data on hackers, as well as how to use active defense strategies through techniques such as penetration testing. Unlike other books on hacking, Code Hacking takes a unique approach that covers hacking issues using a variety of languages. Software explanations and code samples are provided in C#, C++, Java, and Perl, allowing developers to learn from a variety of perspectives. The companion CD-ROM contains a custom security scanner written in C#. This scanner is a combination of a port and vulnerability scanner that scans IP addresses, allows certain services to be "brute forced," and exploits well-known vulnerabilities.