Hunting Security Bugs
Publisher: Microsoft Press
Released: June 2006
Pages: 592
Customer Reviews

Review snapshot by PowerReviews for Microsoft Press Hunting Security Bugs: 4.0 (based on 1 review)
Reviews

Reviewed by 1 customer

Rating: 4.0

Great methodology, good advice, broad

By jdruin, from KY (About me: Developer; Verified Reviewer)
Pros

  • Helpful examples
  • Well-written

Cons

Best Uses

  • Expert
  • Intermediate
  • Novice
  • Student

Comments about Microsoft Press Hunting Security Bugs:

Hunting Security Bugs covers the methodology of testing software, large numbers of attacks, and some useful cheatsheets to use during testing.

The first section covers the approach to security testing, models to classify software threats and discusses the common areas that attackers use; namely input.

The coverage of the various types of security bugs is excellent although the coverage on web issues is a little light. The big names in web application defects have entire chapters such as SQL injection and Cross Site Scripting. However, some issues in the OWASP Top Ten and other web issues do not get coverage. Given that XSS and SQL injection are still the top web issues, this is fair but there should probably be a chapter on Cross Site Request Forgery due to its power, and Insecure Direct Object References because of the commonness of unprotected inputs in web pages.

The coverage of buffer overflow and format string attacks is both solid and also offers easy to understand explanations with helpful diagrams.

Two sections that are excellent are on XML and permissions. Many application security testing books mention permission issues but don't provide the amount of information needed or the focus which this book gives. There is a full chapter on XML which is helpful given the amount of XML used to transport data and XML's use in Web 2.0 aka AJAX technology.

The defenses recommended are generally very good. There was an overdone focus on filtering in some cases. For example, in the SQL injection chapter filtering or escaping certain characters was recommended. Using stored procedures should have been given the highest recommendation and placed first on the "to do" list of defenses with dangerous character escaping getting second billing. Dangerous character escaping or filtering is a type of blocklisting which is not a good first defense.

The chapter on Cross Site Scripting correctly points out that HTML encoding is an excellent defense and proceeds to demonstrate how to use this defense but also states that HTML injection will not work when the context is not HTML (for example in JavaScript). While this is certainly true, the book should show how to encode in non-HTML web contexts. Instead of saying HTML encoding won't work in JavaScript, it would be better to simply state that JavaScript encoding should be used in the JavaScript context. Most developers will understand that using the wrong encoding for the context won't work if presented with all encoding choices (HTML Encoding, JavaScript Encoding, Cascading Style Sheet Encoding, HTML Attribute Encoding, HTTP Header Encoding, URL Query String Parameter Encoding).

Overall the book has a great methodology for testing security defects and has the right mind-set for approaching security issues. The book advises to stop trying to test that functionality works when good input is entered and start trying to find tests which show how to misuse the functionality when malicious input is entered.
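
The reviewer's point that each output context needs its own encoder, shown as an added JavaScript example (not code from the book or from the reviewer); the sample value, the script template, the context names and all function names are constructed for this demo:

```javascript
// Added example (not from the book or the review): one encoder per output
// context. SAMPLE and the script template are constructed for this demo.
const HTML_ENTITY = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// HTML body context: entity-encode the five characters that can alter markup.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITY[c]);
}

// Quoted HTML attribute context: encode every non-alphanumeric as &#xHH;.
function htmlAttrEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#x${c.charCodeAt(0).toString(16)};`);
}

// JavaScript string literal context: \xHH / \uHHHH escapes, so the value can
// neither close the literal nor smuggle in "</script>" or a line terminator.
function jsStringEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? `\\x${code.toString(16).padStart(2, "0")}`
                        : `\\u${code.toString(16).padStart(4, "0")}`;
  });
}

// Fail closed: an output context without a registered encoder is an error,
// rather than silently falling back to the HTML encoder.
function encodeForContext(value, context) {
  const encoders = { html: htmlEncode, attr: htmlAttrEncode, js: jsStringEncode };
  if (!Object.prototype.hasOwnProperty.call(encoders, context)) {
    throw new Error(`no encoder for context: ${context}`);
  }
  return encoders[context](value);
}

// Emit the value inside a <script> string literal using the chosen encoder.
function renderScriptVar(value, encoder) {
  return `<script>var user = "${encoder(value)}";</script>`;
}

// Check: the rendered script holds exactly one string literal that evaluates
// back to the original value. new Function only exercises the JS parser on
// our own constructed sample; it is a test oracle, not production code.
function literalRoundTrips(script, original) {
  const m = /^<script>var user = "([\s\S]*)";<\/script>$/.exec(script);
  if (!m || /<\/script/i.test(m[1])) return false;
  try { return new Function(`return "${m[1]}";`)() === original; } catch { return false; }
}

const SAMPLE = `O'Neil "said" </script><b>hi</b>`; // constructed untrusted input
```

Run against SAMPLE, only jsStringEncode yields a script whose literal round-trips; the raw value breaks the element, and the HTML-encoded value survives the parser but carries entities into the script, which is the mismatch the reviewer describes.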
    Buying Options
    Ebook: $39.99
    Formats: DAISY, ePub, Mobi, PDF
    Print & Ebook: $54.99
    Print: $49.99