here is the release note
when asked to come up with a quote for the new release...
"if that new drag and drop meterpreter file browser in the GUI doesnt make you hot for your INFOSEC job, nothing will."
Book Review For:
The Craft of System Security
by Sean Smith, John Marchesini
Useful for the Novice and Professional
The preface of the book says that the book grew from a college course to solve this problem: “to provide the right security education to students who may only ever take one security course and then move on toward a wide range of professional careers.” Its nice when the authors put the goal of the book at the front, it makes reading it in the proper context much easier and reviewing the book (usually) much easier.
I think the authors met their goal of a book to give to people who may only read one security book in a college course and have it be readable and useful. It is written in an understandable manner and provides enough pictures and explanations for someone new to the subject who “has to take the class” and enough math and further reading for someone that wants to really delve into a subject to do so. Important words are in italics so if you wanted to or needed to look up the definitions to really understand the section you could, but there is enough information in the paragraphs to get by.
The book also has the added plus of being useful to someone studying for their CISSP (if they actually want to know the subjects). It explains topics that, in my opinion, are not explained very well in the study guides. Their discussion of the orange book was superb and I wish I had this book when I was trying to make sense of it when I was studying. The chapters on cryptography go beyond the typical Alice and Bob stuff you get in most books (Alice and Bob are still there) but they also get into examples of breaking cryptography and explaining how the attacks work and usually backing it up with the math involved. I really could say something good about every chapter in the book. Each chapter is laid out with a solid, consistent road map, is full of quality readable content, and wraps it up with a “take home” message at the end.
The Table of Contents doesn't seem to be available on Amazon but if you are interested in the book, I'd recommend you take a look at it over at the InformIT site. It covers a lot of ground in its five parts of History, Security and the Modern Computing Landscape, Building Blocks for Secure Systems, Applications, and Emerging Tools. The book also comes with a huge list of references and a pretty good index for looking up topics.
I usually have my list of likes and dislikes for books. For this book I don't have any dislikes. The book is readable, well edited, a good font size, and I learned things from it. I've been actively recommending it to people at work, especially the guys working on their CISSP.
This is a good “short” version of "The Art of Software Security Assessment" by Dowd. For a security book its short, at 250 pages. The book contains useful information but not enough to be an expert at anything. This is definitely one of those mile wide, inch deep books and not a one stop shop as it says in the preface. It covers topics in enough detail to have heard of the issue and some of the chapters give you some links to further information but you wont come away with enough knowledge to actually do many of the attacks talked about.
It does hit the major attack vectors; Ch6 Generic Network Fault Injection, Ch7 Web Applications: Session Attacks, Ch8 Web Applications: Common Issues, Ch9 Web Proxies: Using WebScarab, Ch10 Implementing a Custom Fuzz Utility, and Ch11 Local Fault Injection. So thats a plus. The first part of the book on Secure Software Development Lifecycle was good, but again, not really enough information to be the only book you need on the subject. The third part of the book on analysis, Ch12 Determining Exploitability, was really not useful to me its way too short and tries to cram exploit development into 25 pages which just isn't possible. It shows you some diagrams of the stack and heap then some winDbg screen shots of nameless programs crashing and overwriting EIP (stack) and EAX (heap) and a null dereference. Fairly anti-climatic and doesn't dispel the “magic” of writing exploits.
Things I liked; the WebScarab chapter (Ch9) was good, that can be a tough tool to get up and running with all of its options. The Web Application chapters (Ch 7 & Ch8) are pretty good overviews. Part 1 of the book on the SSDL, overview of how vulnerabilities get into code, and risk-based security testing was useful to me and serves as a good into to the Dowd book.
Things I didn't like; Chapter 12 on Determining Exploitability was too short and not enough information, no code for the custom web application they use for examples for SQL Injection. I'm very much a “have to do it” guy and not having the code was a disappointment and lastly the book's website seems to have never been updated after first standing it up.
I'd recommend the book to people who need to get an idea of security flaws, how they get into code and some visual examples of those flaws. But only if they needed either a high level overview or they need an initiation to the topic. For people who need a deep knowledge I'd refer them to the Dowd book.