Books about Vulnerability from Amazon.com



Dubai: The Vulnerability of Success

Dubai has a remarkable success story. Since its origins as a small fishing and pearling community, the emirate has steadily grown in strength to become the premier trading center of the Persian Gulf. It is also the locus of an exciting and innovative architectural revolution. Despite its lack of democratization and a genuine civil society, Dubai is now a booming metropolis of more than two million people, most of whom are expatriates benefiting from the city's increasingly diversified economy.

Following a detailed history, Christopher M. Davidson presents an in-depth study of Dubai's post-oil development strategies and their implementation during a period of near-complete political stability. Davidson addresses the probability of future problems as the need for sustained foreign direct investment encourages far-reaching socioeconomic reforms, many of which may affect the ideological, religious, and cultural legitimacy of the traditional monarchy. He also analyzes Dubai's awkward relationship with its federal partners in the United Arab Emirates and highlights some of the pitfalls of being the region's most successful free port: its attractiveness to international criminal fraternities, the economy of the global black market, and terrorist networks.

Price: $24.99


Essential PHP Security
Being highly flexible in building dynamic, database-driven web applications makes the PHP programming language one of the most popular web development tools in use today. It also works beautifully with other open source tools, such as the MySQL database and the Apache web server. However, as more web sites are developed in PHP, they become targets for malicious attackers, and developers need to prepare for the attacks.

Security is an issue that demands attention, given the growing frequency of attacks on web sites. Essential PHP Security explains the most common types of attacks and how to write code that isn't susceptible to them. By examining specific attacks and the techniques used to protect against them, you will have a deeper understanding and appreciation of the safeguards you are about to learn in this book.

In the much-needed (and highly-requested) Essential PHP Security, each chapter covers an aspect of a web application (such as form processing, database programming, session management, and authentication). Chapters describe potential attacks with examples and then explain techniques to help you prevent those attacks.

Topics covered include:

  • Preventing cross-site scripting (XSS) vulnerabilities
  • Protecting against SQL injection attacks
  • Complicating session hijacking attempts

You are in good hands with author Chris Shiflett, an internationally-recognized expert in the field of PHP security. Shiflett is also the founder and President of Brain Bulb, a PHP consultancy that offers a variety of services to clients around the world.

Price: $15.00


Fuzzing: Brute Force Vulnerability Discovery

FUZZING

Master One of Today’s Most Powerful Techniques for Revealing Security Flaws!

Fuzzing has evolved into one of today’s most effective approaches to test software security. To “fuzz,” you attach a program’s inputs to a source of random data, and then systematically identify the failures that arise. Hackers have relied on fuzzing for years: Now, it’s your turn. In this book, renowned fuzzing experts show you how to use fuzzing to reveal weaknesses in your software before someone else does.

Fuzzing is the first and only book to cover fuzzing from start to finish, bringing disciplined best practices to a technique that has traditionally been implemented informally. The authors begin by reviewing how fuzzing works and outlining its crucial advantages over other security testing methods. Next, they introduce state-of-the-art fuzzing techniques for finding vulnerabilities in network protocols, file formats, and web applications; demonstrate the use of automated fuzzing tools; and present several insightful case histories showing fuzzing at work. Coverage includes:

• Why fuzzing simplifies test design and catches flaws other methods miss

• The fuzzing process: from identifying inputs to assessing “exploitability”

• Understanding the requirements for effective fuzzing

• Comparing mutation-based and generation-based fuzzers

• Using and automating environment variable and argument fuzzing

• Mastering in-memory fuzzing techniques

• Constructing custom fuzzing frameworks and tools

• Implementing intelligent fault detection

Attackers are already using fuzzing. You should, too. Whether you’re a developer, security engineer, tester, or QA specialist, this book teaches you how to build secure software.

Foreword xix

Preface xxi

Acknowledgments xxv

About the Author xxvii

PART I BACKGROUND 1

Chapter 1 Vulnerability Discovery Methodologies 3

Chapter 2 What Is Fuzzing? 21

Chapter 3 Fuzzing Methods and Fuzzer Types 33

Chapter 4 Data Representation and Analysis 45

Chapter 5 Requirements for Effective Fuzzing 61

PART II TARGETS AND AUTOMATION 71

Chapter 6 Automation and Data Generation 73

Chapter 7 Environment Variable and Argument Fuzzing 89

Chapter 8 Environment Variable and Argument Fuzzing: Automation 103

Chapter 9 Web Application and Server Fuzzing 113

Chapter 10 Web Application and Server Fuzzing: Automation 137

Chapter 11 File Format Fuzzing 169

Chapter 12 File Format Fuzzing: Automation on UNIX 181

Chapter 13 File Format Fuzzing: Automation on Windows 197

Chapter 14 Network Protocol Fuzzing 223

Chapter 15 Network Protocol Fuzzing: Automation on UNIX 235

Chapter 16 Network Protocol Fuzzing: Automation on Windows 249

Chapter 17 Web Browser Fuzzing 267

Chapter 18 Web Browser Fuzzing: Automation 283

Chapter 19 In-Memory Fuzzing 301

Chapter 20 In-Memory Fuzzing: Automation 315

PART III ADVANCED FUZZING TECHNOLOGIES 349

Chapter 21 Fuzzing Frameworks 351

Chapter 22 Automated Protocol Dissection 419

Chapter 23 Fuzzer Tracking 437

Chapter 24 Intelligent Fault Detection 471

PART IV LOOKING FORWARD 495

Chapter 25 Lessons Learned 497

Chapter 26 Looking Forward 507

Index 519

Price: $26.88


Climate Change 2007 - Impacts, Adaptation and Vulnerability: Working Group II contribution to the Fourth Assessment Report of the IPCC (Climate Change 2007)
The Climate Change 2007 volumes of the Fourth Assessment Report of the Intergovernmental Panel on Climate Change (IPCC) provide the most comprehensive and balanced assessment of climate change available. This IPCC Working Group II volume brings us completely up-to-date on the vulnerability of socio-economic and natural systems to climate change. Written by the world's leading experts, the IPCC volumes will again prove to be invaluable for researchers, students, and policymakers, and will form the standard reference works for policy decisions for government and industry worldwide.
Price: $71.25


The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities

“There are a number of secure programming books on the market, but none that go as deep as this one. The depth and detail exceeds all books that I know about by an order of magnitude

Halvar Flake, CEO and head of research, SABRE Security GmbH

The Definitive Insider’s Guide to Auditing Software Security

This is one of the most detailed, sophisticated, and useful guides to software security auditing ever written. The authors are leading security consultants and researchers who have personally uncovered vulnerabilities in applications ranging from sendmail to Microsoft Exchange, Check Point VPN to Internet Explorer. Drawing on their extraordinary experience, they introduce a start-to-finish methodology for “ripping apart” applications to reveal even the most subtle and well-hidden security flaws.

The Art of Software Security Assessment covers the full spectrum of software vulnerabilities in both UNIX/Linux and Windows environments. It demonstrates how to audit security in applications of all sizes and functions, including network and Web software. Moreover, it teaches using extensive examples of real code drawn from past flaws in many of the industry's highest-profile applications.

Coverage includes

• Code auditing: theory, practice, proven methodologies, and secrets of the trade

• Bridging the gap between secure software design and post-implementation review

• Performing architectural assessment: design review, threat modeling, and operational review

• Identifying vulnerabilities related to memory management, data types, and malformed data

• UNIX/Linux assessment: privileges, files, and processes

• Windows-specific issues, including objects and the filesystem

• Auditing interprocess communication, synchronization, and state

• Evaluating network software: IP stacks, firewalls, and common application protocols

• Auditing Web applications and technologies

This book is an unprecedented resource for everyone who must deliver secure software or assure the safety of existing software: consultants, security specialists, developers, QA staff, testers, and administrators alike.

Contents

ABOUT THE AUTHORS xv

PREFACE xvii

ACKNOWLEDGMENTS xxi

I Introduction to Software Security Assessment

1 SOFTWARE VULNERABILITY FUNDAMENTALS 3

2 DESIGN REVIEW 25

3 OPERATIONAL REVIEW 67

4 APPLICATION REVIEW PROCESS 91

II Software Vulnerabilities

5 MEMORY CORRUPTION 167

6 C LANGUAGE ISSUES 203

7 PROGRAM BUILDING BLOCKS 297

8 STRINGS AND METACHARACTERS 387

9 UNIX I: PRIVILEGES AND FILES 459

10 UNIX II: PROCESSES 559

11 WINDOWS I: OBJECTS AND THE FILE SYSTEM 625

12 WINDOWS II: INTERPROCESS COMMUNICATION 685

13 SYNCHRONIZATION AND STATE 755

III Software Vulnerabilities in Practice

14 NETWORK PROTOCOLS 829

15 FIREWALLS 891

16 NETWORK APPLICATION PROTOCOLS 921

17 WEB APPLICATIONS 1007

18 WEB TECHNOLOGIES 1083

BIBLIOGRAPHY 1125

INDEX 1129

Price: $37.50


The Resilient Enterprise: Overcoming Vulnerability for Competitive Advantage
Gold Award Winner for Business and Economics in the 2005 ForeWord Magazine Book of the Year Awards

What happens when fire strikes the manufacturing plant of the sole supplier for the brake pressure valve used in every Toyota? When a hurricane shuts down production at a Unilever plant? When Dell and Apple chip manufacturers in Taiwan take weeks to recover from an earthquake? When the U.S. Pacific ports are shut down during the Christmas rush? When terrorists strike? In The Resilient Enterprise, Yossi Sheffi shows that companies' fortunes in the face of such business shocks depend more on choices made before the disruption than they do on actions taken in the midst of it--and that resilience benefits firms every day, disaster or no disaster. He shows how companies can build in flexibility throughout their supply chains, based on proven design principles and the right culture--balancing security, redundancy, and short-term profits. And he shows how investments in resilience and flexibility not only reduce risk but create a competitive advantage in the increasingly volatile marketplace.

Sheffi describes the way companies can increase security--reducing the likelihood of a disruption--with layered defenses, the tracking and analysis of “near-misses,” fast detection, and close collaboration with government agencies, trading partners, and even competitors. But the focus of the book is on resilience--the ability to bounce back from disruptions and disasters--by building in redundancy and flexibility. For example, standardization, modular design, and collaborative relationships with suppliers (and other stakeholders) can help create a robust supply chain. And a corporate culture of flexibility--with distributed decision making and communications at all levels--can create a resilient enterprise.

Sheffi provides tools for companies to reduce the vulnerability of the supply chain they live in. And along the way he tells the stories of dozens of enterprises, large and small, including Toyota, Nokia, General Motors, Zara, Land Rover, Chiquita, Aisin Seiki, Southwest Airlines, UPS, Johnson and Johnson, Intel, Amazon.com, the U.S. Navy, and others, from across the globe. Their successes, failures, preparations, and methods provide a rich set of lessons in preparing for and managing disruptions.
Additional material available at www.TheResilientEnterprise.com.
Price: $5.50


The Next Catastrophe: Reducing Our Vulnerabilities to Natural, Industrial, and Terrorist Disasters

Charles Perrow is famous worldwide for his ideas about normal accidents, the notion that multiple and unexpected failures--catastrophes waiting to happen--are built into our society's complex systems. In The Next Catastrophe, he offers crucial insights into how to make us safer, proposing a bold new way of thinking about disaster preparedness.

Perrow argues that rather than laying exclusive emphasis on protecting targets, we should reduce their size to minimize damage and diminish their attractiveness to terrorists. He focuses on three causes of disaster--natural, organizational, and deliberate--and shows that our best hope lies in the deconcentration of high-risk populations, corporate power, and critical infrastructures such as electric energy, computer systems, and the chemical and food industries. Perrow reveals how the threat of catastrophe is on the rise, whether from terrorism, natural disasters, or industrial accidents. Along the way, he gives us the first comprehensive history of FEMA and the Department of Homeland Security and examines why these agencies are so ill equipped to protect us.

The Next Catastrophe is a penetrating reassessment of the very real dangers we face today and what we must do to confront them. Written in a highly accessible style by a renowned systems-behavior expert, this book is essential reading for the twenty-first century. The events of September 11 and Hurricane Katrina--and the devastating human toll they wrought--were only the beginning. When the next big disaster comes, will we be ready?

Price: $18.27


The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler
IDA Pro is a commercial disassembler and debugger that allows reverse engineers to learn how specific programs work. It is the de facto standard for the analysis of hostile code and vulnerability research and the tool that programmers around the world use to pick apart compiled software to see how it works. The IDA Pro Book provides a top-down overview of IDA Pro and its potential uses in the software reverse engineering field. After a thorough introduction to the origins and basic operation of IDA Pro, the book goes into depth on how to use IDA Pro. Author Chris Eagle, a recognized expert in the field, introduces topics in the order in which most users encounter them, so that experienced users can easily jump in at the most appropriate point. Eagle covers a variety of real-world reverse engineering challenges and offers strategies to deal with them, such as disassembly manipulation, graphing, and effective use of cross references. Eagle also shows readers how to extend IDA's capabilities with scripting, plugins, and loader modules.
Price: $37.77


The Female Thing: Dirt, Sex, Envy, Vulnerability
In the female psyche nowadays, “contradictions speckle the landscape, like ingrown hairs after a bad bikini wax.” So writes Laura Kipnis, author of the widely acclaimed polemic Against Love. With “the gleeful viperish wit of Dorothy Parker” (Slate), Kipnis now offers a fresh and provocative assessment of the female condition in the post-post-feminist world of the twenty-first century. For every advance toward sexual equality on the part of women in recent years, she argues, some new impediment just “seems” to appear. Ironically, feminism ran up against an unanticipated opponent: the inner woman.

An ambitious and original reassessment of feminism and women’s ambivalence about it, The Female Thing brims with bracing and funny social observations informed by psychological acuity. For all the upbeat “You go, girl” slogans, women remain caught between feminism and femininity, between self-affirmation and an endless quest for self-improvement, between playing the injured party and claiming independence. Feminism is bedeviled by the same impasses and contradictions it seeks to rectify. But rather than blaming the usual suspects–men, the media–Kipnis takes a hard look at culprits closer to home, namely women themselves and their complicity in upholding male privilege, even as they resent men deeply for it. Which makes relations between the sexes rather thorny at the moment, and Kipnis serves up the gory details of the mutual displeasure between men and women in painfully hilarious detail.

In the tradition of The Feminine Mystique and The Female Eunuch, this is a pathbreaking work. As audacious as it is historically and socially grounded, The Female Thing explores age-old quandaries: the war between the sexes, what women “really” want, and to what extent anatomy is destiny after all.
Price: $3.25


SELinux: NSA's Open Source Security Enhanced Linux
The intensive search for a more secure operating system has often left everyday, production computers far behind their experimental, research cousins. Now SELinux (Security Enhanced Linux) dramatically changes this. This best-known and most respected security-related extension to Linux embodies the key advances of the security field. Better yet, SELinux is available in widespread and popular distributions of the Linux operating system--including for Debian, Fedora, Gentoo, Red Hat Enterprise Linux, and SUSE--all of it free and open source. SELinux emerged from research by the National Security Agency and implements classic strong-security measures such as role-based access controls, mandatory access controls, and fine-grained transitions and privilege escalation following the principle of least privilege. It compensates for the inevitable buffer overflows and other weaknesses in applications by isolating them and preventing flaws in one application from spreading to others. The scenarios that cause the most cyber-damage these days--when someone gets a toe-hold on a computer through a vulnerability in a local networked application, such as a Web server, and parlays that toe-hold into pervasive control over the computer system--are prevented on a properly administered SELinux system. The key, of course, lies in the words "properly administered." A system administrator for SELinux needs a wide range of knowledge, such as the principles behind the system, how to assign different privileges to different groups of users, how to change policies to accommodate new software, and how to log and track what is going on. And this is where SELinux is invaluable. Author Bill McCarty, a security consultant who has briefed numerous government agencies, incorporates his intensive research into SELinux into this small but information-packed book. Topics include:
  • A readable and concrete explanation of SELinux concepts and the SELinux security model
  • Installation instructions for numerous distributions
  • Basic system and user administration
  • A detailed dissection of the SELinux policy language
  • Examples and guidelines for altering and adding policies
With SELinux, a high-security computer is within reach of any system administrator. If you want an effective means of securing your Linux system--and who doesn't?--this book provides the means.
Price: $29.95


Copyright 1996-2007 CHHS, your place for CHHS, Plano, Texas, 10220