Fuzzing For Software Security Testing And Quality Assurance

Description: "Fuzzing for Software Security Testing and Quality Assurance" gives software developers a powerful new tool to build secure, high-quality software, and takes a weapon from the malicious hackers' arsenal. This practical resource helps developers think like a software cracker, so they can find and patch flaws in software before harmful viruses, worms, and Trojans can use these vulnerabilities to rampage systems. Traditional software programmers and testers learn how to make fuzzing a standard practice that integrates seamlessly with all development activities. The book progresses through each phase of software development and points out where testing and auditing can tighten security. It surveys all popular commercial fuzzing tools and explains how to select the right one for a software development project. The book also covers those cases where commercial tools fall short and developers need to build their own custom fuzzing tools.

Contents: Introduction; Software Security; Software Quality; Fuzzing; Book Goals and Layout; Software Vulnerability Analysis; Purpose of Vulnerability Analysis; People Conducting Vulnerability Analysis; Target Software; Basic Bug Categories; Bug Hunting Techniques; Fuzzing; Defenses; Quality Assurance and Testing; Quality Assurance and Security; Measuring Quality, Testing for Quality; Main Categories of Testing; White-Box Testing; Black-Box Testing; Purpose of Black-Box Testing; Testing Metrics; Black-Box Testing Techniques for Security; Summary; Fuzzing Metrics; Threat Analysis and Risk-Based Testing; Transition to Proactive Security; Defect Metrics and Security; Test Automation for Security; Summary; Building and Classifying Fuzzers; Fuzzing Methods; Detailed View of Fuzzer Types; Fuzzer Classification via Interface; Summary; Target Monitoring; What Can Go Wrong and What Does It Look Like; Methods of Monitoring; Advanced Methods; Monitoring Overview; A Test Program; Case Study: PCRE. Summary; Advanced Fuzzing; Automatic Protocol Discovery; Using Code Coverage Information; Symbolic Execution; Evolutionary Fuzzing; Summary; Fuzzer Comparison; Fuzzing Lifecycle; Evaluating Fuzzers; Introducing the Fuzzers; The Targets; The Bugs; Results; A Closer Look at the Results; General Conclusions; Summary.

Author Biography: Ari Takanen is the chief technical officer at Codenomicon, a software fuzzing tool company. A noted speaker and author on software testing and security, he is a graduate of Finland's University of Oulo, where he did research with the university's Secure Programming Group. Jared D. DeMott is a software vulnerability researcher, speaker, teacher, and author. He is a leading expert on fuzzing and fuzzing tools. He earned an M.S. in computer science from Johns Hopkins University and is a Ph.D. candidate at Michigan State University. Charlie Miller is principal analyst at Independent Security Evaluators. Previously, he spent five years at the National Security Agency. He is probably best known as the first to publicly create a remote exploit against the iPhone. Dr. Miller is also a frequent speaker at major computer security conferences. He earned his Ph.D. from the University of Notre Dame.