How to Break Web Software
by Mike Andrews and James A. Whittaker

Addison-Wesley 2006.
ISBN 0-321-36944-0. Price: $34.99. 219 pages, Index, CDROM

Reviewed by Bob Bruen, May 17, 2006

How to Break Web Software is aimed at software testers, in this case testers of web software.

Most other secure-software books are written for software producers. Testers can pick up this one to learn how the underlying web components work and how to go about breaking them systematically. Naturally, learning the techniques of breaking software helps when it is time to test your own. The book is written for a beginner in a clear and detailed manner. It is shorter than most security books, but it is an excellent starting point. Each chapter explains an attack step by step, along with how to defend against it. The attacks range from simple ones, such as fingerprinting a web server, to injection attacks. The tools on the CD are mainly Windows based, but there are certainly enough *nix tools, and Cygwin is included for those who only have access to Windows. We cannot lose by having more people aware of how to do a better job on the Web.

The software written for our digital universe is one of the weakest links, providing crackers with entry points. The problem is insidious because software is the foundation for just about everything else, so any problem inherent in the software propagates up to the user level. While several excellent books on how to design and write secure software have appeared in the past few years, the industry still manages to produce software without much consideration for security.

As we can all see from the amount of COBOL code still running, software tends to stay around for a really long time. Moreover, software production shows no sign of slowing down; in fact, more is produced each day than the day before. This should not surprise anyone. Just as with television, the hardware falls within a narrow range of size, quality, price, etc., while the programs shown on television are where the money and the creativity are. The hardware is required as the display medium, but the real work is in program production. Computer hardware gets faster, and sometimes cheaper, but software is where the real work is done. And like television programs, which are mostly junk, software has a lot of junk.

If software architects and programmers were security aware, problems would diminish. As it is, the task falls to the testers and quality assurance folks to demonstrate that the software is broken. This book is for them. The Web was around for about five years before Mosaic and Netscape appeared. The browser made the Web accessible to business and average users, so it all caught fire, resulting in the dot-com bubble and its burst. The ride up was fast and furious, with impossible deadlines to get code into production. This approach gave us lots of junk software and a lot of bad habits, worse than in other kinds of software. The problems are compounded because the Web is used by so many people. It is time for web software producers to take more care in what they do.

My complaint is broad and generalized; to be fair, however, there are many excellent examples of security-aware code, such as Apache. Again, as with TV, excellent programs exist within the wasteland.