The Software Vulnerability Guide

  • 5h 10m
  • Herbert Thomas, Scott Chase
  • Cengage Course PTR
  • 2005

In today's market, secure software is a must for consumers. Many developers, however, are not familiar with the techniques needed to produce secure code or detect existing vulnerabilities. The Software Vulnerability Guide helps developers and testers better understand the underlying security flaws in software and provides an easy-to-use reference for security bugs. Most of these bugs (and the viruses, worms, and exploits that derive from them) start out as programmer mistakes. With this guide, professional programmers and testers will learn how to find, fix, and prevent these vulnerabilities before their software reaches the market. Detailed explanations and examples are provided for each of the vulnerabilities, as well as a summary sheet that can be referenced quickly. Tools that make it easier to recognize and prevent vulnerabilities are also explored, and source code snippets, commentary, and techniques are provided in easy-to-read sidebars. This guide is a must-have for today's software developers.


  • Includes coding examples in a variety of languages, including C, C++, Java, VB.NET, scripting languages, and more
  • Features a detailed discussion and examples for each vulnerability, along with a summary sheet that can be referenced quickly and easily
  • Includes tips for uncovering vulnerabilities in a diverse array of systems, including what each vulnerability might look like in code and how the offending code can be fixed
  • Covers vulnerabilities such as dynamic linking and loading, buffer overflows, creating temporary files, forceful browsing, spoofing, and SQL injection

About the Authors

Herbert Thomas is the Director of Security Technology at Security Innovation LLC and serves on the graduate faculty of the Florida Institute of Technology. He is the co-author of How to Break Software Security: Effective Techniques for Security Testing and is a frequent speaker at industry conferences.

Scott Chase is a Security Architect at SI Government Solutions, where he manages key research projects for the US government. He has also worked as a university researcher in information security and as a software tester in industry.

In this Book

  • A Call to Action
  • Security Background
  • Some Useful Tools
  • Problems with Permissions
  • Permitting Default or Weak Passwords
  • Shells, Scripts, and Macros
  • Dynamic Linking and Loading
  • Buffer Overflow Vulnerabilities
  • Proprietary Formats and Protocols
  • Format String Vulnerabilities
  • Integer Overflow Vulnerabilities
  • Storing Passwords in Plain Text
  • Creating Temporary Files
  • Leaving Things in Memory
  • The Swap File and Incomplete Deletes
  • Spoofing and Man-in-the-Middle Attacks
  • Volunteering Too Much Information
  • Cross-Site Scripting
  • Forceful Browsing
  • Parameter Tampering, Cookie Poisoning, and Hidden Field Manipulation
  • SQL Injection Vulnerabilities
  • Additional Browser Security Issues
  • Conclusion