Recently I was sent review copies of three books from No Starch Press and Addison Wesley. This occasionally happens, but I never blog reviews; I'm going to change that...
'A Bug Hunter's Diary'
This book by Tobias Klein was the first book I reviewed. I, like many others in the security community, received a review copy a few weeks back and I just finished it up. I was aware of Tobias' public security advisories and tools long before this book was published, so I was eager to read it from the start. The author takes the reader through a tour of bug hunting from start to finish. This includes detailed source and binary analysis of the bugs he has found, the process for triggering them and finally gaining control of EIP. While gaining EIP is great, in 2011 it's just the first step to reliable code execution, but exploitation is not the focus of the book. He does not provide full exploits due to the laws in his home country (he makes this point several times), which is a shame but understandable. Each chapter focuses on a different application, ranging from media players (VLC) to kernel drivers, and on different operating system platforms including iOS, Solaris, Linux and Windows. This sounds like a ton of information to take in, but the book is actually quite small and readable. As usual, No Starch does a good job of adding side-bar style information and good illustrations to help the reader understand complex technical concepts. There are also three appendices with helpful information for bug hunting, debugging tips and exploit mitigations. I even got a mention in appendix C for a generic RELRO technique I published a number of years ago. I definitely recommend this book for anyone who is just starting out in this field and is interested to know exactly what the process of finding software vulnerabilities is like.
'The CERT Oracle Secure Coding Standard For Java'
I would normally never review a book like this because #1 it's a massive technical reference book and #2 I'm not a huge fan of Java. But I saw Robert Seacord was one of the authors and changed my mind. Nothing against the other authors; their names just weren't known to me. To be honest, I did not read the entire thing; it's a reference book in my opinion and not meant to be read cover to cover. In fact it reads like the cert.org standards websites, and that's because it's the same text. All of the CERT standards are well researched and tested; I recommend them to developers all the time, and this one is no exception. If you are a Java developer then you should definitely have the standards website bookmarked. If you're looking for some light weekend reading then this probably isn't the book for you.
'The Tangled Web'