Paco Hope My Random Musings and Rants

23 Apr 2009

Book Review: Fuzzing for Software Security Testing and Quality Assurance

I recently read Ari Takanen's Fuzzing for Software Security Testing and Quality Assurance. This is a valuable book on fuzz testing, and timely.

Good Things

  • He really puts fuzzing in context. Fuzz testing has been around for a long time, and this book gives you the full historical perspective, as well as a modern view.
  • Fuzz testing is important. When Gary McGraw and company did their Building Security In Maturity Model, one of the activities that virtually everyone did was fuzz testing. Clearly we need books like this to get everyone onboard.
  • Although Ari is CTO of Codenomicon, a commercial fuzz testing tool vendor, the book is not a pitch for his tool. He actually gives lots and lots of information on a broad variety of tools, including free tools. It's a complete and honest vision that is not overly promoting his company's product.
  • I learned a lot of fundamentals that make a difference to how I fuzz test things. For example, I now understand mutational versus generational fuzzers. They each have benefits and you probably want some of both for good coverage.
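To make the mutational-versus-generational distinction concrete, here is an added example (my own illustration, not code from the book or from Codenomicon). It assumes a constructed toy type-length-value format and a constructed parser whose branch labels stand in for real coverage; a mutational generator derives cases by single edits to one valid seed, a generational one builds cases from the format description, and the two reach different branches.

```python
"""Mutational vs. generational case generation against a constructed TLV parser."""

# Constructed seed: type 0x01 (text), length 3, payload "abc".
SEED = bytes([0x01, 0x03]) + b"abc"


def parse_tlv(msg: bytes) -> str:
    """Constructed parser; returns the label of the branch it finishes on."""
    if len(msg) < 2:
        return "too_short"
    kind, length, payload = msg[0], msg[1], msg[2:]
    if kind not in (0x01, 0x02):
        return "bad_type"
    if len(payload) != length:
        return "length_mismatch"
    if kind == 0x02 and length == 0:
        return "empty_string"
    if kind == 0x01 and any(b >= 0x80 for b in payload):
        return "non_ascii"
    return "ok"


def mutate(seed: bytes) -> list:
    """Mutational: every single-bit flip, every single-byte drop, one append.
    Knows nothing about the format, so it finds what the seed is near."""
    cases = []
    for i in range(len(seed)):
        for bit in range(8):
            buf = bytearray(seed)
            buf[i] ^= 1 << bit
            cases.append(bytes(buf))
        cases.append(seed[:i] + seed[i + 1:])
    cases.append(seed + b"\x00")
    return cases


def generate() -> list:
    """Generational: build messages from the format spec, walking the
    boundaries (unknown types, zero/max length, length off by one)."""
    cases = []
    for kind in (0x00, 0x01, 0x02, 0xFF):
        for length in (0, 1, 255):
            for actual in (length, length + 1, max(length - 1, 0)):
                cases.append(bytes([kind, length]) + b"A" * actual)
    return cases


def coverage(cases) -> set:
    """Set of parser branches reached by a batch of cases."""
    return {parse_tlv(c) for c in cases}


if __name__ == "__main__":
    mut, gen = coverage(mutate(SEED)), coverage(generate())
    print("mutational :", sorted(mut))
    print("generational:", sorted(gen))
    print("combined    :", sorted(mut | gen))
```

The mutational batch reaches the non-ASCII branch (a bit flip in the seed payload) that the spec-driven generator never tries, while the generator reaches the empty-string branch that no single edit of the seed can produce; the combined set is what you want.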

The Not-So-Good

  • I think he spends too much time talking about motherhood and apple pie security things. Things like security testing, risk analysis, code analysis, etc. There have been ample trees killed on these topics and I don't think the treatment in this book really adds to that body of knowledge. I would have been happier with just some references to the rest of the world.
  • The comparisons of commercial and free tools are intermixed with all this extra security discussion. So sometimes you have to read about security metrics or some other broad topic in order to find a specific example of a specific tool.
  • The authors' perspective is too much fuzzing über alles. They downplay the value of techniques like static code analysis and architecture risk analysis. Those techniques are complementary, not counter, to fuzz testing.

I like the book a lot and am glad I have it. I recommend it.

Comments (1)
  1. Thanks Paco! I added a link to the review on the book web site: http://www.fuzz-test.com/

    Some comments on the “Not-So-Good”:

    Motherhood and apple pie things were included so that the book can be used as a course book. For some unlucky (or reluctant to learn) people, just giving links will not help much.

    Product comparisons were actually originally intended to be scattered around, to teach some other aspect in relation to fuzzing, rather than just focus too much on data that will be outdated fast. One chapter was still dedicated to just plain product comparison (thanks to Charlie Miller). Do not take that chapter as a fact though, as most open source and commercial tools develop rather fast, whereas others have been already abandoned for some reason. Things really develop fast in this market. For example, Codenomicon tools used in the comparison were already previous generation when the book came out.

    Fuzzing is “über alles”! At least for the intended audience. The guys who do have access to source code (which does not usually include security auditors and testers) definitely need to look at static analysis also. That was out of the scope for this book.

    In short, in everything we did in the book, the purpose was that the book is equally valid five or ten years from now.
