Volume 9 Number 4 • 4th Quarter 2008 Book Review

Software Testing - An ISEB Foundation

Authors: Brian Hambling (Editor), Peter Morgan, Angelina Samaroo, Geoff Thompson, Peter Williams
Paperback:  208 pages
Publisher:  CAPDM
ISBN:  1-902505-79-4

I thought that the content of the book would be a replica of what is in the ISEB Foundation course. After reading this well-written book, I was pleasantly surprised to find the same concepts with a different spin.  The book maintains your interest at all times and the examples help you to relate the theory to practical examples.  The pages of this book are detailed in their explanation of the concepts being covered. The topics covered range from the General Testing Principles to the Fundamental Test Process to Test Design Techniques which cover Equivalence Class Partition, Boundary Value Analysis, Decision Table Testing and State Transition Testing, to mention a few.

This book isn’t aimed at novices, but rather at testers who have been in the industry for a while and have gained experience in testing. This book can be used to supplement the Foundation course material or to aid the reader in passing the Foundation course without attending the actual course. In either of these choices the Syllabus must be carefully consulted.

Along with each chapter, beginning with self-assessment questions to allow the readers to check their understanding levels, there are questions throughout the book that will help you ‘check your understanding’ and the chapters come to an end with example examination questions (answers are listed). The knowledge checkpoints aid in the measurement of confidence a reader will have toward the material and then gauge how much study time they should dedicate toward the content for the Final examination.

This book is one of the more interesting and informational books that I have read in a while and well worth the read.

Alex Gonçalves

Security in Computing

Fourth Edition
Authors:  Charles P. Pfleeger, Shari Lawrence Pfleeger
Publishers:  Prentice Hall (C) 2007
Hardcover:  845 pages
ISBN13:  9780132390774

This book starts off with answers to questions like “What is the meaning of security?” and illustrations of types of attacks. The distinction is made between hackers and crackers, which I appreciate, because I think it is a shame that old-school hackers like Stallman cannot be called hackers anymore due to the misuse of the word. The book profiles different types of attackers and explains the motives behind attacks from amateurs, crackers, career criminals and terrorists.

An overview of encryption is given. Chapter 2 is dedicated to Elementary Cryptography. There are some fresh topics like Designing Trusted Operating Systems and Database and Data Mining Security. The book ends off with Chapter 12: Cryptography Explained.

Chapter 11 concerns itself with legal and ethical issues. There is an interesting sidebar about Napster in a section about copyright law. Something of particular interest to software testers is another section in the chapter that discusses Redress for Software Failures. Privacy is also tackled.

It’s a hard-hitting technical book, which assumes that the reader has good knowledge of mathematics and an understanding of general computing concepts like web servers. I recommend it for technical managers who want to broaden their understanding of security.

Walter Kruse

This book was provided for review purposes by Pearson Education.  For further details on this book please contact:

Pearson Education
Tel: +27 11 347 0700
Fax: +27 11 315 24 25

The Art of Software Security Assessment

Authors: Mark Dowd, John McDonald, Justin Schuh
Publisher:  Addison-Wesley (C) 2007
Paperback:  1174 pages
ISBN13:  9780321444424

This is an in-depth manual for manual code audits. In the intro, the authors assert that code auditing for application security is a deeply technical skill and that there are not many people with the knowledge to do this work – hence the decision to write the book. It contains real-world examples of defective code that allow for buffer and stack overflow exceptions.

The book is divided into three parts: Introduction to Software Security Assessment, Software Vulnerabilities and Software Vulnerabilities in Practice. The authors recommend that readers are proficient in at least one programming language, preferably a low-level language like C.

Chapter 1 reaffirms the fundamentals for someone who is somewhat familiar with code security audit. For the rest of us it is a fast-paced run through some of the concepts of information security. Interesting topics like salt values, rainbow tables and Bait-and-switch attacks are briefly explained.

Chapters 3 and 4 discuss operational review and the application review process. There are Unix and Windows specific chapters. In the Unix chapters, elements such as process vulnerabilities and file and directory privileges are examined. In the Windows chapters, attention is given to objects and DLL loading. There is a chapter on memory corruption, which discusses the buffer and stack in detail. There is a very interesting chapter on synchronisation and a chapter on strings and metacharacters.

This is definitely not a book for the faint-hearted, nor is it for the non-technical. It is bumper-filled with practical, usable information for application security analysts of varying levels of experience.

Walter Kruse

Walter Kruse is a testing consultant at IndigoCube. Comments, remarks, opinions, and critique in this piece are expressly the view of the author of the piece, and do not necessarily reflect those of the editorial board of Test Focus, its staff or its publishers. The author can be reached at info@testfocus.co.za for comments, suggestions or criticism.

This book was provided for review purposes by Pearson Education.  For further details on this book please contact:

Pearson Education
Tel: +27 11 347 0700
Fax: +27 11 315 24 25