MAY/JUNE 2005 (Vol. 3, No. 3) p. 5
1540-7993/05/$25.00 © 2005 IEEE

Published by the IEEE Computer Society
Book Reviews: Under the Black Hat
Martin R. Stytz, Institute for Defense Analyses
How to Break Software Security is an excellent book that's useful for both new software security students and experienced practitioners who want to advance their skills by garnering deeper insights into the creative process of software security testing. The unique combination of taxonomy, guidance for creative thinking for cybersecurity, and examples makes this book worth reading. For students and independent learners, the examples, exercises, and introduction to suggested thought processes for software security testing make this book a cornerstone for developing and improving their testing skills.
The book's foundation is the authors' insight that the best way to defend software is to learn how to attack software and think like an attacker. James A. Whittaker and Herbert H. Thompson reinforce this point throughout the book to imbue readers with their vision of the software security tester's ethic and mindset.
The authors have organized the book into three parts. In part one, they introduce the topic of software defense and discuss the major classes of software security attacks. In part two, they describe both common and obscure attacks. The common attacks include overflowing input buffers and trying out default account names and passwords. The obscure attacks include faking the data source and blocking access to libraries that the application uses. Part three, the conclusion, sums up the book's philosophy and the authors' approach to security and security testing.
Part two is the heart of the book. For each type of attack, the authors discuss how to test software resilience and present insights into

    how to conduct and when to apply each attack,

    the faults in software that make each attack successful, and

    how to determine whether a specific security test compromises software security.

They present these discussions with clear examples, including code, screenshots, common errors, and conditions that warrant trying the attack, as well as illustrations that help the reader better understand all of an attack's characteristics. They also provide checklists for some attacks that lay out the steps that you must perform to execute them. The appendices and accompanying CD and URL are worthwhile supplements to the main discussion.
This book would be useful in any course on software application security, software defense, or software security testing as well as in any introductory computer security course; professors at the graduate and undergraduate levels should seriously consider using it. In addition, this book belongs on every software security tester's and computer security practitioner's bookshelf because it provides the necessary background for every aspect of software security practice.
Conclusion
How to Break Software Security is highly useful in that it helps software defense practitioners improve software defenses, organize and conduct defense tests, and better understand and think like software attackers. The authors present a thorough and thoughtful exposition of the process, practice, breadth, and challenges encountered when testing software for security flaws. They succeed in organizing and presenting important information for the software defender. The book is well-written, easy to read, and informative. It contains few, if any, shortcomings and is a solid introduction to both the discipline and the authors' software protection philosophy.
Martin R. Stytz is on the research staff at the Institute for Defense Analyses. He received his PhD from the University of Michigan and conducts research in a variety of security and privacy arenas. Contact him at mstytz@att.net.