I don’t generally do book reviews (maybe I’ll start if I have to do this much traveling in the future - since it will give me lots of time to read). In this case, the book was really on topic, if a tad out of date. Andres Andreu wrote a book in the 2005-2006 timeframe called “Professional Pen Testing for Web Applications” (I think he could have sold another 10k copies if he had spelled out “Penetration” instead of “Pen” but that’s neither here nor there). The book is actually a really good and quick read as there are lots of pictures and examples to drive the text along.
Normally I find it tedious to get through penetration testing style books, because the authors generally only talk about one or two tools (generally nmap and insert one or two other tools here) and stick with them for the entire book. Andres does a really nice job of talking about dozens of different tools and how they are useful from a web application security perspective. One section that I found a tad cheesy though was the ethics of what you can and can’t do during an audit. I don’t know why, but I’ve always found that stuff to be obvious. For instance, while it does say extortion is not okay (I hope that’s also obvious to everyone reading this), it fails to mention bribery, rubber hose cryptanalysis, intimidation, kidnapping, murder, or a host of other things that actually do work and that three letter agencies worldwide have employed. So don’t go looking at that chart as saying “Andres didn’t say I couldn’t.” The chart made me and id laugh. If anyone wants to sign up for that kind of audit, just let us know. We’ve got the blowtorch and the pliers standing by. The ethics section of the book was short, and it got better quickly thereafter.
Anyway, sure, some parts of the book are out of date, as you’d expect with a book written 1-2 years ago, but a lot of the book is timeless. The general tactics put in place, how the different threat modeling works, and how you document what you find is all good information. I’ve had my own way of doing things for years, but it’s always nice to hear someone else’s perspective. The best part of the book for me, was that since it was slightly out of date, I got to hear a lot more about technologies we tend to forget about since they aren’t used that much any longer. There weren’t many blogs detailing this stuff back then to read, so this is a bit of a blast from the past. Granted, he doesn’t talk at all about a lot of the more modern stuff since it didn’t exist yet, but I found it a really interesting refresher course in the way things used to be, and the way we should probably continue to think about legacy systems.
The cons are that he hardly discusses manual assessment using things like telnet at all, focusing more on the existing tools; at least half a chapter, when you add it all up, is spent on buffer overflows without going into enough detail to actually show a working example in the wild; he talks quite a bit about SSL security (which really isn’t much of a problem most of the time); and it assumes that you already know how to develop programs, run programs and have access to *Nix environments. That’s true in my case, and on the cover it even says “Programmer to Programmer.” Still, it’s definitely not meant for a beginner with access only to Windows and no idea what Cygwin is. Overall, it was probably a four out of five star type book when it came out, but because it’s a little out of date it’s probably more like three stars now. Still, it makes a nice addition to the bookshelf, and it got my brain thinking.