The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities

The Art of Software Security Assessment is the definitive guide to finding software vulnerabilities by reading source code. Vulnerability research is not my area of expertise, so here’s what actual software security experts have to say about the book:

The same way you can say “TAOCP” on a programming site and everyone knows you mean “Knuth”, say “TOASSA” to a security person and they know this book. This is the McGee, the Cormen/Rivest, the “Theory Of Poker” for our industry: how to find vulnerabilities by reading software.

Thomas Ptacek

This is the Security Bug Bible. Written by some of the best bug hunters in the business, this book describes software vulnerability classes in a number of programming languages and how to find them via manual source code analysis.

Dino Dai Zovi

There are a number of secure programming books on the market, but none that go as deep as this one. The depth and detail exceeds all books that I know about by an order of magnitude.

Halvar Flake

This book is primarily aimed at security professionals, but most of if will be useful to any developer who wants to better understand the process of finding software vulnerabilities. The meat of the book is the catalog of software vulnerabilities where each class of bugs is explored in incredible depth. You will learn everything there is to know about memory corruption, C language issues, Unix privileges and files, Windows objects, network protocols, and much, much more. The memory corruption chapter is especially impressive and it alone is worth the price of the book. The C programming language chapter will shatter your dreams that it’s possible to write correct C code; as it turns out, even simple arithmetic can be a dangerous minefield full of exploitable bugs.

Even if you don’t care about security, you can learn a lot from this book. For example, Unix chapters explain privileges, files, and processes better than any other dedicated book. It’s as close to a perfect technical book as possible: even though it’s 1200 pages long, you can’t find a single filler sentence in it. If you work in software security, this book is a must-read (but you probably knew that already).

Hitler: A Biography

Hitler: A Biography is an abridged version of Ian Kershaw’s previous two-volume biography of Hitler (even though it’s hard to call abridged a book that’s over 1000 pages long). Hitler: 1889-1936 Hubris and Hitler: 1936-1945 Nemesis were already the definitive reference books, but Kershaw decided to condense the two volumes into one (despite his initial reluctance) and make his magnum opus much more approachable to the general public. The result is the best single volume biography of the Nazi dictator.

Never before in history has such destruction been caused by a single person. It’s possible that the World War II could have happened even without Hitler, but such amount of evil and inhumanity would have been unimaginable without him. History of Hitler is the history of the worst political miscalculations ever; this book shows how the unique set of circumstances has shaped the world history, and how Hitler’s rise to power was all but inevitable. Kershaw does a great job debunking common myths and misconceptions about Hitler, particularly the ones regarding the evolution of Hitler’s ideology and his early role in the Nazi party. It’s difficult to write a biography of a person whose personal life was almost nonexistent, but this book still manages to reveal surprising amount of detail, especially about the Hitler’s downfall, the last few months of his life in the bunker, and his descent into complete paranoia and delusion.

If you are interested in knowing more about Hitler (or the Third Reich in general), Ian Kershaw’s books are the answer; the only question you should ask yourself is which of the two versions you want to read.

Ordinary Men: Reserve Police Battalion 101 and the Final Solution in Poland

Millions of people were killed during the Holocaust. Nazi leaders like Hitler, Himmler, Heydrich and Globocnik orchestrated the killings, but who were the actual perpetrators? Were they all fanatical Nazis, fueled by the hatred towards the Jews, or were they ordinary people who were just obeying the orders? German Order Police played important role in the Final Solution; they were initially in charge of policing the occupied territories in the East, but after the Operation Barbarossa they became increasingly involved in the mass shootings of Polish Jews. Ordinary Men is the story of one such unit: Reserve Police Battalion 101.

Reserve Police Battalion 101 was the unit of around 500 men, directly involved in killing of at least 38000 Jews, but also responsible for deportations of even more Jews to the death camps. During the first few years of war, they were mostly assigned to the guard duty in Poland, until one morning in July 1942 the orders came that 1500 Jews from the Józefów ghetto are to be killed. Only 12 of the men decided not to participate; the rest of them complied. This was the first of many mass shootings; it had an enormous emotional impact on the killers initially, but they adjusted to their new role soon after.

Christopher Browning explains how the group of ordinary men could turn into hardened killers. Browning had a gold mine of information in the form of testimonials of surviving members of the battalion during the trials for their crimes in Hamburg several decades after the war. Most people think that making moral decisions in the wartime would be easy for them, but this book shows that it’s not so black and white. That doesn’t mean that murderers are to be excused or forgiven, just that it’s possible to understand their behavior. This book is one of the most terrifying books I’ve ever read. It’s also one of the best.

Ordinary Injustice: How America Holds Court

Here we have yet another “ordinary” book, in which Amy Bach reveals the systemic problems in the US courtrooms. The book shows that the main problem is not the spectacular failures that we see everyday in the news and treat them as exceptions, but rather infinite number of mundane cases where people are hoarded like cattle through the meat grinder that is US criminal justice system.

No player in the system is innocent. People charged with minor crimes are being sent to jail, whether they are guilty or not, only because they cannot afford excessive bails imposed by judges. Defendants are forced to accept guilty pleas without a lawyer being present. Overworked and underpaid public defenders sometimes have only a few minutes to talk to the clients and decide whether to accept prosecutor’s offer or risk going to trial, and all of that without having the facts of the case that prosecutor is refusing to disclose. Prosecutors don’t seek justice, but easy victories. They also sometimes zealously prosecute people, turning a blind eye to the irrefutable evidence that the accused is actually innocent. Each of these problems is not the exception, but the norm.

There are no easy solutions that could fix the system. Indigent defense needs funding, but it’s never a priority. Prosecutors have to be held accountable for their actions, but they enjoy absolute immunity. For starters, people have to see the criminal justice system for what it really is—this book is a much needed eye-opener.

Concurrency in Go: Tools and Techniques for Developers

Concurrency in Go is the latest addition to the collection of Go books. I love reading good concurrency books, and I also really like Go, so I was naturally excited about it. Few weeks before the release, out of the blue, O’Reilly announced that they are pulling the plug on their DRM-free ebook store. That was quite a shock, and I assumed I would probably never again read a book published by O’Reilly. But then I discovered that all O’Reilly books are available DRM-free on—life as we know it could continue, after all.

Unlike other programming languages I’ve been working with, official Go documentation offers more than enough material for learning the language. A Tour of Go, Effective Go, and The Go Blog cover almost everything you need to know. However, simplicity of the language is a double-edged sword-Go offers you really great low-level primitives, but that means you often have to reinvent high-level constructs. And that was something I expected from this book: collection of patterns for writing reliable concurrent software in Go.

First half of the book introduces the concept of concurrency, and the basic primitives of the Go programming language: goroutines, channels, and synchronization types from the sync package. If you are familiar with Go (and you probably are if you are reading this book), you will not learn anything new here. Second half is much more interesting, because it delivers exactly what I was hoping for: a collection of patterns, and how to use them when writing software at scale. There is a lot of good stuff in here: cancellation, timeouts, error handling and propagation, rate limiting, supervisors, etc. Katherine didn’t try to reinvent the wheel, so you will learn to use context for cancellation, x/time/rate for rate limiting, and for wrapping errors; that is a huge plus for her in my book.

The books falls just a little bit short of being the definitive concurrency reference. Most notable is the absence of chapter on the Go memory model—I think that’s something every concurrency book has to discuss. Fortunately, it’s really simple in the case of Go: just read about it here. Also, the chapter about the Go runtime is good, but not nearly as good as the two fantastic talks by Kavya Joshi: “go test -race” Under the Hood and Understanding Channels.

Pro Git

Unlike the other version control systems, you have to understand Git’s internals in order to use it effectively. Articles such as Git from the inside out and Git from the Bottom Up provide fantastic foundations, but they are still just a starting point. I really don’t care that much about Git, and I would happily spend the rest of my life knowing only how to commit and push code, but that’s not nearly enough, unfortunately. To really master Git, I had to bite the bullet and finally read the Pro Git book.

This book explains everything (and I really mean everything) you need to know about Git: from basic commands and simple branching/merging techniques, to more advanced concepts and ultimately Git internals. You can use this book as a reference, but you can also read it from cover to cover—it’s fun and easy to read (with the exception of “Git and Other Systems” chapter, which you can safely skip unless you are currently working with some of the legacy version control systems). Chapters “Git Tools” and “Git Internals” are indispensable; section “Reset Demystified” explains reset command better than any other resource on the internet. You will also learn tons of tricks that you will never use in the real life, but which will make you look smart in the public!

In an ideal world, we wouldn’t have to read books about version control systems, but we live in the world where we have to use Git, and that makes the Pro Git book a necessity (don’t get me wrong—this is actually a great book, it’s just that I would rather have spent those few weeks of my life improving skills that really matter).

Blood in the Water: The Attica Prison Uprising of 1971 and Its Legacy

Attica Correctional Facility has always been notorious for its horrible living conditions. It was (and still is) a dangerous and overcrowded place, lacking enough food and medical care. Prisoners’ demands for better living conditions culminated on September 9, 1971, when they took control over the prison, taking 42 employees hostage. After four days of intensive negotiations, governor of New York Nelson Rockefeller decided that the state would take back the prison by force. During the chaotic and violent operation, state troopers killed 43 people—33 inmates and 10 hostages. Hundreds of prisoners were severely beaten and tortured even after the takeover was complete. Blood in the Water is the definitive history of this infamous event, and the victims’ decades-long fight for justice.

This important historical document is the result of ten years of difficult research and bureaucratic hurdles. Despite the author’s numerous FOIA requests, government often refused to disclose the information that should have been public; some of the documents were found be sheer luck in the county courts. Despite its importance, this book is not flawless.

First part of the book is fascinating. It talks about the actual rebellion (including the negotiations and the takeover) in great detail. The writing is superb; I just couldn’t put the book down. Second part of the book is not nearly as great as the first. It describes the numerous criminal and civil trials that followed in the decades after the uprising, but it’s too long and too detailed, describing many cases that were very similar in nature. The book remains great, but flawed; it could have been perfect if only the second part was much shorter.

Reversing: Secrets of Reverse Engineering

I’ve been reading books from Thomas Ptacek’s application security reading list for the last several years. Almost all of them are the best books in their respective fields, and Reversing is no exception:

The best end-to-end treatment of the theory and practice of taking compiled binary software and working it back to its design and internal function.

Thomas Ptacek

It’s such a joy reading a book from the expert in the field, someone who has deep technical expertise and knowledge about the topic that you just can’t find anywhere else. Reversing is similar to TAOSSA in that sense—you just can’t find single weak chapter in this book. Some other authors would gently introduce you to reversing with some “Hello, world!” toy example, but not Eldad Eilam. He is the real deal, and the first thing you will learn to reverse in this book is nothing less than the splay tree implementation from the Windows kernel! And after a few hundred pages, just when you think you are ready to face any real-world application, the author throws at you what initially looks like unbreakable copy protection scheme, but also shows you how seemingly impossible problems can be solved with enough dedication.

The book is a bit dated, but the fundamentals of reversing haven’t changed in the last ten years. It’s also very dense, and requires very focused reader; for the first time in years I had to use pen and paper to work through some of the examples. But it’s worth the trouble, because by the time you complete this book, you will have acquired solid foundation in reverse engineering. However, that’s only the beginning; after that, it’s a lot of practice and hard work. Get yourself a copy of Binary Ninja, and have fun.

The Box: How the Shipping Container Made the World Smaller and the World Economy Bigger

Shipping container revolutionized international trade and made globalization possible, but it’s story has largely been ignored. The Box is the first comprehensive history of arguably one of the most important inventions of the twentieth century.

This book received mostly favorable reviews from the critics. They are totally deserved—the book is superbly researched and written. However, even though I really wanted to enjoy it, I just couldn’t bring myself to care about the topic. And that’s pretty much all I have to say about The Box—Bill Gates’ review is more detailed and also much more enthusiastic.

tmux 2: Productive Mouse-Free Development

I don’t remember where the initial idea to learn tmux came from; my life was perfectly fine with iTerm2 tabs. Anyway, it’s always good to learn new things, and I prefer to learn new things from books, even though it was questionable choice in this case—probably any tutorial would have been more than sufficient. But this is a very short book, so there was no harm in reading it—except that I completely gave up on tmux after reading it.

I was really enthusiastic when I first installed tmux and created a new session with several windows. But only after ten pages or so I was completely overwhelmed by the mind-boggling amount of shortcuts that I would have to learn in order to use tmux effectively. I though that maybe I should endure the initial pain, but then came the chapter on copy-mode, and that was the moment when I completely lost my interest in tmux.

The book itself is actually fine—my unrealistic expectations were the problem. After all, you can’t expect miracles from the book describing software whose essence is memorizing hundreds of keyboard shortcuts. But if you are kind of person who likes to do everything with keyboard, or configure things until everything is to their liking, this book might be the right choice for you.