Testing code security

Testing Code Security

Volumn , Issue , 2007, Pages 1-303

  van der Linden, Maura A ^a  

^a CALIFORNIA STATE UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 84891990490     PISSN: None     EISSN: None     Source Type: Book    
DOI: None     Document Type: Book

References (60)

1. Computer Use in the United States: October 1984. United States Census Bureau. Available from http://www.census.gov/population/www/socdemo/computer/p23-155.html.
2. Computer Use in the United States: October 1989. United States Census Bureau. Available from http://www.census.gov/population/www/socdemo/computer/p23-171.html.
3. Computer Use in the United States: October 1993. United States Census Bureau. Available from http://www.census.gov/population/www/socdemo/computer/computer93.html.
4. Computer Use in the United States: 1997. United States Census Bureau. Available from http://www.census.gov/population/www/socdemo/computer/97tabs.html.
5. Computer and Internet Use in the United States: September 2001. United States Census Bureau. Available from http://www.census.gov/population/www/socdemo/computer/ppl-175.html.
6. Computer and Internet Use in the United States: October 2003. United States Census Bureau. Available from http://www.census.gov/population/www/socdemo/computer/2003.html.
7. Computer and Internet Use in the United States: October 2003 Special Studies. United States Census Bureau. Available from http://www.census.gov/prod/2005pubs/p23-208.pdf.
8. Howard, M. and Lipner, S. The Trustworthy Computing Security Development Lifecycle. March 2005, Microsoft Corporation. Available from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecur e/html/sdl.asp.
9. Alberts, C., Dorofee, A., Stevens, J., and Woody, C. Introduction to the OCTAVE® Approach. August 2003. Available from http://www.cert.org/octave/pubs.html.
10. Bernz. The Complete Social Engineering FAQ. August 17, 1999. Available from http://packetstormsecurity.org/docs/social-engineering/.
11. Granger, S. Social Engineering Fundamentals: Hacker Tactics. 2001. Available from http://www.securityfocus.com/infocus/1527.
12. Howard, M. and Lipner, S. The Trustworthy Computing Security Development Lifecycle. March 2005, Microsoft Corporation. Available from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/sdl.asp.
13. McGraw, G. XP and Software Security?! You gotta be kidding. 2003. Cigital. Available from http://www.cigital.com/presentations/xpuniverse.
14. Nyman, J. Positive and Negative Testing. 2002. GlobalTester, TechQA. Available from http://www.sqatester.com/methodology/PositiveandNegativeTesting.htm.
15. Patch Management in Healthcare. March 29, 2005. Symantec Corporation. Available from http://enterprisesecurity.symantec.com/industry/healthcare/article.cfm?articleid=5502.
16. Cappelli, D.M., Keeney, M., J.D., Ph.D., Kowalski, E., Moore, A., Shimeall, T., and Rogers, S. Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. U.S. Secret Service and CERT® Coordination Center, May 2005. Available from http://www.cert.org/archive/pdf/insidercross051105.pdf.
17. Cappelli, D.M., Desai, A.G., Moore, A.P., Shimeall, T.J., Weaver, E.A., and Willke, B.J. Management and Education of the Risk or Insider Threat (MERIT): System Dynamics Modeling of Computer System Sabotage. CERT Program, Software Engineering Institute and CyLab at Carnegie Mellon University. Available from http://www.cert.org/archive/pdf/merit.pdf.
18. Howard, M. and LeBlanc, D. Writing Secure Code, 2nd ed. Microsoft Press, Redmond, Washington, 2003.
19. Octave. Carnegie Mellon Software Engineering Institute. Available from http://www.cert.org/octave/.
20. Snider, W. and Swiderski, F. Threat Modeling. Microsoft Press, Redmond, Washington, 2004.
21. Baker, B. and Pincus, J. Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns. IEEE Security and Privacy, 2004, pp. 20-27. Available online at http://www.lib.duke.edu/libguide/cite/printed_mag.htm.
22. Braverman, M. Win32/Blaster: A Case Study From Microsoft's Perspective. Virus Bulletin Conference. October 2005. Virus Bulletin Ltd. Available from http://download.microsoft.com/download/b/3/b/b3ba58e0-2b3b-4aa5-a7b0-c53c42b270c6/Blaster_Case_Study_White_Paper.pdf.
23. CERT Advisory CA-2002-27 Apache/mod_ssl Worm, CERT Coordination Center, 2002, Available from http://www.cert.org/advisories/CA-2002-27.html.
24. CERT Vulnerability Note VU#102795. CERT Coordination Center, 2002, Available from http://www.kb.cert.org/vuls/id/102795.
25. Donaldson, M.E. Inside the Buffer Overflow Attack: Mechanism, Method and Prevention. April 2002. Available from http://www.sans.org/reading_room/whitepapers/securecode/386.php.
26. Ferrie, P., Perriot, F., and Szor, P. Virus Analysis 3 Blast Off! Virus Bulletin. September 2003. Available online at http://pferrie.tripod.com/vb/blaster.pdf#search=%22win32%20blaster%20analysis%22.
27. Howard, M. Fix Those Buffer Overruns! May 2002. Available from http://msdn.microsoft.com/library.
28. Johnston, M. Revenge Is Sweet: Using the oc192-dcom.c exploit to accomplish revenge. SANS Institute. 2004. Available from http://www.giac.org/certified_professionals/practicals/gcih/0609.php.
29. Perriot, F. and Szor, P. An Analysis of the Slapper Worm Exploit. Symantec Security Response, 2003. Available from http://www.symantec.com/avcenter/reference/analysis.slapper.worm.pdf#search=%22slapper%20worm%22.
30. Seeley, D. A Tour of the Worm. Available from http://world.std.com/~franl/worm.html. (as posted by Francis Litterio)
31. Spafford, E. The Internet Worm Program: An Analysis. Purdue Technical Report CSDTR-823. Available from http://homes.cerias.purdue.edu/~spaf/tech-reps/823.pdf.
32. Klein, A. DOM Based Cross Site Scripting or XSS of the Third Kind. Web Application Security Consortium July 2005. Available from http://www.webappsec.org/projects/articles/071105.shtml.
33. Gibson, S. The Strange Tale of the Denial of Service Attacks Against GRC.Com. Gibson Research Corporation. September 17, 2005. Available from http://www.grc.com/dos/grcdos.htm.
34. Kenney, M. Ping of Death. Insecure.org. October 21, 1996. Available from http://insecure.org/sploits/ping-o-death.html.
35. CERT® Advisory CA-2000-13: Two Input Validation Problems In FTPD. Released July 7, 2000. Last updated November 21, 2000. Carnegie Mellon Software Engineering Institute CERT® Coordination Center. Available from http://www.cert.org/advisories/CA-2000-13.html.
36. CERT® Advisory CA-2000-17: Input Validation Problem in rpc.statd. Released August 18, 2000. Last updated September 6, 2000. Carnegie Mellon Software Engineering Institute CERT® Coordination Center. Available from http://www.cert.org/advisories/CA-2000-17.html.
37. CERT® Advisory CA-2000-22 Input Validation Problems in LPRing. Released December 12, 2000. Last updated January 27, 2003. Carnegie Mellon Software Engineering Institute CERT® Coordination Center. Available from http://www.cert.org/advisories/CA-2000-22.html.
38. CERT® Incident Note IN-2001-01: Widespread Compromises via "ramen" Toolkit. January 18, 2001. Carnegie Mellon Software Engineering Institute CERT® Coordination Center. Available from http://www.cert.org/incident_notes/IN-2001-01.html.
39. Multiple Linux Vendor rpc.statd Remote Format String Vulnerability. July 16, 2000. Security Focus. Available from http://www.securityfocus.com/bid/1480.
40. Multiple Vendor ftpd setproctitle() Format String Vulnerability. July 5, 2001. Security Focus. Available from http://www.securityfocus.com/bid/1425.
41. scut/team teso. Exploiting Format String Vulnerabilities. March 24, 2001. Available from http://julianor.tripod.com/teso-fs1-1.pdf.
42. CERT® Advisory CA-2002-25: Integer Overflow In XDR Library. Original Release Date August 5, 2002. Last updated October 3, 2002. Available from http://www.cert.org/advisories/CA-2002-25.html.
43. Howard, M. Reviewing Code for Integer Manipulation Vulnerabilities. April 28, 2003, Microsoft Corporation. Available from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure04102003.asp.
44. Symantic Security Response Newsletter. January-February 2004. Available from http://www.ldeo.columbia.edu/ldeo/it/Symantec/News-Jan2004.
45. Lam, K., LeBlanc, D., and Smith, B. Theft on the Web: Prevent Session Hijacking. Technet Magazine, Winter 2005. Available from http://www.microsoft.com/technet/technetmag/issues/2005/01/SessionHijacking/default.aspx.
46. CERT® Advisory CA-1993-12: Novell LOGIN.EXE Vulnerability. Original Release Date September 16, 1993. Last updated September 19, 1997. Available from http://www.cert.org/advisories/CA-1993-12.html.
47. CERT® Advisory CA-1995-15: SGI Ip Vulnerability. Original Release Date November 8, 1995. Last updated September 23, 1997. Available from http://www.cert.org/advisories/CA-1995-15.html.
48. Session Hijacking, Imperva Application Defense Center. Available from http://www.imperva.com/application_defense_center/glossary/session_hijacking.html.
49. Friedl, S. SQL Injection Attacks by Example. January 2005. Available from http://www.unixwiz.net/techtips/sql-injection.html.
50. SQL Injection Walkthrough. SecuriTeam, May 2002. Available from http://www. securiteam.com/securityreviews/5DP0N1P76E.html.
51. Forrester, J.E. and Miller, B.P. An Empirical Study of the Robustness of Windows NT Applications using Random Testing. 2000. University of Wisconsin-Madison. Available from http://www.cs.wisc.edu/~bart/fuzz/fuzz-nt.html.
52. Fredriksen, L., Miller, B.S., and So, B. An Empirical Study of the Reliability of UNIX Utilities. 1989. Miller, Fredriksen, and So. Available from ftp://ftp.cs.wisc.edu/paradyn/technical_papers/fuzz.pdf.
53. Koski, D., Lee, C.P., Maganty, V., Miller, B.P., Murthy, R., Natarajan, A., and Steidl, J. Fuzzing Revisited: A Re-examination of the Reliability of UNIX Utilities and Services. October 1995. University of Wisconsin-Madison. Available from ftp://ftp.cs.wisc.edu/paradyn/technical_papers/fuzz-revisited.pdf.
54. Alberts, C. and Dorofee, A. Managing Information Security Risks. Addison-Wesley, Boston, MA, 2002.
55. Chase, S.G. and Thompson, H.H. The Software Vulnerability Guide. Charles River Media, Hingham, MA, 2005.
56. Erickson, J. Hacking: The Art of Exploitation.No Starch Press, San Francisco, CA, 2003.
57. Fadia, A. The Unofficial Guide to Ethical Hacking, 2nd ed. Thomson Course Technology, Boston, MA, 2006.
58. Gallagher, T., Jeffries, B., and Landauer, L. Hunting Security Bugs, Microsoft Press, Redmond, WA, 2006.
59. McGraw, G. Software Security: Building Security In. Pearson Education, Boston, MA, 2006.
60. Swiderski, F. and Snyder, W.Threat Modeling. Microsoft Press, Redmond, WA, 2004.