A Bug Hunter’s Diary

Author: Tobias Klein
Pages: 208
Publisher: No Starch Press
ISBN: 1593273851

Introduction

For individuals who make a living developing and maintaining software systems, finding bugs in their own code is almost a daily ritual. Working on software development projects comes with great responsibility, as system owners expect stable, performant and, above all else, secure software systems to be delivered to them.

This book teaches readers how to develop the necessary skills and the right mindset to discover, analyze and fix security-related bugs in their software.

About the author

Tobias Klein is a security researcher and founder of NESO Security Labs, an information security consulting and research company. He is the author of two information security books published in the German language.

Inside the book

The book starts with a brief overview of the bug hunting process, and the first chapter serves as an introduction to common terminology and techniques.

Each of the following chapters describes the life cycle of one of seven interesting, real-life software security bugs/vulnerabilities. In each chapter the author explains how he discovered the bug, how to exploit it and how the vendor patched it in the end.

The chapters touch on bugs in the popular VLC media player, the Solaris operating system kernel, an ActiveX control for Microsoft’s Internet Explorer, a Microsoft Windows driver, the Mac OS X kernel, the iPhone audio system, and the FFmpeg multimedia library used by many popular browsers.

This book is not a “cookbook” for bug hunting and, in my opinion, there will never be one. It is also not a one-stop reference on the subject of bug hunting, and you are encouraged to use other sources to expand your knowledge of the topics covered in the chapters.

To fully understand all the subject areas, the reader has to be very proficient with C programming and some operating system internals.

What makes this book stand apart from others is the fact that it offers insight into the approaches, techniques and, more importantly, the way of thinking used by the author to find specific bugs in real-life software products.

Many of us are self-educated on the subject and we know how hard and tedious it can be when you have to learn it all alone. This book offers its author as a mentor and guide through the bug hunting process.