Dr. James Whittaker
Description:
What is it that differentiates security bugs from run-of-the-mill functional bugs? What knowledge, insight and intuition must testers develop in order to train themselves to find and recognize security vulnerabilities?
We sought to answer this question by analyzing thousands of security vulnerabilities that shipped in major products, from operating systems to browser plug-ins, routers to firewalls. We attempted to understand each bug in the context of its underlying causal faults, its failure symptoms and the best method to discover its existence. Thus, we ended up understanding how security bugs come into being, how to look for vulnerabilities' telltale signatures and how to go about finding vulnerabilities in the first place. The end result was a body of knowledge called How to Break Software Security.
This talk is a fun, entertaining and educational journey through the security testing techniques that make up How to Break Software Security. You will learn many new and novel ways to force software applications (of whatever variety) to fail in ways that are exploitable by hackers.
Outline/Learning Objectives:
And much, much more. How to Break Software Security is more than a discussion about software vulnerabilities. It's about what it takes to increase your skills to the Jedi level—may the force be with you.
James A. Whittaker is a professor of computer science at the Florida Institute of Technology. He earned his Ph.D. in computer science from the University of Tennessee in 1992. His research interests are software testing, software security, software vulnerability testing and anti-cyber-warfare technology. He is the author of How to Break Software, How to Break Software Security (with Hugh Thompson) and over 50 peer-reviewed papers on software development and computer security. He holds patents on various inventions in software testing and defensive security applications and has attracted millions in funding, sponsorship and license agreements while a professor at Florida Tech. He also has served as a testing and security consultant for Microsoft, IBM, Rational and many more US companies. In 2001 he was appointed to Microsoft's Trustworthy Computing Academic Advisory Board and was named a “Top Scholar” by the editors of the Journal of Systems and Software based on his research publications in software engineering. His research team at Florida Tech is known for its testing technologies and tools, which include the highly acclaimed runtime fault injection tool Holodeck. His research group is also well known for its development of exploits against software security, including cracking encryption and passwords and infiltrating protected networks via novel attacks against software defenses.