[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-43332-en":3,"doc-seo-43332-105":30,"detail-sidebar-cat-0-en-105":92},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":21,"is_downloadable":21,"audit_status":21,"page_count":22,"language":23,"language_code":24,"site_id":25,"html_lang":24,"table_of_contents":26,"faqs":27,"seo_title":13,"seo_description":14,"update_tm":28,"read_time":29},43332,2336464648746,"Skyler","https://ap-avatar.wpscdn.com/davatar_276721f389ce27ea32af1340a28f341c",6,"Technology","The Art of Software Security Assessment Identifying and Preventing Software Vulnerabilities","The Art of Software Security Assessment presents a structured approach to finding and addressing software vulnerabilities across the software development life cycle. It covers vulnerability fundamentals, distinctions between auditing and black box testing, and classification of issues across design, implementation, and operational areas. The book details design reviews, including enforcing security policies such as authentication, authorization, confidentiality, integrity, and availability, plus threat modeling. It also explains operational review topics like attack surface, insecure defaults, access control, and secure channels, followed by application review process steps for scoping, assessment, and information collection.","T H E A R T O F  \nSOFTWARE SECURITY ASSESSMENT  \nThis page intentionally left blank  \nT H E A R T O F  \nSOFTWARE SECURITY ASSESSMENT  \nIDENTIFYING AND PREVENTING SOFTWARE VULNERABILITIES  \nMARK DOWD JOHN MCDONALD JUSTIN SCHUH  \nUpper Saddle River, NJ • Boston • Indianapolis • San Francisco New York • Toronto • Montreal • London • Munich • Paris • Madrid Cape Town • Sydney • Tokyo • Singapore • Mexico City  \nMany of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.  \nThe authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.  \nThe publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:  \nU.S. Corporate and Government Sales  \n(800) 382-3419  \n[corpsales@pearsontechgroup.com](corpsales@pearsontechgroup.com)[ ](corpsales@pearsontechgroup.com)For sales outside the United States please contact:  \nInternational Sales  \n[international@pearsoned.com](international@pearsoned.com)  \nThis Book Is Safari Enabled  \nThe Safari® Enabled icon on the cover of your favorite technology book means the book is available through Safari Bookshelf. When you buy this book, you get free access to the online edition for 45  \ndays. Safari Bookshelf is an electronic reference library that lets you easily search thousands of technical books, find code samples, download chapters, and access technical information whenever and wherever you need it. To gain 45-day Safari Enabled access to this book:  \n• Go to [http://www.awprofessional.com/safarienabled](http://www.awprofessional.com/safarienabled)  \n• Complete the brief registration form  \n• Enter the coupon code 8IDA-PB2D-7PCZ-PGE6-BP6E  \nIf you have difficulty registering on Safari Bookshelf or accessing the online edition, please e-mail customer[service@safaribooksonline.com](service@safaribooksonline.com).  \n[Visit us on the Web: www.awprofessional.com](Visit us on the Web: www.awprofessional.com)[ ](Visit us on the Web: www.awprofessional.com)[Copyright](Copyright) © [2007 Pearson Education](2007 Pearson Education), Inc.  \nAll rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:  \nPearson Education, Inc.  \nRights and Contracts Department  \n75 Arlington Street, Suite 300  \nBoston, MA 02116  \nFax: (617) 848-7047  \nISBN 0-321-44442-6  \nText printed in the United States on recycled paper at Edwards Brothers in Ann Arbor, Michigan. First printing, November 2006  \nLibrary of Congress Cataloging-in-Publication Data  \nDowd, Mark.  \nThe art of software security assessment : identifying and preventing software vulnerabilities / Mark Dowd, John McDonald, and Justin Schuh.  \n[p. cm](p. cm).  \nISBN 0-321-44442-6 (pbk. : alk. paper) 1. Computer security. 2. Computer software—Development.  \n3. Computer networks—Security measures. I. McDonald, John, 1977-II. Schuh, Justin. III. Title. QA76 .9.A25D75 2006  \n005.8—dc22  \n2006023446  \nTable of Contents  \nABOUT THE AUTHORS xv PREFACE xvii ACKNOWLEDGMENTS xxi  \nI Introduction to Software Security Asse","cbCaijmrjU1WlMbF","https://ap.wps.com/l/cbCaijmrjU1WlMbF","pdf",7848393,7,1,1201,"English","en",105,"# I Introduction to Software Security Assessment\n## 1 Software Vulnerability Fundamentals\n## 2 Design Review\n## 3 Operational Review\n## 4 Application Review Process","[{\"question\":\"软件漏洞评估的核心基础包括哪些内容？\",\"answer\":\"内容覆盖漏洞基础、安全策略与安全期望、审计的必要性，以及与黑盒测试的对比。同时还包括漏洞的分类与通用关联要点，如输入与数据流、信任关系、接口与环境攻击等。\"},{\"question\":\"设计评审在安全中如何发挥作用？\",\"answer\":\"设计评审围绕软件设计基础展开，强调算法与分解、信任关系，以及安全设计原则。章节进一步讲解如何强制安全策略，并以认证、授权、问责、机密性、完整性与可用性为重点，同时结合威胁建模与发现记录。\"},{\"question\":\"操作性评审主要关注哪些方面？\",\"answer\":\"操作性评审聚焦暴露面（attack surface）、不安全默认项、访问控制、非必要服务与安全通道等。还包括欺骗与识别、网络画像以及面向 Web 的考量，例如 HTTP 相关处理、目录索引、文件处理、认证与过度详细的错误信息等。\"}]",1783380134,3027,{"code":4,"msg":31,"data":32},"ok",{"site_id":25,"language":24,"slug":33,"title":13,"keywords":34,"description":14,"schema_data":35,"social_meta":87,"head_meta":89,"extra_data":91,"updated_unix":28},"the-art-of-software-security-assessment-identifying-and-preventing-software-vulnerabilities","",{"@graph":36,"@context":86},[37,54,69],{"@type":38,"itemListElement":39},"BreadcrumbList",[40,44,48,51],{"item":41,"name":42,"@type":43,"position":21},"https://docshare.wps.com","Home","ListItem",{"item":45,"name":46,"@type":43,"position":47},"https://docshare.wps.com/document/","Document",2,{"item":49,"name":12,"@type":43,"position":50},"https://docshare.wps.com/document/technology/",3,{"item":52,"name":13,"@type":43,"position":53},"https://docshare.wps.com/document/the-art-of-software-security-assessment-identifying-and-preventing-software-vulnerabilities/43332/",4,{"url":52,"name":13,"@type":55,"author":56,"headline":13,"publisher":58,"fileFormat":61,"inLanguage":24,"description":14,"dateModified":62,"datePublished":63,"encodingFormat":61,"isAccessibleForFree":64,"interactionStatistic":65},"DigitalDocument",{"name":9,"@type":57},"Person",{"url":41,"name":59,"@type":60},"DocShare","Organization","application/pdf","2026-07-15","2026-07-06",true,{"@type":66,"interactionType":67,"userInteractionCount":20},"InteractionCounter",{"@type":68},"ViewAction",{"@type":70,"mainEntity":71},"FAQPage",[72,78,82],{"name":73,"@type":74,"acceptedAnswer":75},"软件漏洞评估的核心基础包括哪些内容？","Question",{"text":76,"@type":77},"内容覆盖漏洞基础、安全策略与安全期望、审计的必要性，以及与黑盒测试的对比。同时还包括漏洞的分类与通用关联要点，如输入与数据流、信任关系、接口与环境攻击等。","Answer",{"name":79,"@type":74,"acceptedAnswer":80},"设计评审在安全中如何发挥作用？",{"text":81,"@type":77},"设计评审围绕软件设计基础展开，强调算法与分解、信任关系，以及安全设计原则。章节进一步讲解如何强制安全策略，并以认证、授权、问责、机密性、完整性与可用性为重点，同时结合威胁建模与发现记录。",{"name":83,"@type":74,"acceptedAnswer":84},"操作性评审主要关注哪些方面？",{"text":85,"@type":77},"操作性评审聚焦暴露面（attack surface）、不安全默认项、访问控制、非必要服务与安全通道等。还包括欺骗与识别、网络画像以及面向 Web 的考量，例如 HTTP 相关处理、目录索引、文件处理、认证与过度详细的错误信息等。","https://schema.org",{"og:url":52,"og:type":88,"og:title":13,"og:site_name":59,"og:description":14},"article",{"robots":90,"canonical":52},"index,follow",{"doc_id":7,"site_id":25},{"code":4,"msg":5,"data":93},[94,98,102,106,111,114,118,123,128,131,135],{"id":21,"doc_module":4,"doc_module_name":46,"category_name":95,"show_sort_weight":96,"slug":97},"Story & Novel",90,"story-novel",{"id":47,"doc_module":4,"doc_module_name":46,"category_name":99,"show_sort_weight":100,"slug":101},"Literature",80,"literature",{"id":53,"doc_module":4,"doc_module_name":46,"category_name":103,"show_sort_weight":104,"slug":105},"Exam",70,"exam",{"id":107,"doc_module":4,"doc_module_name":46,"category_name":108,"show_sort_weight":109,"slug":110},5,"Comic",60,"comic",{"id":11,"doc_module":4,"doc_module_name":46,"category_name":12,"show_sort_weight":112,"slug":113},50,"technology",{"id":20,"doc_module":4,"doc_module_name":46,"category_name":115,"show_sort_weight":116,"slug":117},"Healthcare",40,"healthcare",{"id":119,"doc_module":4,"doc_module_name":46,"category_name":120,"show_sort_weight":121,"slug":122},8,"Research & Report",30,"research-report",{"id":124,"doc_module":4,"doc_module_name":46,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":46,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":46,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":136,"doc_module":4,"doc_module_name":46,"category_name":137,"show_sort_weight":107,"slug":138},19,"General","general"]