Author/s: Greg Hoglund and Gary McGraw
Publisher: Addison-Wesley
Category: Other
Review by: Ernest Friedman-Hill
Rating: 6 horseshoes

"Exploiting Software" purports to be a book aimed at helping software professionals understand the security risks they face; it uses the pedagogical device of teaching how software can be attacked to achieve the goal of explaining how secure software should be built. Unfortunately, I think it fails both as a guide to building secure software and as a guide to being a black hat hacker.

Most of "Exploiting Software" reads more like a book proposal than a completed work: too detailed in places (do we really need a dozen pages on writing plugins for the IDA Pro Disassembler?), not detailed enough in others, and generally not well organized. Far too often, the reader is simply told that an exploit exists, and is then directed to the original source for details. Worse, the original sources are often white papers, personal web sites, and conference proceedings -- things that are either hard to obtain, unlikely to be available for long, or both. As a result, the reader learns nothing.

The preface to "Exploiting Software" explains that this is a companion volume to "Building Secure Software," written by the same Gary McGraw with another co-author, and this helps to explain the main failings of this book. While the last two chapters, "Buffer Overflow" and "Rootkits", are better than the rest -- they provide plenty of concrete details -- two chapters aren't enough to vindicate this fairly shallow work. For $49.99, I expect a book that can stand on its own.