Computer Networking: A Top-Down Approach Featuring the Internet
Security Engineering: A Guide to Building Dependable Distributed Systems
Professional Pen Testing for Web Applications
After a review of the basics of web applications, you'll be introduced to web application hacking concepts and techniques such as vulnerability analysis, attack simulation, results analysis, manuals, source code, and circuit diagrams. These web application hacking concepts and techniques will prove useful information for ultimately securing the resources that need your protection.
What you will learn from this book
* Surveillance techniques that an attacker uses when targeting a system for a strike
* Various types of issues that exist within the modern day web application space
* How to audit web services in order to assess areas of risk and exposure
* How to analyze your results and translate them into documentation that is useful for remediation
* Techniques for pen-testing trials to practice before a live project
Who this book is for
This book is for programmers, developers, and information security professionals who want to become familiar with web application security and how to audit it. Wrox Professional guides are planned and written by working programmers to meet the real-world needs of programmers, developers, and IT professionals. Focused and relevant, they address the issues technology professionals face every day. They provide examples, practical solutions, and expert education in new technologies, all designed to help programmers do a better job.
How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD
Java
Developers around the world have used previous editions to quickly gain a deep understanding of the Java programming language, its design goals, and how to use it most effectively in real-world development. Now, Ken Arnold, James Gosling, and David Holmes have updated this classic to reflect the major enhancements in Java™ 2 Standard Edition 5.0 (J2SE™ 5.0). The authors systematically cover most classes in Java's main packages, java.lang.*, java.util, and java.io, presenting in-depth explanations of why these classes work as they do, with informative examples. Several new chapters and major sections have been added, and every chapter has been updated to reflect today's best practices for building robust, efficient, and maintainable Java software. Key changes in this edition include:
* New chapters on generics, enums, and annotations, the most powerful new language features introduced in J2SE 5.0
* Changes to classes and methods throughout to reflect the addition of generics
* Major new sections on assertions and regular expressions
* Coverage of all the new language features, from autoboxing and variable argument methods to the enhanced for-loop and covariant return types
* Coverage of key new classes, such as Formatter and Scanner
The Java™ Programming Language, Fourth Edition, is the definitive tutorial introduction to the Java language and essential libraries and an indispensable reference for all programmers, including those with extensive experience. It brings together insights you can only get from the creators of Java: insights that will help you write software of exceptional quality.
Security Log Management: Identifying Patterns in the Chaos
Almost every operating system, firewall, router, switch, intrusion detection system, mail server, Web server, and database produces some type of "log file." This is true of both open source tools and commercial software and hardware from every IT manufacturer. Each of these logs is reviewed and analyzed by a system administrator or security professional responsible for that particular piece of hardware or software. As a result, almost everyone involved in the IT industry works with log files in some capacity.
* Provides turn-key, inexpensive, open source solutions for system administrators to analyze and evaluate the overall performance and security of their network
* Dozens of working scripts and tools presented throughout the book are available for download from the Syngress Solutions Web site.
* Will save system administrators countless hours by scripting and automating the most common to the most complex log analysis tasks
Java Persistence with Hibernate
— From the Foreword by LINDA DEMICHIEL, Specification Lead, Enterprise JavaBeans 3.0 and Java Persistence, Sun Microsystems
Persistence, the ability of data to outlive an instance of a program, is central to modern applications. Hibernate, the most popular Java persistence tool, provides automatic and transparent object/relational mapping so it's a snap to work with SQL databases in Java applications. Hibernate conforms to the new EJB 3.0 and Java Persistence 1.0 standards. Java Persistence with Hibernate explores Hibernate by developing an application that ties together hundreds of individual examples. You'll immediately dig into the rich programming model of Hibernate 3.2 and Java Persistence, working through queries, fetching strategies, caching, transactions, conversations, and more. You'll also appreciate the well-illustrated discussion of best practices in database design, object/relational mapping, and optimization techniques. In this 2nd edition of Manning's bestselling Hibernate in Action, authors Christian Bauer and Gavin King — the founder of the Hibernate project — cover Hibernate 3.2 in detail along with the EJB 3.0 and Java Persistence 1.0 standards.
What's Inside:
—Authoritative source for any developer using Java with SQL databases.
—Covers the latest major Hibernate version in great detail
—Explores the new EJB 3.0 Java Persistence standard.
—Written by the Hibernate founder and project lead.
—Object/relational mapping concepts
—Real-world tasks and examples
—Application design and development processes with ORM
Building Secure Servers with Linux
Introduction to Computer Security
Bishop explains the fundamentals of security: the different types of widely used policies, the mechanisms that implement these policies, the principles underlying both policies and mechanisms, and how attackers can subvert these tools—as well as how to defend against attackers. A practicum demonstrates how to apply these ideas and mechanisms to a realistic company. Coverage includes:
* Confidentiality, integrity, and availability
* Operational issues, cost-benefit and risk analyses, legal and human factors
* Planning and implementing effective access control
* Defining security, confidentiality, and integrity policies
* Using cryptography and public-key systems, and recognizing their limits
* Understanding and using authentication: from passwords to biometrics
* Security design principles: least-privilege, fail-safe defaults, open design, economy of mechanism, and more
* Controlling information flow through systems and networks
* Assuring security throughout the system lifecycle
* Malicious logic: Trojan horses, viruses, boot sector and executable infectors, rabbits, bacteria, logic bombs—and defenses against them
* Vulnerability analysis, penetration studies, auditing, and intrusion detection and prevention
* Applying security principles to networks, systems, users, and programs
Introduction to Computer Security is adapted from Bishop's comprehensive and widely praised book, Computer Security: Art and Science. This shorter version of the original work omits much mathematical formalism, making it more accessible for professionals and students who have a less formal mathematical background, or for readers with a more practical than theoretical interest.
Pentaho Solutions: Business Intelligence and Data Warehousing with Pentaho and MySQL
Open-source Pentaho provides business intelligence (BI) and data warehousing solutions at a fraction of the cost of proprietary solutions. Now you can take advantage of Pentaho for your business needs with this practical guide written by two major participants in the Pentaho community. The book covers all components of the Pentaho BI Suite. You'll learn to install, use, and maintain Pentaho, and find plenty of background discussion that will bring you thoroughly up to speed on BI and Pentaho concepts.
* Of all available open source BI products, Pentaho offers the most comprehensive toolset and is the fastest growing open source product suite
* Explains how to build and load a data warehouse with Pentaho Kettle for data integration/ETL, manually create JFree (pentaho reporting services) reports using direct SQL queries, and create Mondrian (Pentaho analysis services) cubes and attach them to a JPivot cube browser
* Review deploying reports, cubes and metadata to the Pentaho platform in order to distribute BI solutions to end-users
* Shows how to set up scheduling, subscription and automatic distribution
The companion Web site provides complete source code examples, sample data, and links to related resources.
RESTful Java with Jax-RS
It's easy to get started with services based on the REST architecture. RESTful Java with JAX-RS includes a technical guide that explains REST and JAX-RS, how they work, and when to use them. With the RESTEasy workbook that follows, you get step-by-step instructions for installing, configuring, and running several working JAX-RS examples using the JBoss RESTEasy implementation of JAX-RS.
* Work on the design of a distributed RESTful interface, and develop it in Java as a JAX-RS service
* Dispatch HTTP requests in JAX-RS, and learn how to extract information from them
* Deploy your web services within Java Enterprise Edition using the Application class, Default Component Model, EJB Integration, Spring Integration, and JPA
* Discover several options for securing your web services
* Learn how to implement RESTful design patterns using JAX-RS
* Write RESTful clients in Java using libraries and frameworks such as java.net.URL, Apache HTTP Client, and RESTEasy Proxy
Eclipse: Building Commercial-Quality Plug-ins
"I'm often asked, 'What are the best books about Eclipse?' Number one on my list, every time, is Eclipse: Building Commercial-Quality Plug-ins. I find it to be the clearest and most relevant book about Eclipse for the real-world software developer. Other Eclipse books focus on the internal Eclipse architecture or on repeating the Eclipse documentation, whereas this book is laser focused on the issues and concepts that matter when you're trying to build a product." — Bjorn Freeman-Benson, Director, Open Source Process, Eclipse Foundation
"As the title suggests, this massive tome is intended as a guide to best practices for writing Eclipse plug-ins. I think in that respect it succeeds handily. Before you even think about distributing a plug-in you've written, read this book." — Ernest Friedman-Hill, Sheriff, JavaRanch.com
"Eclipse: Building Commercial-Quality Plug-ins was an invaluable training aid for all of our team members. In fact, training our team without the use of this book as a base would have been virtually impossible. It is now required reading for all our developers and helped us deliver a brand-new, very complex product on time and on budget thanks to the great job this book does of explaining the process of building plug-ins for Eclipse." — Bruce Gruenbaum
"This is easily one of the most useful books I own. If you are new to developing Eclipse plug-ins, it is a 'must-have' that will save you lots of time and effort. You will find lots of good advice in here, especially things that will help add a whole layer of professionalism and completeness to any plug-in. The book is very focused, well-structured, thorough, clearly written, and doesn't contain a single page of 'waffly page filler.' The diagrams explaining the relationships between the different components and manifest sections are excellent and aid in understanding how everything fits together. This book goes well beyond Actions, Views, and Editors, and I think everyone will benefit from the authors' experience. I certainly have." — Tony Saveski
"The authors of this seminal book have decades of proven experience with the most productive and robust software engineering technologies ever developed. Their experiences have now been well applied to the use of Eclipse for more effective Java development. A must-have for any serious software engineering professional!" — Ed Klimas
"Just wanted to also let you know this is an excellent book! Thanks for putting forth the effort to create a book that is easy to read and technical at the same time!" — Brooke Hedrick
"The key to developing great plug-ins for Eclipse is understanding where and how to extend the IDE, and that's what this book gives you. It is a must for serious plug-in developers, especially those building commercial applications. I wouldn't be without it." — Brian Wilkerson
"If you're looking for just one Eclipse plug-in development book that will be your guide, this is the one. While there are other books available on Eclipse, few dive as deep as Eclipse: Building Commercial-Quality Plug-ins." — Simon Archer
Eclipse has established itself as a dominant force in the application-development space. Key to the success of Eclipse is the ability of developers to extend its functionality using plug-ins. This new edition of Eclipse: Building Commercial-Quality Plug-ins is the definitive, start-to-finish guide to building commercial-quality Eclipse plug-ins, with an emphasis on adding the sophistication and polish that paying customers demand. The book provides both a quick introduction to using Eclipse for new users and a reference for experienced Eclipse users wishing to expand their knowledge and improve the quality of their Eclipse-based products. Revised to take advantage of pure Eclipse 3.1 and 3.2 APIs, this widely praised bestseller presents detailed, practical coverage of every aspect of plug-in development and specific solutions for the challenges developers are most likely to encounter. All code examples, relevant API listings, diagrams, and screen captures have been updated. Some Eclipse concepts—such as actions, views, and editors—have not changed radically, but now have additional functionality and capabilities. Other areas, such as the Eclipse plug-in infrastructure, have changed drastically due to the Eclipse shift towards an OSGi-based infrastructure. This edition is fully updated to address these new advances for Eclipse developers.
* Includes a quick introduction to Eclipse for experienced Java programmers
* Serves as a systematic reference for experienced Eclipse users
* Introduces all the tools you need to build Eclipse and Rational plug-ins
* Explains the Eclipse architecture and the structure of plug-ins and extension points
* Offers practical guidance on building Eclipse user interfaces with SWT and JFace
* Shows how to use change tracking, perspectives, builders, markers, natures, and more
* Covers internationalization, help systems, features, and branding
This book is designed for anyone who wants a deep understanding of Eclipse, and every experienced developer interested in extending Eclipse or the Rational Software Development Platform.
JavaScript: The Good Parts
Considered the JavaScript expert by many people in the development community, author Douglas Crockford identifies the abundance of good ideas that make JavaScript an outstanding object-oriented programming language, ideas such as functions, loose typing, dynamic objects, and an expressive object literal notation. Unfortunately, these good ideas are mixed in with bad and downright awful ideas, like a programming model based on global variables. When Java applets failed, JavaScript became the language of the Web by default, making its popularity almost completely independent of its qualities as a programming language. In JavaScript: The Good Parts, Crockford finally digs through the steaming pile of good intentions and blunders to give you a detailed look at all the genuinely elegant parts of JavaScript, including:
* Syntax
* Objects
* Functions
* Inheritance
* Arrays
* Regular expressions
* Methods
* Style
* Beautiful features
The real beauty? As you move ahead with the subset of JavaScript that this book presents, you'll also sidestep the need to unlearn all the bad parts. Of course, if you want to find out more about the bad parts and how to use them badly, simply consult any other JavaScript book. With JavaScript: The Good Parts, you'll discover a beautiful, elegant, lightweight and highly expressive language that lets you create effective code, whether you're managing object libraries or just trying to get Ajax to run fast. If you develop sites or applications for the Web, this book is an absolute must.
Implementing Intrusion Detection Systems: A Hands-On Guide for Securing the Network
* Packed with real-world tips and practical techniques, this book shows IT and security professionals how to implement, optimize, and effectively use IDS
* Features coverage of the recently revised IETF IDS specification
* Covers IDS standards, managing traffic volume in the IDS, intrusion signatures, log analysis, and incident handling
* Provides step-by-step instructions for configuration procedures
Hacking: The Next Generation
You'll not only find valuable information on new hacks that attempt to exploit technical flaws, you'll also learn how attackers take advantage of individuals via social networking sites, and abuse vulnerabilities in wireless technologies and cloud infrastructures. Written by seasoned Internet security professionals, this book helps you understand the motives and psychology of hackers behind these attacks, enabling you to better prepare and defend against them.
* Learn how "inside out" techniques can poke holes into protected networks
* Understand the new wave of "blended threats" that take advantage of multiple application vulnerabilities to steal corporate data
* Recognize weaknesses in today's powerful cloud infrastructures and how they can be exploited
* Prevent attacks against the mobile workforce and their devices containing valuable data
* Be aware of attacks via social networking sites to obtain confidential information from executives and their assistants
* Get case studies that show how several layers of vulnerabilities can be used to compromise multinational corporations
BSD Hacks
"Fun?" you ask. Perhaps "fun" wasn't covered in the manual that taught you to install BSD and administer it effectively. But BSD Hacks, the latest in O'Reilly's popular Hacks series, offers a unique set of practical tips, tricks, tools—and even fun—for administrators and power users of BSD systems. BSD Hacks takes a creative approach to saving time and getting more done, with fewer resources. You'll take advantage of the tools and concepts that make the world's top Unix users more productive. Rather than spending hours with a dry technical document learning what switches go with a command, you'll learn concrete, practical uses for that command. The book begins with hacks to customize the user environment. You'll learn how to be more productive in the command line, timesaving tips for setting user-defaults, how to automate long commands, and save long sessions for later review. Other hacks in the book are grouped in the following areas:
* Customizing the User Environment
* Dealing with Files and Filesystems
* The Boot and Login Environments
* Backing Up
* Networking Hacks
* Securing the System
* Going Beyond the Basics
* Keeping Up-to-Date
* Grokking BSD
If you want more than your average BSD user—you want to explore and experiment, unearth shortcuts, create useful tools, and come up with fun things to try on your own—BSD Hacks is a must-have. This book will turn regular users into power users and system administrators into super system administrators.
Learning SQL: A Step-By-Step Guide Using Oracle
Practical Cryptography
Niels Ferguson (Amsterdam, Netherlands) is a cryptographic engineer and consultant at Counterpane Internet Security. He has extensive experience in the creation and design of security algorithms, protocols, and multinational security infrastructures. Previously, Ferguson was a cryptographer for DigiCash and CWI. At CWI he developed the first generation of off-line payment protocols. He has published numerous scientific papers. Bruce Schneier (Minneapolis, MN) is Founder and Chief Technical Officer at Counterpane Internet Security, a managed-security monitoring company. He is also the author of Secrets and Lies: Digital Security in a Networked World (0-471-25311-1).
XSS Attacks: Cross Site Scripting Exploits and Defense
* XSS vulnerabilities exist in 8 out of 10 Web sites
* The authors of this book are the undisputed industry leading authorities
* Contains independent, bleeding edge research, code listings and exploits that cannot be found anywhere else
Java Concurrency in Practice
—Martin Buchholz, JDK Concurrency Czar, Sun Microsystems
"For the past 30 years, computer performance has been driven by Moore's Law; from now on, it will be driven by Amdahl's Law. Writing code that effectively exploits multiple processors can be very challenging. Java Concurrency in Practice provides you with the concepts and techniques needed to write safe and scalable Java programs for today's—and tomorrow's—systems." —Doron Rajwan, Research Scientist, Intel Corp
"This is the book you need if you're writing—or designing, or debugging, or maintaining, or contemplating—multithreaded Java programs. If you've ever had to synchronize a method and you weren't sure why, you owe it to yourself and your users to read this book, cover to cover." —Ted Neward, Author of Effective Enterprise Java
"Brian addresses the fundamental issues and complexities of concurrency with uncommon clarity. This book is a must-read for anyone who uses threads and cares about performance." —Kirk Pepperdine, CTO, JavaPerformanceTuning.com
"This book covers a very deep and subtle topic in a very clear and concise way, making it the perfect Java Concurrency reference manual. Each page is filled with the problems (and solutions!) that programmers struggle with every day. Effectively exploiting concurrency is becoming more and more important now that Moore's Law is delivering more cores but not faster cores, and this book will show you how to do it." —Dr. Cliff Click, Senior Software Engineer, Azul Systems
"I have a strong interest in concurrency, and have probably written more thread deadlocks and made more synchronization mistakes than most programmers. Brian's book is the most readable on the topic of threading and concurrency in Java, and deals with this difficult subject with a wonderful hands-on approach. This is a book I am recommending to all my readers of The Java Specialists' Newsletter, because it is interesting, useful, and relevant to the problems facing Java developers today." —Dr. Heinz Kabutz, The Java Specialists' Newsletter
"I've focused a career on simplifying simple problems, but this book ambitiously and effectively works to simplify a complex but critical subject: concurrency. Java Concurrency in Practice is revolutionary in its approach, smooth and easy in style, and timely in its delivery—it's destined to be a very important book." —Bruce Tate, Author of Beyond Java
"Java Concurrency in Practice is an invaluable compilation of threading know-how for Java developers. I found reading this book intellectually exciting, in part because it is an excellent introduction to Java's concurrency API, but mostly because it captures in a thorough and accessible way expert knowledge on threading not easily found elsewhere." —Bill Venners, Author of Inside the Java Virtual Machine
Threads are a fundamental part of the Java platform. As multicore processors become the norm, using concurrency effectively becomes essential for building high-performance applications. Java SE 5 and 6 are a huge step forward for the development of concurrent applications, with improvements to the Java Virtual Machine to support high-performance, highly scalable concurrent classes and a rich set of new concurrency building blocks. In Java Concurrency in Practice, the creators of these new facilities explain not only how they work and how to use them, but also the motivation and design patterns behind them. However, developing, testing, and debugging multithreaded programs can still be very difficult; it is all too easy to create concurrent programs that appear to work, but fail when it matters most: in production, under heavy load. Java Concurrency in Practice arms readers with both the theoretical underpinnings and concrete techniques for building reliable, scalable, maintainable concurrent applications. Rather than simply offering an inventory of concurrency APIs and mechanisms, it provides design rules, patterns, and mental models that make it easier to build concurrent programs that are both correct and performant. This book covers:
* Basic concepts of concurrency and thread safety
* Techniques for building and composing thread-safe classes
* Using the concurrency building blocks in java.util.concurrent
* Performance optimization dos and don'ts
* Testing concurrent programs
* Advanced topics such as atomic variables, nonblocking algorithms, and the Java Memory Model
Inside Java
Java
The book provides complete, accurate, and detailed coverage of the Java programming language. It provides full coverage of all new features added since the previous edition, including generics, annotations, asserts, autoboxing, enums, for-each loops, variable arity methods, and static import clauses.
CEH: Official Certified Ethical Hacker Review Guide: Exam 312-50
Certified Ethical Hacker Exam Prep
Along with the most current CEH content, the book also contains the elements that make Exam Preps such strong study aids: comprehensive coverage of exam topics, end-of-chapter review, practice questions, Exam Alerts, Fast Facts, plus an entire practice exam to test your understanding of the material. The book also features MeasureUp's innovative testing software, to help you drill and practice your way to higher scores.
Ajax Security
More and more Web sites are being rewritten as Ajax applications; even traditional desktop software is rapidly moving to the Web via Ajax. But, all too often, this transition is being made with reckless disregard for security. If Ajax applications aren't designed and coded properly, they can be susceptible to far more dangerous security vulnerabilities than conventional Web or desktop software. Ajax developers desperately need guidance on securing their applications: knowledge that's been virtually impossible to find, until now. Ajax Security systematically debunks today's most dangerous myths about Ajax security, illustrating key points with detailed case studies of actual exploited Ajax vulnerabilities, ranging from MySpace's Samy worm to MacWorld's conference code validator. Even more important, it delivers specific, up-to-the-minute recommendations for securing Ajax applications in each major Web programming language and environment, including .NET, Java, PHP, and even Ruby on Rails. You'll learn how to:
· Mitigate unique risks associated with Ajax, including overly granular Web services, application control flow tampering, and manipulation of program logic
· Write new Ajax code more safely—and identify and fix flaws in existing code
· Prevent emerging Ajax-specific attacks, including JavaScript hijacking and persistent storage theft
· Avoid attacks based on XSS and SQL Injection—including a dangerous SQL Injection variant that can extract an entire backend database with just two requests
· Leverage security built into Ajax frameworks like Prototype, Dojo, and ASP.NET AJAX Extensions—and recognize what you still must implement on your own
· Create more secure "mashup" applications
Ajax Security will be an indispensable resource for developers coding or maintaining Ajax applications; architects and development managers planning or designing new Ajax software; and all software security professionals, from QA specialists to penetration testers.
Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast
Recipes cover the basics from observing messages between clients and servers to multi-phase tests that script the login and execution of web application features. By the end of the book, you'll be able to build tests pinpointed at Ajax functions, as well as large multi-step tests for the usual suspects: cross-site scripting and injection attacks. This book helps you:
* Obtain, install, and configure useful (and free) security testing tools
* Understand how your application communicates with users, so you can better simulate attacks in your tests
* Choose from many different methods that simulate common attacks such as SQL injection, cross-site scripting, and manipulating hidden form fields
* Make your tests repeatable by using the scripts and examples in the recipes as starting points for automated tests
Don't live in dread of the midnight phone call telling you that your site has been hacked. With Web Security Testing Cookbook and the free tools used in the book's examples, you can incorporate security coverage into your test suite, and sleep in peace.
Innocent Code: A Security Wake-Up Call for Web Programmers
Peter G. Neumann, Author of Computer-Related Risks, and moderator of the Internet Risks Forum (risks.org).
This concise and practical book will show where code vulnerabilities lie and how best to fix them. Its value is in showing where code may be exploited to gain access to, or break, systems, but without delving into specific architectures, programming or scripting languages or applications. It provides illustrations with real code. Innocent Code is an entertaining read showing how to change your mindset from website construction to website destruction so as to avoid writing dangerous code. Abundant examples from susceptible sites will bring the material alive and help you to guard against:
· SQL Injection, shell command injection and other attacks based on mishandling meta-characters
· bad input
· cross-site scripting
· attackers who trick users into performing actions
· leakage of server-side secrets
· hidden enemies such as project deadlines, salesmen, messy code and tight budgets
All web programmers need to take precautions against producing websites vulnerable to malicious attack. This is the book which tells you how without trying to turn you into a security specialist.
Designing Network Security
Cracking Drupal: A Drop in the Bucket
Version Control with Git: Powerful Tools and Techniques for Collaborative Software Development
Git permits virtually an infinite variety of methods for development and collaboration. Created by Linus Torvalds to manage development of the Linux kernel, it's become the principal tool for distributed version control. But Git's flexibility also means that some users don't understand how to use it to their best advantage. Version Control with Git offers tutorials on the most effective ways to use it, as well as friendly yet rigorous advice to help you navigate Git's many functions. With this book, you will:
* Learn how to use Git in several real-world development environments
* Gain insight into Git's common-use cases, initial tasks, and basic functions
* Understand how to use Git for both centralized and distributed version control
* Use Git to manage patches, diffs, merges, and conflicts
* Acquire advanced techniques such as rebasing, hooks, and ways to handle submodules (subprojects)
* Learn how to use Git with Subversion
Git has earned the respect of developers around the world. Find out how you can benefit from this amazing tool with Version Control with Git.
Absolute FreeBSD: The Complete Guide to FreeBSD, 2nd Edition
Absolute FreeBSD, 2nd Edition is your complete guide to FreeBSD, written by FreeBSD committer Michael W. Lucas. Lucas considers this completely revised and rewritten second edition of his landmark work to be his best work ever; a true product of his love for FreeBSD and the support of the FreeBSD community. Absolute FreeBSD, 2nd Edition covers installation, networking, security, network services, system performance, kernel tweaking, filesystems, SMP, upgrading, crash debugging, and much more, including coverage of how to:
* Use advanced security features like packet filtering, virtual machines, and host-based intrusion detection
* Build custom live FreeBSD CDs and bootable flash
* Manage network services and filesystems
* Use DNS and set up email, IMAP, web, and FTP services for both servers and clients
* Monitor your system with performance-testing and troubleshooting tools
* Run diskless systems
* Manage schedulers, remap shared libraries, and optimize your system for your hardware and your workload
* Build custom network appliances with embedded FreeBSD
* Implement redundant disks, even without special hardware
* Integrate FreeBSD-specific SNMP into your network management system
Whether you're just getting started with FreeBSD or you've been using it for years, you'll find this book to be the definitive guide to FreeBSD that you've been waiting for.
Spring Recipes: A Problem-Solution Approach
Spring Recipes covers Spring 2.5 from basic to advanced, including the Spring IoC container, Spring AOP and AspectJ, Spring data access support, Spring transaction management, Spring Web and Portlet MVC, Spring testing support, and Spring support for remoting, EJB, JMS, JMX, E-mail, scheduling, and scripting languages. This book also introduces several common Spring Portfolio projects that will bring significant value to your application development, including Spring Security, Spring Web Flow, and Spring Web Services. The topics in this book are introduced by complete and real-world code examples that you can follow step by step. Instead of abstract descriptions of complex concepts, you will find live examples in this book. When you start a new project, you can consider copying the code and configuration files from this book, and then modifying them for your needs. This can save you a great deal of work over creating a project from scratch.
What you'll learn
• Installing the Spring framework and Spring IDE, using the Spring IoC container and the Spring application context.
• Understanding AOP concepts, using classic and new Spring AOP, integrating Spring with AspectJ, and load-time weaving aspects.
• Using Spring to simplify data access (with JDBC, Hibernate, and JPA) and manage transactions programmatically and declaratively.
• Building web applications and portlets with Spring Web MVC and Portlet MVC, and integrating Spring with Struts, JSF, and DWR.
• Understanding the unit testing and integration testing concepts, and Spring's unit and integration testing support (on JUnit 3.8, JUnit 4, and TestNG).
• Using Spring's support for remoting technologies (RMI, Hessian, Burlap, and HTTP Invoker), EJB, JMS, JMX, E-mail, scheduling, and scripting languages.
• Understanding security concepts (authentication, authorization, and access control), and securing web applications using Spring Security.
• Managing complex web application page flows using Spring Web Flow, and integrating Spring Web Flow with JSF.
• Exposing contract-last web services using XFire, and developing contract-first web services using Spring Web Services.
Who this book is for
This book is for Java developers who would like to rapidly gain hands-on experience with Java/Java EE development using the Spring framework. If you are already a developer using Spring in your projects, you can also use this book as a reference, and you'll find the code examples very useful. You don't need much Java EE experience to read this book. However, it assumes that you know the basics of object-oriented programming with Java (e.g., creating a class/interface, implementing an interface, extending a base class, running a main class, setting up your classpath, and so on). It also assumes you have basic knowledge of web and database concepts and know how to create dynamic web pages and query databases with SQL statements.

Applied Security Visualization
“Collecting log data is one thing, having relevant information is something else. The art to transform all kinds of log data into meaningful security information is the core of this book. Raffy illustrates in a straightforward way, and with hands-on examples, how such a challenge can be mastered. Let's get inspired.” –Andreas Wuchner, Head of Global IT Security, Novartis
Use Visualization to Secure Your Network Against the Toughest, Best-Hidden Threats
As networks become ever more complex, securing them becomes more and more difficult. The solution is visualization. Using today’s state-of-the-art data visualization techniques, you can gain a far deeper understanding of what’s happening on your network right now. You can uncover hidden patterns of data, identify emerging vulnerabilities and attacks, and respond decisively with countermeasures that are far more likely to succeed than conventional methods. In Applied Security Visualization, leading network security visualization expert Raffael Marty introduces all the concepts, techniques, and tools you need to use visualization on your network. You’ll learn how to identify and utilize the right data sources, then transform your data into visuals that reveal what you really need to know. Next, Marty shows how to use visualization to perform broad network security analyses, assess specific threats, and even improve business compliance. He concludes with an introduction to a broad set of visualization tools. The book’s CD also includes DAVIX, a compilation of freely available tools for security visualization.
You'll learn how to:
• Intimately understand the data sources that are essential for effective visualization
• Choose the most appropriate graphs and techniques for your IT data
• Transform complex data into crystal-clear visual representations
• Iterate your graphs to deliver even better insight for taking action
• Assess threats to your network perimeter, as well as threats imposed by insiders
• Use visualization to manage risks and compliance mandates more successfully
• Visually audit both the technical and organizational aspects of information and network security
• Compare and master today’s most useful tools for security visualization
Contains the live CD Data Analysis and Visualization Linux (DAVIX). DAVIX is a compilation of powerful tools for visualizing networks and assessing their security. DAVIX runs directly from the CD-ROM, without installation.
Raffael Marty is chief security strategist and senior product manager for Splunk, the leading provider of large-scale, high-speed indexing and search technology for IT infrastructures. As customer advocate and guardian, he focuses on using his skills in data visualization, log management, intrusion detection, and compliance. An active participant on industry standards committees such as CEE (Common Event Expression) and OVAL (Open Vulnerability and Assessment Language), Marty created the Thor and AfterGlow automation tools, and founded the security visualization portal secviz.org. Before joining Splunk, he managed the solutions team at ArcSight, served as IT security consultant for PriceWaterhouseCoopers, and was a member of the IBM Research Global Security Analysis Lab.

Running Xen: A Hands-On Guide to the Art of Virtualization
—Ian Pratt, Xen Project Leader, VP Advanced Technology, Citrix Systems
The Real-World, 100% Practical Guide to Xen Virtualization in Production Environments
Using free, open source Xen virtualization software, you can save money, gain new flexibility, improve utilization, and simplify everything from disaster recovery to software testing. Running Xen brings together all the knowledge you need to create and manage high-performance Xen virtual machines in any environment. Drawing on the unparalleled experience of a world-class Xen team, it covers everything from installation to administration—sharing field-tested insights, best practices, and case studies you can find nowhere else. The authors begin with a primer on virtualization: its concepts, uses, and advantages. Next, they tour Xen’s capabilities, explore the Xen LiveCD, introduce the Xen hypervisor, and walk you through configuring your own hard-disk-based Xen installation. After you’re running, they guide you through each leading method for creating “guests” and migrating existing systems to run as Xen guests. Then they offer comprehensive coverage of managing and securing Xen guests, devices, networks, and distributed resources. Whether you’re an administrator, data center manager, developer, system integrator, or ISP, Running Xen will help you achieve your goals with Xen: reliably, efficiently, with outstanding performance, and at a surprisingly low cost.
• Understanding the Xen hypervisor: what it does, and how it works
• Using pre-built system images, including compressed file systems
• Managing domains with the xm console
• Populating and storing guest images
• Planning, designing, and configuring networks in Xen
• Utilizing Xen security: special purpose VMs, virtual network segments, remote access, firewalls, network monitors, sHype access control, Xen Security Modules (XSM), and more
• Managing guest resources: memory, CPU, and I/O
• Employing Xen in the enterprise: tools, products, and techniques

Java Generics and Collections
Java Generics and Collections covers everything from the most basic uses of generics to the strangest corner cases. It teaches you everything you need to know about the collections libraries, so you'll always know which collection is appropriate for any given task, and how to use it. Topics covered include:
• Fundamentals of generics: type parameters and generic methods
• Other new features: boxing and unboxing, foreach loops, varargs
• Subtyping and wildcards
• Evolution not revolution: generic libraries with legacy clients and generic clients with legacy libraries
• Generics and reflection
• Design patterns for generics
• Sets, Queues, Lists, Maps, and their implementations
• Concurrent programming and thread safety with collections
• Performance implications of different collections
Generics and the new collection libraries they inspired take Java to a new level. If you want to take your software development practice to a new level, this book is essential reading.
Philip Wadler is Professor of Theoretical Computer Science at the University of Edinburgh, where his research focuses on the design of programming languages. He is a co-designer of GJ, work that became the basis for generics in Sun's Java 5.0. Maurice Naftalin is Technical Director at Morningside Light Ltd., a software consultancy in the United Kingdom. He has most recently served as an architect and mentor at NSB Retail Systems plc, and as the leader of the client development team of a major UK government social service system.
"A brilliant exposition of generics. By far the best book on the topic, it provides a crystal clear tutorial that starts with the basics and ends leaving the reader with a deep understanding of both the use and design of generics." Gilad Bracha, Java Generics Lead, Sun Microsystems

Hacking Exposed: Network Security Secrets and Solutions, Sixth Edition
"Right now you hold in your hand one of the most successful security books ever written. Rather than being a sideline participant, leverage the valuable insights Hacking Exposed 6 provides to help yourself, your company, and your country fight cyber-crime." —From the Foreword by Dave DeWalt, President and CEO, McAfee, Inc.
"For security to be successful in any company, you must ‘think evil' and be attuned to your ‘real risk'...Hacking Exposed 6 defines both." —Patrick Heim, CISO, Kaiser Permanente
"The definitive resource to understanding the hacking mindset and the defenses against it." —Vince Rossi, CEO & President, St. Bernard Software
"Identity theft costs billions every year and unless you understand the threat, you will be destined to be a victim of it. Hacking Exposed 6 gives you the tools you need to prevent being a victim." —Bill Loesch, CTO, Guard ID Systems
"This book is current, comprehensive, thoughtful, backed by experience, and appropriately free of vendor bias: prized features for any security practitioner in need of information." —Kip Boyle, CISO, PEMCO Mutual Insurance Company
"The Hacking Exposed series has become the definitive reference for security professionals from the moment it was first released, and the 6th edition maintains its place on my bookshelf." —Jeff Moss, Founder of the popular Black Hat Security Conference
Meet the formidable demands of security in today's hyperconnected world with expert guidance from the world-renowned Hacking Exposed team. Following the time-tested "attack-countermeasure" philosophy, this 10th anniversary edition has been fully overhauled to cover the latest insidious weapons in the hacker's extensive arsenal.
New and updated material:
• New chapter on hacking hardware, including lock bumping, access card cloning, RFID hacks, USB U3 exploits, and Bluetooth device hijacking
• Updated Windows attacks and countermeasures, including new Vista and Server 2008 vulnerabilities and Metasploit exploits
• The latest UNIX Trojan and rootkit techniques and dangling pointer and input validation exploits
• New wireless and RFID security tools, including multilayered encryption and gateways
• All-new tracerouting and eavesdropping techniques used to target network hardware and Cisco devices
• Updated DoS, man-in-the-middle, DNS poisoning, and buffer overflow coverage
• VPN and VoIP exploits, including Google and TFTP tricks, SIP flooding, and IPsec hacking
• Fully updated chapters on hacking the Internet user, web hacking, and securing code

The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers
Rebel Code: Linux and the Open Source Revolution
The open source saga has many fascinating chapters. It is partly the story of Linus Torvalds, the master hacker who would become chief architect of the Linux operating system. It is also the story of thousands of devoted programmers around the world who spontaneously worked in tandem to complete the race to shape Linux into the ultimate killer app. Rebel Code traces the remarkable roots of this unplanned revolution. It echoes the twists and turns of Linux's improbable development, as it grew through an almost biological process of accretion and finally took its place at the heart of a jigsaw puzzle that would become the centerpiece of open source. With unprecedented access to the principal players, Moody has written a powerful tale of individual innovation versus big business. Rebel Code provides a from-the-trenches perspective and looks ahead to how open source is challenging long-held conceptions of technology, commerce, and culture.

Head First JavaScript
With Head First JavaScript, you learn:
• The basics of programming, from variables to types to looping
• How the web browser runs your code, and how you can talk to the browser with your code
• Why you'll never have to worry about casting, overloading, or polymorphism when you're writing JavaScript code
• How to use the Document Object Model to change your web pages without making your users click buttons
If you've ever read a Head First book, you know what to expect — a visually rich format designed for the way your brain works. Head First JavaScript is no exception. It starts where HTML and CSS leave off, and takes you through your first program into more complex programming concepts — like working directly with the web browser's object model and writing code that works on all modern browsers. Don't be intimidated if you've never written a line of code before! In typical Head First style, Head First JavaScript doesn't skip steps, and we're not interested in having you cut and paste code. You'll learn JavaScript, understand it, and have a blast along the way. So get ready... dynamic and exciting web pages are just pages away.

Snort Cookbook
Each recipe in the popular and practical problem-solution-discussion O'Reilly cookbook format contains a clear and thorough description of the problem, a concise but complete discussion of a solution, and real-world examples that illustrate that solution. The Snort Cookbook covers important issues that sys admins and security pros will use every day, such as:
• installation
• optimization
• logging
• alerting
• rules and signatures
• detecting viruses
• countermeasures
• detecting common attacks
• administration
• honeypots
• log analysis
But the Snort Cookbook offers far more than quick cut-and-paste solutions to frustrating security issues. Those who learn best in the trenches—and don't have the hours to spare to pore over tutorials or troll online for best-practice snippets of advice—will find that the solutions offered in this ultimate Snort sourcebook not only solve immediate problems quickly, but also showcase the best tips and tricks they need to master to be security gurus—and still have a life.

Secure Architectures with OpenBSD
"The OpenBSD system intimidates many administrators who would benefit from using it. This book lets people start much higher up on the curve. Secure Architectures with OpenBSD not only presents the hows, but also shows some of the whys that only insiders know."—Mike Frantzen, NFR Security "Secure Architectures with OpenBSD explains all of the tasks an administrator has to know about to successfully maintain an OpenBSD server. It helps the reader save time by condensing the vast amount of information available in man pages into a compact form, reducing unneeded information, and explaining other things in much more detail and prose than a man page can afford."—Daniel Hartmeier, the OpenBSD Project "This book will become the de facto text for OpenBSD administration. Unix and BSD books abound, but none cover OpenBSD with the clarity and expertise of Palmer and Nazario. They explain the optimal way to configure and administer your OpenBSD machines, with a keen eye to security at all stages."—Brian Hatch, coauthor of Hacking Exposed Linux and Building Linux Virtual Private Networks Descended from BSD, OpenBSD is a popular choice for those who demand stability and security from their operating system. No code goes into OpenBSD without first undergoing a rigorous security check, making it a terrific choice for Web servers, VPNs, and firewalls. Secure Architectures with OpenBSD is the insider's guide to building secure systems using OpenBSD. Written by Brandon Palmer and Jose Nazario, this book is a how-to for system and network administrators who need to move to a more secure operating system and a reference for seasoned OpenBSD users who want to fully exploit every feature of the system. After getting readers started with OpenBSD, the authors explain system configuration and administration, then explore more exotic hardware and advanced topics. Every chapter of the book addresses the issue of security because security is integrated into almost every facet of OpenBSD. 
Examples appear throughout the book, and the authors provide source code and system details unavailable anywhere else. This goes well beyond the basics and gives readers information they will need long after they have installed the system. Key topic coverage includes:
• Installation and upgrade details
• Basic system usage in OpenBSD versus other Unix systems
• Third-party software via packages and the ports tree
• SMTP services in OpenBSD
• Web services with Apache
• Using OpenBSD as a firewall
• OpenBSD as a Kerberos V client and server
• Use of IPsec
• Configuration and use of IPv6
• Network intrusion detection
Secure Architectures with OpenBSD takes you inside OpenBSD, giving you the insights and expertise no system manual can provide. The companion Web site tracks advances and changes made to the operating system, and it contains updates to the book and working code samples.

TCP/IP Unleashed
Linux: The Complete Reference, Fifth Edition
Fundamental Networking in Java
After reading this book the reader will have an advanced knowledge of fundamental network design and programming concepts in the Java language, enabling them to design and implement distributed applications with advanced features and to predict their performance. Special emphasis is given to the scalable I/O facilities of Java 1.4 as well as complete treatments of multi-homing and UDP, both unicast and multicast.

Hacker's Challenge 3: 20 Brand New Forensic Scenarios & Solutions
Every day, hackers are devising new ways to break into your network. Do you have what it takes to stop them? Find out in Hacker’s Challenge 3. Inside, top-tier security experts offer 20 brand-new, real-world network security incidents to test your computer forensics and response skills. All the latest hot-button topics are covered, including phishing and pharming scams, internal corporate hacking, Cisco IOS, wireless, iSCSI storage, VoIP, Windows, Mac OS X, and UNIX/Linux hacks, and much more. Each challenge includes a detailed explanation of the incident—how the break-in was detected, evidence and clues, technical background such as log files and network maps, and a series of questions for you to solve. In Part II, you’ll get a detailed analysis of how the experts solved each incident.

Backup & Recovery: Inexpensive Backup Solutions for Open Systems
Backup & Recovery starts with a complete overview of backup philosophy and design, including the basic backup utilities of tar, dump, cpio, ntbackup, ditto, and rsync. It then explains several open source backup products that automate backups using those utilities, including AMANDA, Bacula, BackupPC, rdiff-backup, and rsnapshot. Backup & Recovery then explains how to perform bare metal recovery of AIX, HP-UX, Linux, Mac OS, Solaris, VMWare, & Windows systems using freely-available utilities. The book also provides overviews of the current state of the commercial backup software and hardware market, including overviews of CDP, Data De-duplication, D2D2T, and VTL technology. Finally, it covers how to automate the backups of DB2, Exchange, MySQL, Oracle, PostgreSQL, SQL-Server, and Sybase databases - without purchasing a commercial backup product to do so. For environments of all sizes and budgets, this unique book shows you how to ensure data protection without resorting to expensive commercial solutions. You will soon learn to:
• Automate the backup of popular databases without a commercial utility
• Perform bare metal recovery of any popular open systems platform, including your PC or laptop
• Utilize valuable but often unknown open source backup products
• Understand the state of commercial backup software, including explanations of CDP and data de-duplication software
• Access the current state of backup hardware, including Virtual Tape Libraries (VTLs)

Cisco PIX Firewalls: configure / manage / troubleshoot
* The Cisco Pix firewall is the #1 market leading firewall, owning 43% market share. Cisco released completely re-designed version 7 of the Pix operating system in the first quarter of 2004.
* "Cisco Pix Firewalls: configure | manage | troubleshoot" covers all objectives on the new Cisco Pix certification exam, making this book the perfect study guide in addition to professional reference.

ModSecurity Handbook
Real World Research: A Resource for Social Scientists and Practitioner-Researchers
Includes new examples from applied psychology, applied social science, health studies, social work and education. Provides more coverage of qualitative methods. Pedagogical material has been updated to include a glossary and detailed cross-referencing across chapters. Bases the quantitative analysis section around version 10 of SPSS and the section on qualitative analysis around the NUD*IST software. Situates material more clearly within theoretical conceptualizations of the nature of social science research, pointing to the advantages of a critical realist approach. For sample chapters please visit www.blackwellpublishing.com/robson

Linux Email: Set Up and Run a Small Office Email Server
In Detail
Many businesses want to run their email servers on Linux, but getting started can be complicated. The attractiveness of a free-to-use and robust email service running on Linux can be undermined by the apparent technical challenges involved. Some of the complexity arises from the fact that an email server consists of several components that must be installed and configured separately, then integrated together. Unlike other approaches that deal with one component at a time, this book gives you a basic knowledge across all the server components, leaving you with a complete working email server for your small business network. Based entirely on free, Open Source software, you will see how to protect your server from spam and viruses, offer web access for remote access, and secure your installation with regular backups.
What you will learn from this book
• Setting up and running a Linux-based email server
• Key information about installing, configuring, and using PostFix, Courier, SquirrelMail, ProcMail, ClamAV, and SpamAssassin
• Securing and protecting your installation from viruses, spam, intruders, and hardware failure
Approach
The book takes a practical, step-by-step approach to working with email. We start by establishing the basics, so that your users can send and receive their email in their favourite email client. We then move on to look at providing web access, so that users can access their email out of the office. After this we look at the features you'll want to add to improve email productivity: virus protection, spam detection, and automatic email processing. Finally we look at an essential maintenance task: backups.
Who this book is written for
This book is aimed at 'unofficial' sysadmins in small businesses, who want to set up a Linux-based email server without spending a lot of time becoming expert in the individual applications.

Dojo: The Definitive Guide
Dojo provides an end-to-end solution for development in the browser, including everything from the core JavaScript library and turnkey widgets to build tools and a testing framework. Its vibrant open source community keeps adding to Dojo's arsenal, and this book provides an ideal companion to Dojo's official documentation. Dojo: the Definitive Guide gives you the most thorough overview of this toolkit available, showing you everything from how to create complex layouts and form controls closely resembling those found in the most advanced desktop applications with stock widgets, to advanced JavaScript idioms to AJAX and advanced communication transports. With this definitive reference you get:
• A concise introduction to Dojo that's good for all 1.x versions
• Well-explained examples, with scores of tested code samples, that let you see Dojo in action
• A comprehensive reference to Dojo's standard JavaScript library (including fundamental utilities in Base, Dojo's tiny but powerful kernel) that you'll wonder how you ever lived without
• An extensive look at additional Core features, such as animations, drag-and-drop, back-button handling, animations like wipe and slide, and more
• Exhaustive coverage of out-of-the-box Dijits (Dojo widgets) as well as definitive coverage on how to create your own, either from scratch or building on existing ones
• An itemized inventory of DojoX subprojects, the build tools, and the DOH, Dojo's unit-testing framework that you can use with Dojo — or anywhere else
If you're a DHTML-toting web developer, you need to read this book — whether you're a one-person operation or part of an organization employing scores of developers. Dojo packs the standard JavaScript library you've always wanted, and Dojo: The Definitive Guide helps you transform your ideas into working applications quickly by leveraging design concepts you already know.

Schneier on Security
Security Patterns: Integrating Security and Systems Engineering
For more information visit www.securitypatterns.org

Web 2.0 Security - Defending AJAX, RIA, AND SOA
Operating System Concepts with JAVA (6th) Sixth Edition
Software Engineering:
Cryptography and Network Security: Principles and Practice
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
The topics covered include bypassing login mechanisms, injecting code, exploiting logic flaws and compromising other users. Because every web application is different, attacking them entails bringing to bear various general principles, techniques and experience in an imaginative way. The most successful hackers go beyond this, and find ways to automate their bespoke attacks. This handbook describes a proven methodology that combines the virtues of human intelligence and computerized brute force, often with devastating results. The authors are professional penetration testers who have been involved in web application security for nearly a decade. They have presented training courses at the Black Hat security conferences throughout the world. Under the alias "PortSwigger", Dafydd developed the popular Burp Suite of web application hack tools.

Hardening Linux
Spring in Action
Spring is a lightweight container framework that represents an exciting way to build enterprise components with simple Java objects. By employing dependency injection and AOP, Spring encourages loosely coupled code and enables plain-old Java objects with capabilities that were previously reserved for EJBs. This book is a hands-on, example-driven exploration of the Spring Framework. Combining short code snippets and an ongoing example developed throughout the book, it shows readers how to build simple and efficient J2EE applications, how to solve persistence problems, handle asynchronous messaging, create and consume remote services, build web applications, and integrate with most popular web frameworks. Readers will learn how to use Spring to write simpler, easier to maintain code so they can focus on what really matters— critical business needs. Spring in Action, 2E is for Java developers who are looking for ways to build enterprise-grade applications based on simple Java objects, without resorting to more complex and invasive EJBs. Even hard-core EJB users will find this book valuable as Spring in Action, 2E will describe ways to use EJB components alongside Spring. Software architects will also find Spring in Action, 2E useful as they assess and apply lightweight techniques prescribed by Spring and learn how Spring can be applied at the various layers of enterprise applications.

Chained Exploits: Advanced Hacking Attacks from Start to Finish
Nowadays, it’s rare for malicious hackers to rely on just one exploit or tool; instead, they use “chained” exploits that integrate multiple forms of attack to achieve their goals. Chained exploits are far more complex and far more difficult to defend. Few security or hacking books cover them well and most don’t cover them at all. Now there’s a book that brings together start-to-finish information about today’s most widespread chained exploits: both how to perform them and how to prevent them. Chained Exploits demonstrates this advanced hacking attack technique through detailed examples that reflect real-world attack strategies, use today’s most common attack tools, and focus on actual high-value targets, including credit card and healthcare data. Relentlessly thorough and realistic, this book covers the full spectrum of attack avenues, from wireless networks to physical access and social engineering. Writing for security, network, and other IT professionals, the authors take you through each attack, one step at a time, and then introduce today’s most effective countermeasures— both technical and human.
Coverage includes:
• Constructing convincing new phishing attacks
• Discovering which sites other Web users are visiting
• Wreaking havoc on IT security via wireless networks
• Disrupting competitors’ Web sites
• Performing, and preventing, corporate espionage
• Destroying secure files
• Gaining access to private healthcare records
• Attacking the viewers of social networking pages
• Creating entirely new exploits
• and more
Andrew Whitaker, Director of Enterprise InfoSec and Networking for Training Camp, has been featured in The Wall Street Journal and BusinessWeek. He coauthored Penetration Testing and Network Defense. Andrew was a winner of EC Council’s Instructor of Excellence Award. Keatron Evans is President and Chief Security Consultant of Blink Digital Security, LLC, a trainer for Training Camp, and winner of EC Council’s Instructor of Excellence Award. Jack B. Voth specializes in penetration testing, vulnerability assessment, and perimeter security. He co-owns The Client Server, Inc., and teaches for Training Camp throughout the United States and abroad.

The Art of Software Security Testing: Identifying Software Security Flaws
–Gary McGraw, Ph.D., CTO, Cigital; Author, Software Security, Exploiting Software, Building Secure Software, and Software Fault Injection; www.cigital.com/~gem

“As 2006 closes out, we will see over 5,000 software vulnerabilities announced to the public. Many of these vulnerabilities were, or will be, found in enterprise applications from companies who are staffed with large, professional QA teams. How then can it be that these flaws consistently continue to escape even well-structured, diligent testing? The answer, in part, is that testing still by and large only scratches the surface when validating the presence of security flaws. Books such as this hopefully will start to bring a more thorough level of understanding to the arena of security testing and make us all a little safer over time.”
–Alfred Huger, Senior Director, Development, Symantec Corporation

“Software security testing may indeed be an art, but this book provides the paint-by-numbers to perform good, solid, and appropriately destructive security testing: proof that an ounce of creative destruction is worth a pound of patching later. If understanding how software can be broken is step one in every programmer’s twelve-step program to defensible, secure, robust software, then knowledgeable security testing comprises at least steps two through six.”
–Mary Ann Davidson, Chief Security Officer, Oracle

“Over the past few years, several excellent books have come out teaching developers how to write more secure software by describing common security failure patterns. However, none of these books have targeted the tester whose job it is to find the security problems before they make it out of the R&D lab and into customer hands. Into this void comes The Art of Software Security Testing: Identifying Software Security Flaws. The authors, all of whom have extensive experience in security testing, explain how to use free tools to find the problems in software, giving plenty of examples of what a software flaw looks like when it shows up in the test tool. The reader learns why security flaws are different from other types of bugs (we want to know not only that ‘the program does what it’s supposed to,’ but also that ‘the program doesn’t do that which it’s not supposed to’), and how to use the tools to find them. Examples are primarily based on C code, but some description of Java, C#, and scripting languages helps for those environments. The authors cover both Windows and UNIX-based test tools, with plenty of screenshots to see what to expect. Anyone who’s doing QA testing on software should read this book, whether as a refresher for finding security problems, or as a starting point for QA people who have focused on testing functionality.”
–Jeremy Epstein, WebMethods

State-of-the-Art Software Security Testing: Expert, Up to Date, and Comprehensive

The Art of Software Security Testing delivers in-depth, up-to-date, battle-tested techniques for anticipating and identifying software security problems before the “bad guys” do. Drawing on decades of experience in application and penetration testing, this book’s authors can help you transform your approach from mere “verification” to proactive “attack.” The authors begin by systematically reviewing the design and coding vulnerabilities that can arise in software, and offering realistic guidance in avoiding them. Next, they show you ways to customize software debugging tools to test the unique aspects of any program and then analyze the results to identify exploitable vulnerabilities.

Coverage includes
* Tips on how to think the way software attackers think to strengthen your defense strategy
* Cost-effectively integrating security testing into your development lifecycle
* Using threat modeling to prioritize testing based on your top areas of risk
* Building testing labs for performing white-, grey-, and black-box software testing
* Choosing and using the right tools for each testing project
* Executing today’s leading attacks, from fault injection to buffer overflows
* Determining which flaws are most likely to be exploited by real-world attackers

This book is indispensable for every technical professional responsible for software security: testers, QA specialists, security professionals, developers, and more. For IT managers and leaders, it offers a proven blueprint for implementing effective security testing or strengthening existing processes.

Foreword xiii
Preface xvii
Acknowledgments xxix
About the Authors xxxi
Part I: Introduction
Chapter 1: Case Your Own Joint: A Paradigm Shift from Traditional Software Testing 3
Chapter 2: How Vulnerabilities Get Into All Software 19
Chapter 3: The Secure Software Development Lifecycle 55
Chapter 4: Risk-Based Security Testing: Prioritizing Security Testing with Threat Modeling 73
Chapter 5: Shades of Analysis: White, Gray, and Black Box Testing 93
Part II: Performing the Attacks
Chapter 6: Generic Network Fault Injection 107
Chapter 7: Web Applications: Session Attacks 125
Chapter 8: Web Applications: Common Issues 141
Chapter 9: Web Proxies: Using WebScarab 169
Chapter 10: Implementing a Custom Fuzz Utility 185
Chapter 11: Local Fault Injection 201
Part III: Analysis
Chapter 12: Determining Exploitability 233
Index 251

Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks