Five Thumbs Up

Dr. Dobb's Journal November, 2005

By Gregory V. Wilson

Greg is a DDJ contributing editor, and can be reached at gvwilson@ddj.com. His most recent book is Data Crunching: Solve Everyday Problems Using Java, Python, and More.

The Software Vulnerability Guide
Herbert H. Thompson and Scott G. Chase
Charles River Media, 2005
354 pp., $49.95
ISBN 1584503580

Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks
Michal Zalewski
No Starch Press, 2005
312 pp., $39.95
ISBN 1593270461

Imperfect XML: Rants, Raves, Tips, and Tricks... From an Insider
David Megginson
Addison-Wesley, 2005
229 pp., $39.95
ISBN 0131453491

Higher Order Perl: Transforming Programs with Programs
Mark Jason Dominus
Morgan Kaufmann, 2005
600 pp., $59.95
ISBN 1558607013

Regular Expression Recipes: A Problem-Solution Approach
Nathan A. Good
Apress, 2005
285 pp., $34.95
ISBN 159059441X

It's been another good summer for books—or maybe it's just that what I've been learning as I try to stay one lecture ahead of the students in my web-programming course looks good compared to the drywall dust and gaping holes that are the only fruit to date of our house renovations. Whatever the reason, this month's column has five thumbs-up recommendations.

At the top of the list is Herbert Thompson and Scott Chase's Software Vulnerability Guide. It doesn't really matter what you're working on, or where in the software production food chain—excuse me, lifecycle—you sit. You really need to put down whatever you're doing and go and read this book. After three introductory chapters (which contain much less fluff than those in most books), the authors walk through each major family of security holes one by one: faulty permission models, bad passwords, macros, dynamic linking and loading, buffer overflow, format strings and various injection attacks, temporary files, spoofing, and more. Each problem is explained in clear prose that never talks down to the reader, and each chapter ends with a brief summary of the problem, its potential impact, where and how to look for it, and some pointers to exploits that have made use of it. If, like most of us, you know less about security than you ought to, this is the book you've been looking for.

If I had to pick three adjectives to describe Michal Zalewski's Silence on the Wire, "quirky" and "self-indulgent" would be the second and third: Zalewski wanders all over the map at times, and spends more words than he should on things that anyone capable of understanding this book will already know. However, the first adjective would be "thought-provoking," and that's what earns this book its thumbs-up. Zalewski's concern is how much information can be harvested from computer systems simply by watching them. Typing rhythms, workload patterns, and data left behind in memory or on disk are just a few of the opportunities for passive surveillance that he covers. While some of these may seem too esoteric to be practically useful, when taken together, they paint a sobering picture of just how hard it is to ensure any kind of privacy in the electronic age.

David Megginson's Imperfect XML doesn't range quite as widely, and isn't quite as quirky, but it is still a very personal book. Megginson has been active in the SGML and XML communities for a long time, and was the mind behind SAX, the Simple API for XML. This book collects his thoughts on all aspects of XML, from markup styles to its use in network protocols to performance considerations. Megginson clearly has strong opinions on most of these issues, and while there were a couple of places where I would have enjoyed hearing more about the other side, his exposition and analysis were almost always level-headed and illuminating. You might not need this if you're only doing simple things with markup, but if you're planning on paddling around in the deep end of the pool, this is a good float toy to keep at hand.

Mark Jason Dominus's Higher Order Perl is similar in that respect: It's well written, and while it shouldn't be anyone's first book on Perl, everyone who claims to be an expert ought to read it. Dominus's goal is to show how ideas originally developed in the Lisp community—particularly techniques for manipulating code as if it were just another kind of data—can be exploited in Perl. Used well, these techniques allow programmers to accomplish far more than they're used to, in far less time. My only gripe about this book (which comes fully loaded with hundreds of clean, clear examples) is that the author doesn't spend nearly enough time talking about how to debug higher-order programs when they go wrong, or how to figure out what the meta-meta-meta-function you just inherited actually does.

Finally, there is Nathan Good's Regular Expression Recipes. Want to turn e-mail addresses into mailto links? Check the format of a North American phone number, a time, or a credit-card number? Do you have some comma-separated values (CSV) files to read? It's all here, solution after solution for Perl, Python, PHP, grep, and the shell. My copy is already plastered with yellow sticky notes.
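The recipes named above, worked through in Python as an added example (this is not code from Good's book or from this column). The patterns are this example's own and make stated assumptions: e-mail addresses in plain ASCII form, North American numbers under the NANP rule that area code and exchange start with 2-9, 24-hour clock times, and a card-number check that is format plus Luhn check digit only. All sample inputs are constructed for the demonstration.

```python
import csv
import html
import io
import re
from typing import Dict, List, Optional, Tuple

# Added example for the recipes the review names; the patterns and the sample
# inputs below are constructed for this demonstration, not taken from the book.

# 1. E-mail addresses in free text -> mailto links. Plain-ASCII address form
#    (no quoted local parts, no IP-literal hosts); good enough for linkifying.
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\b", re.ASCII)

def linkify_emails(text: str) -> str:
    """Escape for HTML first, then wrap each address in a mailto link.

    The order matters when the text is untrusted: html.escape neutralises any
    '<' or '"' in the surrounding text, and none of the characters an address
    may contain are altered by it, so the link substitution still matches.
    """
    return EMAIL_RE.sub(r'<a href="mailto:\1">\1</a>', html.escape(text, quote=True))

# 2. North American (NANP) phone numbers in the common written forms. Area code
#    and exchange start with 2-9; an optional leading 1 or +1 is accepted.
PHONE_RE = re.compile(
    r"(?:\+?1[-. ]?)?\(?([2-9]\d{2})\)?[-. ]?([2-9]\d{2})[-. ]?(\d{4})", re.ASCII
)

def normalize_na_phone(s: str) -> Optional[str]:
    """Return the ten digits, or None. fullmatch (not search) is deliberate:
    search would 'validate' "415-555-2671; junk" by matching a substring."""
    m = PHONE_RE.fullmatch(s.strip())
    return "".join(m.groups()) if m else None

# 3. 24-hour clock times, HH:MM or HH:MM:SS. re.ASCII keeps \d to 0-9 only.
TIME_RE = re.compile(r"([01]\d|2[0-3]):([0-5]\d)(?::([0-5]\d))?", re.ASCII)

def parse_time_24h(s: str) -> Optional[Tuple[int, int, int]]:
    m = TIME_RE.fullmatch(s.strip())
    if not m:
        return None
    hh, mm, ss = m.groups()
    return int(hh), int(mm), int(ss or 0)

# 4. Credit-card numbers: 13-19 digits after stripping spaces/dashes, plus the
#    Luhn check digit. This only says the string *could* be a card number; it
#    proves nothing about the account existing or the caller being allowed to use it.
CARD_RE = re.compile(r"\d{13,19}", re.ASCII)

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_number_plausible(s: str) -> bool:
    digits = re.sub(r"[ -]", "", s)
    return CARD_RE.fullmatch(digits) is not None and luhn_ok(digits)

# 5. CSV: use the csv module, not split(','). Quoted fields may hold commas and
#    doubled quotes, which a split-based recipe silently corrupts.
SAMPLE_CSV = 'name,email,note\n"Smith, Alice",alice@example.com,"says ""hi"""\n'

def read_csv_rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    print(linkify_emails("Contact alice@example.com for details."))
    print(normalize_na_phone("(415) 555-2671"), normalize_na_phone("415-555-2671; junk"))
    print(parse_time_24h("23:59"), parse_time_24h("24:00"))
    print(card_number_plausible("4111 1111 1111 1111"), card_number_plausible("4111 1111 1111 1112"))
    print(read_csv_rows(SAMPLE_CSV))
```

Two habits in the block are the ones that separate a recipe from a validator: anchoring with fullmatch rather than search, so trailing junk cannot ride in on a partial match, and escaping untrusted text before, not after, substituting generated markup into it.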

DDJ