Book review: How to Break Software

How to Break Software: A Practical Guide to Testing, by James Whittaker

James Whittaker is a well-known figure in software testing (at least in past years; he has since moved on to other interests) and later managed testing at Microsoft and Google, but that came afterwards. At the time of writing, James was a professor of software engineering at the Florida Institute of Technology.

The facts:

The book How to Break Software is another catching-up book for me, on the road to reading some of the software testing classics. The book was written in 2002 and was designed to be a book not about theory but about “how good testers actually do testing”; according to the author, the audience is testers at all levels.

The book concentrates on how to break software (“We are not breaking software but the illusion that the software is doing what people want,” as James Bach says, more or less; I didn’t find the original quote) on a few levels:

  • User Interface attacks:

    • Inputs and Outputs;

    • Data and computation.

  • System Interface attacks:

    • File system interface;

    • Software/OS interface.

Each chapter has a few attacks (23 altogether), and each attack has a detailed explanation:

  • When to apply this attack;

  • What software faults make this attack successful;

  • How to determine if this attack exposes failures;

  • How to conduct this attack, usually with real-life bugs.

A list of the attacks can be found here.

The book comes with a CD containing a program designed to help with attacks that need a complicated setup, such as a full hard disk.

The opinions:

I know the book got mostly good reviews, including one by James Bach on Amazon (if it is authentic). According to that review, this book is revolutionary because it “gives us strategies for actually finding problems.” An acquaintance of mine said, “Very short book with proven bug-finding techniques. Fun read, and very practical.” I agree, and moreover, you can read each attack at your leisure rather than as a continuous read. Also, each attack has good explanations.

But that was true in 2002. Is the book still relevant today?

Most attacks are:

An example of an attack is attack 4, Overflow input buffers. It is still relevant, and there is an explanation of its cause.

But attack 10, Force the screen to refresh, I’m not sure is still relevant today.

When a book deals with methodologies and managerial tips, it can stay relevant for a long time. When a book is very detailed about specific technology, it might be great for its time, but not so much for later times.

The discussions about each attack are too long. Some of the detail, to be sure, does reveal interesting information, but as a whole the book could be much shorter.

Another disadvantage is that the book doesn’t “know” about virtual machines, mobile devices, and other newer technologies. The examples are on old MS Office products, and the links to resources are broken. But maybe the biggest drawback is that the attached program, Canned Heat, an essential part of the product and one on which some attacks are based, doesn’t work on Windows 10.


I think the book has interesting information. Even today there aren’t many books that are so detailed about finding bugs. However, today you can find cheat sheets and heuristics in abundance on the internet. The book is outdated, and there are many other books and articles on the internet I would recommend reading before this one.
