30 May 2011

Book: Beautiful Security: Leading Security Experts Explain How They Think

Beautiful Security: Leading Security Experts Explain How They Think, by Andy Oram and John Viega.

I like computer security: it is always entertaining and insightful. This book is no exception. It offers a large panorama on security, as seen from many points of view, since this is a collective work.

Advantages:
  • You see the subject from different angles.
  • One or two authors may be boring, but the overall content still has value.
  • It is more like reading many little books on security.
On the other hand:
  • You get many introductions and conclusions that don't add much.
  • There is no real continuity nor overall aim or message. It is more a collection of essays arranged and formatted to look like one story.
Some essays are really insightful:
  • Psychological security trap: this is certainly something that you want to be aware of! How developers may think that security isn't a real requirement. It is somehow also the point of "Security by design" and "Forcing firms to focus", but with an emphasis on project management and process.
  • Security metrics is also interesting. It resurfaces in many other essays, mostly to warn about the wrong usage of metrics or the usage of wrong metrics.
  • The evolution of PGP is nice. It shows how far they have gone with PKI. Now it really looks like a good solution. But as with the Semantic Web, I would say that it is still waiting for widespread adoption to be useful.
  • "Oh no, here comes the Lawyer" should have been even more developed. This is where I feel I lack the most insight.
  • Incident detection: This is well known today. But always good to repeat. This is concrete stuff and where we expect improvement soon.
  • "Doing real work without real data" exposes a nice idea. Worth implementing if it fits your use case. There are good references to balance pros and cons.
  • Casting spells also exposes a vendor solution. It uses a combination of techniques (virtualization, signatures + AI) to secure the user's workstation. Again, it may fit some use cases.
  • Log handling is also certainly a crucial part of the puzzle.
  • ... other essays expose security breaches, honeyclients, wireless problems ...
The essays target an average reader. They don't require any knowledge in programming, cryptography or network protocols, but it will certainly help to have some culture in software development. The book raises awareness in many different aspects related to security.
At first, I really liked the introduction of the book: the idea that too often security is seen from the point of view of the failures, like watching a car race only waiting to see car crashes. The promise here was to focus on how a good design is as beautiful and enjoyable as a car crash. Well, the content shows that it isn't that easy. I guess that it would have been a book on protocol design and application architecture, subjects much harder to enjoy. Still, the intent was good.
To conclude, I would say that this book is what computer security looks like after all: there is no coherent story. But if you have to write your own security story, you will be better off knowing 16 different essays on security than a single long one.
