
Book: Beautiful Security: Leading Security Experts Explain How They Think

Beautiful Security: Leading Security Experts Explain How They Think, by Andy Oram and John Viega.

I like computer security: it is always entertaining and insightful. This book is no exception. It offers a large panorama of security, seen from many points of view, since this is a collective work:

  • You see the subject from different angles.
  • One or two authors may be boring, but the overall content still has value.
  • It is more like reading many little books on security.
On the other hand:
  • You get many introductions and conclusions that don't add much.
  • There is no real continuity, nor an overall aim or message. It is more a collection of essays arranged and formatted to look like one story.
Some essays are really insightful:
  • Psychological security traps: certainly something you want to be aware of! How developers may come to think that security isn't a real requirement. It is somewhat also the point of "Security by Design" and "Forcing Firms to Focus", but with an emphasis on project management and process.
  • Security Metrics is also interesting. The topic resurfaces in many other essays, mostly to warn about the wrong usage of metrics, or the usage of wrong metrics.
  • The evolution of PGP is nice. It shows how far they have gone with PKI. Now it really looks like a good solution. But as with the Semantic Web, I would say that it is still waiting for wide adoption to be useful.
  • "Oh no, here comes the Lawyer" should have been developed even further. This is where I feel I lack the most insight.
  • Incident detection: this is well known today, but always good to repeat. This is concrete stuff, and where we expect improvement soon.
  • "Doing real work without real data" exposes a nice idea, worth implementing if it fits your use case. There are good references to weigh the pros and cons.
  • Casting Spells also exposes a vendor solution. It uses a combination of techniques (virtualization, signatures + AI) to secure the user's workstation. Again, it may fit some use cases.
  • Log handling is also certainly a crucial part of the puzzle.
  • ... other essays cover security breaches, honeyclients, wireless problems ...
The essays target an average reader. They don't require any knowledge of programming, cryptography or network protocols, but it will certainly help to have some background in software development. They raise awareness of many different aspects related to security.
At first, I really liked the introduction to the book: the idea that too often security is seen from the point of view of failures, as if you watched a car race only waiting to see car crashes. The promise here was to focus on how a good design is as beautiful and enjoyable as a car crash. Well, the content shows that it isn't that easy. I guess that it would then have been a book on protocol design and application architecture, subjects much harder to enjoy. Still, the intent was good.
To conclude, I would say that this book is what computer security looks like after all: there is no coherent story. But if you have to write your own security story, you will be better off knowing 16 different essays on security than a single long one.

