REVIEW: "Beautiful Security", Andy Oram/John Viega

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Jan 4, 2010.

    BKBEASEC.RVW 20091008

    "Beautiful Security", Andy Oram/John Viega, 2009, 978-0-596-52748-8,
    %E Andy Oram
    %E John Viega
    %C 103 Morris Street, Suite A, Sebastopol, CA 95472
    %D 2009
    %G 978-0-596-52748-8 0-596-52748-9
    %I O'Reilly & Associates, Inc.
    %O U$39.99/C$49.99 707-829-0515 fax: 707-829-0104
    %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
    %P 281 p.
    %T "Beautiful Security"

    The preface states that the intention of the book is to a) make sure
    that security books sell well, b) show that security is an exciting
    career, and c) demolish the idea that security is a separate component
    that can be added to any system. (The first is a tall order, the
    second is already a common belief among many who haven't worked in the
    field or the real world, and the third is so well established in the
    minds of so many that this book had better sell extremely well if it
    is to have any chance of success.) The work is directed at those
    interested in starting a career in technology, and interested in the
    cutting edge.

    With pretty much any collection of essays the quality varies. It is
    also true of this assortment, but the articles in this work are
    uninspired and uninspiring.

    The first paper notes the psychological factors that lead to
    insecurities, and which can be used to direct attacks against systems.
    (It promises to suggest how psychological factors can be used against
    attackers, but never delivers on that.) Another essay describes the
    common practice of creating fake wireless access points to collect
    financial and authentication credentials. A third suggests that
    security metrics can protect companies, but the two examples given are
    actually of situations where companies were using metrics: just not
    ones that would catch those specific situations. The underground
    economy involved in the organization of blackhat crime is covered in
    one piece, and presents material that is fairly simplistic from the
    perspective of those who have worked in recent malware research, but
    possibly surprising to those who have not. A review of credit card
    security issues in online commerce proposes to outline a new paradigm
    for such transactions, but ends abruptly without saying how such a
    thing might work. Another paper notes problems with online
    advertising, such as malware and click-through fraud.

    One excellent and detailed essay by Phil Zimmermann and John Callas
    describes the "web of trust" key signing and validation model from the
    PGP (Pretty Good Privacy) program. The honeyclient method of
    searching for malicious Websites is explained in another item. On the
    other hand, the following paper is simply a collection of diverse
    opinions without a theme. An article recommends project management in
    software development while another suggests making security a software
    requirement: both of these are admirable pieces of advice, but the
    papers don't provide any more convincing impetus to do so. A rambling
    dissertation on legal issues related to information security meanders
    through a variety of topics, without any central theme. The article
    on factors affecting the usefulness of audit logs is broadly
    comprehensive and to the point. The subsequent paper on incident
    detection examines a specific incident, but is otherwise a generic

    A bright spot in the book is Peter Wayner's intriguing description of
    a system of partial encryption of common databases, where visibility
    of the data depends upon location, which would have significant
    implications for e-commerce, customer privacy, cloud computing, and
    possibly even social networking. Unfortunately, the book ends on a
    slightly sour note, with a paper insisting that everyone is doing
    antivirus protection incorrectly, except the company for which the
    authors work.

    I'm not certain that this work will do anything for the sales of
    security texts. With a few exceptions, the pedestrian writing and
    ideas scarcely show that security is an exciting career. Only one
    item is close to the cutting edge. Security is not approached in a
    holistic manner in the material, so the notion of security as a
    fundamental constituent, rather than a separate component, of a system
    is unlikely to be dislodged.

    copyright Robert M. Slade, 2009 BKBEASEC.RVW 20091008


    "Dictionary of Information Security," Syngress 1597491152
