Musings - Book Reviews
Here we are gathering book reviews on information and network security, management, and leadership.
Book Review: Dreams from My Father, by Barack Obama - February 4th, 2008
Book Review: LAN Switch Security: What Hackers Know About Your Switches, by Eric Vyncke and Christopher Paggen - January 11th, 2008
Book Review: Made to Stick: Why Some Ideas Survive and Others Die, by Chip Heath and Dan Heath - January 2nd, 2008
Book Review: Geekonomics, by David Rice - December 27th, 2007
Book Review: End-to-End Network Security, by Omar Santos - December 6th, 2007
Book alert, Behind the Screen: Hacking Hollywood, by Mark Stone - November 27th, 2007
Book Review: Linksys WRT54G Ultimate Hacking, by Paul Asadoorian and Larry Pesce; Raul Siles Technical Editor - October 31st, 2007
Book Review: The Black Swan: The Impact of the HIGHLY IMPROBABLE, by Nassim Nicholas Taleb - October 27th, 2007
The Best Security Books to have in your library - October 25th, 2007
Book Review: The Age of Speed, by Vince Poscente - October 2nd, 2007
Book Review: Virtual Honeypots by Niels Provos and Thorsten Holz - August 21st, 2007
Book Review: Seduced by Success by Robert J. Herbold - June 26th, 2007
Book Review: Selling Blue Elephants, by Moskowitz and Gofman - June 25th, 2007
Book Review of Snow Crash leads to Second Life - April 18th, 2007
Book Review: Miracle in the Andes, by Nando Parrado and Vince Rause - February 20th, 2007
Book Review - Information Security Law: Control of Digital Assets - February 19th, 2007
Book Review - Cisco Network Admission Control - January 1st, 2007
Book Review: The Art of Software Security Assessment - December 19th, 2006
Book Review: The Art of Software Security Assessment
December 19th, 2006
By Stephen Northcutt
The Art of Software Security Assessment, Dowd, McDonald, Schuh, Addison Wesley Press
This is one of those rare security books that has a chance to revolutionize the industry like Applied Cryptography, Snort 2.0, or Hacking Exposed. We rarely post book reviews in the Leadership Laboratory, but we will for truly groundbreaking books. The longer you wait to read this book, the further you will fall behind. Nuff said?
Every week that goes by we see an increasing understanding in the community about how important secure software is, and that it takes the appropriate development process to create secure software. This book is hitting the marketplace at the perfect time. I hope the authors and publishing team have a runaway success; they deserve it. I also hope people will be encouraged by this book: secure software development is certainly possible, and this book clearly shows that. It takes management support in terms of resources, training, and good process, but it can certainly be done.
With 1128 content pages, much of this material will be things that you have picked up in other places, such as other books or courses you have taken. Much of it will be things you once knew and forgot. But this is the most complete book on software security available, covering Windows, Unix, network protocols, web and other applications.
What I particularly love is that the majority of the information is very accessible; the authors have worked hard to be clear and understandable. Please do not get me wrong: if you have never written a line of code, you are going to be lost during the code examples. The only signpost you get is the occasional bolded line, but you will still be able to follow the discussion before the code example and right after the code example.
Section one of the book is called an Introduction to Software Security Assessment. I was able to read the 164 pages all at one time (though I was up to 2 AM doing it). This is foundational material, and if you are responsible for software development as a manager, I recommend you read at least this one section.
The next section, Software Vulnerabilities, starts with a buffer overflow chapter. This is a test of any good security book. If they point to an ancient paper like Smashing the Stack and mumble an incoherent sentence or two, you know they probably don't know what they are talking about. This book builds the case, using both code fragments and clear diagrams with plenty of explanation.
The final section is titled Software Vulnerabilities in Practice; I am not convinced this is an appropriate section name. Network or Web should probably be in the name. Chapters include Network Protocols, Firewalls (probably the weakest chapter in the book), Network Application Protocols, Web Applications, and Web Technologies.
They do not list an errata and discussion website in the book, but one of the authors (Schuh) wrote and said to try http://taossa.com/. Nice website/blog; you probably want to bookmark it or subscribe to its RSS feed. Also, in the back of the book you have an opportunity to register your book; that might be a good idea, as these guys are still adding content.
Happy Reading!