BKBEASEC.RVW 20091008

"Beautiful Security", Andy Oram/John Viega, 2009, 978-0-596-52748-8, U$39.99/C$49.99
%E Andy Oram http://praxagora.com/andyo
%E John Viega
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 2009
%G 978-0-596-52748-8 0-596-52748-9
%I O'Reilly & Associates, Inc.
%O U$39.99/C$49.99 707-829-0515 fax: 707-829-0104 nuts@ora.com
%O http://www.amazon.com/exec/obidos/ASIN/0596527489/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0596527489/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0596527489/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 281 p.
%T "Beautiful Security"

The preface states that the intention of the book is to a) make sure that security books sell well, b) show that security is an exciting career, and c) demolish the idea that security is a separate component that can be added to any system. (The first is a tall order, the second is already a common belief among many who haven't worked in the field or the real world, and the third is so well established in the minds of so many that this book had better sell extremely well if it is to have any chance of success.) The work is directed at those interested in starting a career in technology and in the cutting edge.

With pretty much any collection of essays the quality varies. That is also true of this assortment, but overall the articles in this work are uninspired and uninspiring. The first paper notes the psychological factors that lead to insecurities, and which can be used to direct attacks against systems. (It promises to suggest how psychological factors can be used against attackers, but never delivers on that.) Another essay describes the common practice of creating fake wireless access points to collect financial and authentication credentials.
A third suggests that security metrics can protect companies, but the two examples given are actually of situations where companies were using metrics: just not ones that would catch those specific situations. The underground economy involved in the organization of blackhat crime is covered in one piece, and presents material that is fairly simplistic from the perspective of those who have worked in recent malware research, but possibly surprising to those who have not. A review of credit card security issues in online commerce proposes to outline a new paradigm for such transactions, but ends abruptly without saying how such a thing might work. Another paper notes problems with online advertising, such as malware and click-through fraud. One excellent and detailed essay by Phil Zimmermann and John Callas describes the "web of trust" key signing and validation model from the PGP (Pretty Good Privacy) program. The honeyclient method of searching for malicious Websites is explained in another item. On the other hand, the following paper is simply a collection of diverse opinions without a theme. An article recommends project management in software development while another suggests making security a software requirement: both of these are admirable pieces of advice, but the papers don't provide any more convincing impetus to do so. A rambling dissertation on legal issues related to information security meanders through a variety of topics, without any central theme. The article on factors affecting the usefulness of audit logs is broadly comprehensive and to the point. The subsequent paper on incident detection examines a specific incident, but is otherwise a generic discussion. 
A bright spot in the book is Peter Wayner's intriguing description of a system of partial encryption of common databases, where visibility of the data depends upon location, which would have significant implications for e-commerce, customer privacy, cloud computing, and possibly even social networking. Unfortunately, the book ends on a slightly sour note, with a paper insisting that everyone is doing antivirus protection incorrectly, except the company for which the authors work.

I'm not certain that this work will do anything for the sales of security texts. With a few exceptions, the pedestrian writing and ideas scarcely show that security is an exciting career. Only one item is close to the cutting edge. Security is not approached in a holistic manner in the material, so the notion of security as a fundamental constituent, rather than a separate component, of a system is unlikely to be dislodged.

copyright Robert M. Slade, 2009