Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×

Beautiful Security 81

brothke writes "Books that collect chapters from numerous expert authors often fail to do more than be a collection of disjointed ideas. Simply combining expert essays does not always make for an interesting, cohesive read. Beautiful Security: Leading Security Experts Explain How They Think is an exception to that and is definitely worth a read. The book's 16 chapters provide an interesting overview to the current and future states of security, risk and privacy. Each chapter is written by an established expert in the field and each author brings their own unique insights and approach to information security." Keep reading for the rest of Ben's review.
Beautiful Security: Leading Security Experts Explain How They Think
author Andy Oram and John Viega
pages 300
publisher O'Reilly Media
rating 9/10
reviewer Ben Rothke
ISBN 978-0596527488
summary An eye-opening book that will challenge you
A premise of the book is that most people don't give security much attention until their personal or business systems are attacked or breached. The book notes that criminals often succeed by exercising enormous creativity when devising their attacks. They think outside of the box which the security people built to keep them out. Those who create defenses around digital assets must similarly use creativity when designing an information security solution.

Unfortunately, far too few organizations spend enough time thinking creatively about security. More often than not, it is simply about deploying a firewall and hoping the understaffed security team can deal with the rest of the risks.

The 16 essays, arranged in no particular theme, are meant to show how fascinating information security can be. This is in defense to how security is often perceived, as an endless series of dialogue boxes and warnings, or some other block to keep a user from the web site or device they want to access. Each of the 16 essays is well-written, organized and well-argued. The following 4 chapters are particularly noteworthy.

Chapter 3 is titled Beautiful Security Metrics and details how security metrics can be effectively used, rather than simply being a vehicle for creating random statistics for management. Security metrics are a critical prerequisite for turning IT security into a science, instead of an art. With that, author Elizabeth Nichols notes that the security profession needs to change in ways that emulate the medical professional when it comes to metrics. She notes specifically that security must develop a system of vital signs and generally accepted metrics in the same way in which physicians work. The chapter also provides excellent insights on how to use metrics, in addition to high-level questions that can be used to determine how effective security is within an organization.

Chapter 6 deals with online-advertising and the myriad problems in keeping it honest. Author Benjamin Edelman observed a problem with the online supply chain world, as opposed to brick and mortar (BAM) world, in that BAM companies have long-established procurement departments with robust internal controls, and carefully trained staff who evaluate prospective vendors to confirm legitimacy. In the online world, predominantly around Google AdSense, most advertisers and advertising networks lack any comparable rigor for evaluating their vendors. That has created a significant avenue for online advertising fraud, of which the online advertising is a victim too.

Edelman writes that he has uncovered hundreds of online advertising scams defrauding hundreds of thousands of users, in addition to the merchants themselves. The chapter details many of the deceptive advertisements that he has found, and shows how often web ads that tout something for free are most often far from it.

Chapter 7 is about the PGP and the evolution of the PGP web of trust scheme. The chapter is written by PGP creator Phil Zimmerman, and current PGP CTO Jon Callas. It has been a long while since Zimmerman has written anything authoritative about PGP, so the chapter is a welcome one. Zimmerman and Callas note that while a lot has been written about PGP, much of it contains substantial inaccuracies. The chapter provides invaluable insights into PGP and the history and use of cryptography. It also gives a thorough overview of the original PGP web of trust model, and recent enhancements bring PGP's web of trust up to date.

Chapter 9 is one of the standout chapters in the book. Mark Curphrey writes about the need to get people, processes and technology to work together so that the humans involved in information security can make better decisions. In the chapter, Curphrey deals with topical issues such as cloud computing, social networks, security economics and more. Curphrey notes that when he starts giving a presentation, he does it with the following quotation from Upton Sinclair — "it's difficult to get a man to understand something when his salary depends on him not understanding it." He uses the quote to challenge listeners (and readers in this case) to question the reason why they are being presented the specific ideas, which serves as a reminder of common, subtle biases for thoughts and ideas presented as fact.

In its 250 pages, Beautiful Security is both a fascinating an enjoyable read. There are numerous security books that weigh a few pounds and use reams of paper which don't have a fraction of the real content that Beautiful Security has. With other chapters from industry luminaries such as Jim Routh, Randy Sabett, Anton Chuvakin and others, Beautiful Security is a required read.

For those that have an interest in information security or those that are frustrated by it, Beautiful Security is an eye-opening book that will challenge you, and change the way you think about information security. It is a good book for those whose who think information security is simply about deploying hardware, and an even better book for those who truly get information security.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Beautiful Security: Leading Security Experts Explain How They Think from Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


This discussion has been archived. No new comments can be posted.

Beautiful Security

Comments Filter:
  • Thnx (Score:2, Insightful)

    by hurting now ( 967633 ) on Monday July 06, 2009 @03:07PM (#28598071) Homepage Journal
    While these essays are probably available in some form or another on the web, I'll be in for one of these books. Thank you for the review.

    As an Information Security professional, I look for books and other easy to read documentation that I can recommend to management and others who indicate an interest in (or need a push in the right direction) info security. Most of the time, if I e-mail them a link or story, it gets blown off. If I can put a document (screw paper saving) in their hands or a book with a chapter as "homework" I seem to get a better response.
  • by tcopeland ( 32225 ) <> on Monday July 06, 2009 @03:16PM (#28598183) Homepage

    ...the book Beautiful Code [] which was a collection of essays about, well, beautiful code. The chapter "Another Level of Indirection" by Diomidis Spinellis was one of my favorites. There were some misses in there, but overall definitely worth a look.

    Another thing - all the author royalties for Beautiful Code were donated to Amnesty International. Not sure if Beautiful Security is the same way, but, neat idea.

  • by mungtor ( 306258 ) on Monday July 06, 2009 @03:27PM (#28598369)

    I don't think he was implying that security professionals are incapable of creativity. In most organizations security is considered an inconvenience, a budget drain, and an afterthought. Very rarely is an IT team staffed appropriately to allow the time and flexibility for anybody to try to think creatively about security. Even if they had the time, convincing people to spend money to prevent attacks that haven't happened yet is more difficult than it should be.

    Being pulled away from a firewall deployment because one of the many Finance printers is out of toner is a lot more common than one would think.

  • Grammar Nazi Me (Score:3, Insightful)

    by cromar ( 1103585 ) on Monday July 06, 2009 @04:21PM (#28599029)

    This is all meant in the best spirit of camaraderie. To summarize is not the purpose of a book review. The purpose is to explain to the reader why they should (or should not) read the book. Furthermore, chapter summaries are almost always redundant. Write concisely. Good opening. Informative. Understandable. Few spelling or grammar mistakes, though they were fairly noticeable and detracted from the tone of the piece.

    Compare to the following reworking of your review. Basically, you have a short paragraph of content:

    Books that collect chapters from expert authors often fail to do more than present disjointed ideas. "Beautiful Security: Leading Security Experts Explain How They Think" is an exception: the book provides an interesting overview of security, risk and privacy and is comprised of 16 essays, each showing how fascinating information security can be. Each of the essays is written by an established security expert and is organized and well-argued. With chapters from industry luminaries such as Mark Cuphrey, Jim Routh, Randy Sabett, Anton Chuvakin and others, "Beautiful Security" is required reading. The book highlights the importance of security metrics, with author Elizabeth Nichols explaining why the security profession should change to more emulate the medical profession in that a system of vital signs and accepted metrics should be adopted. Author Benjamin Edelman reports a problem with the online supply chain, in that it does not have long-established practices to confirm legitimacy of vendors. This has created an avenue for fraud. He has uncovered hundreds of online advertising scams defrauding hundreds of thousands of users, in addition to the merchants themselves, and provides details of these scams. In a welcome and long absent authoritative appearance by PGP creator Phil Zimmerman, as well as current PGP CTO Jon Callas, the pair highlight substantial inaccuracies in other writing on PGP, and provide insight into the history and use of cryptography, the PGP web of trust model, and recent enhancements to that model. The book details the need to get people, processes and technology to work together to make better security decisions. It also details emerging security topics relating to cloud computing, social networks, and the economics of security. For those that have an interest in information security, or those that are frustrated by it, "Beautiful Security" will be an entertaining yet challenging read.

    A better review would briefly explain why these ideas are important, giving the separate highlighted ideas their own paragraph or two. A good rule of thumb is to explain an idea rather than only present it; the explanation presents the idea in context so the reader will not only know what is in the book but know why they may want to read it.

    Cheers and good luck!

  • by theheadlessrabbit ( 1022587 ) on Monday July 06, 2009 @05:55PM (#28600315) Homepage Journal

    I wish people would understand what a phrase meant before trying to use it constructively..."Thinking outside the box" means thinking beyond marketing -- thinking about how the customer will use the product once the box is in the landfill. The use of the phrase in the summary is a great example of not having a clue.

    the phrase "think outside the box" may have meant that at one time, but its meaning has evolved since then. Now, when people say 'think outside the box' they mean "take an unconventional approach to problem solving". 'The box' is no longer referring to 'a box' that a product comes in. 'The box' is a metaphor for 'the class room', 'the board room', or 'the established paradigm'

    words change meaning with time. this is not a bad thing.

Computers don't actually think. You just think they think. (We think.)