{ by david linsin }

August 18, 2008

Book Review: Foundations of Security

Apress was kind enough to pass me a copy of this book, which I agreed to review in return.

Foundations of Security: What Every Programmer Needs to Know delivers what it promises. You get an overview of all the relevant topics in the field of security and secure system design.

The book is divided into 3 parts: Security Design Principles, Secure Programming Techniques and Introduction to Cryptography. I made my way through the book in a linear fashion to get a feeling for what a security novice would take away from reading Foundations of Security. The parts are very well organized and build on each other. If you are not familiar with security, or a little rusty, it's advisable to start from the beginning.

The first part highlights the basics of security. It covers security goals, shows you what threats your system might have to face and the design principles for handling those threats and reaching your security goals. Among other things, this first part explains authentication and authorization, denial-of-service attacks and defense in depth.

In part 2 it gets a little more concrete and technical. It covers a variety of topics that you should be aware of when developing your software. It highlights buffer overflows and shows how to securely handle passwords in your application. Since the book was published in 2007, it's up to date and covers web 2.0 attack patterns such as Cross Site Scripting (XSS) and SQL Injection. This part contains some nice examples in Java and shows you common errors leading to potential security flaws.

The final part of the book gives a brief overview of the world of cryptography. It covers topics like symmetric and public key cryptography, message authentication codes (MACs) and signatures. Unfortunately this is the shortest part of the book. I would have loved to read more on this topic, because the authors really understand how to explain the relationship between cryptography and security in a comprehensible manner.

There are a few nit-picks I have to mention: the book features quite a bit of Java source code, which gives it a nice practical aspect. Unfortunately all the package statements are unqualified, I suppose to save some space, but it makes the code rather hard to read. Another thing I have to criticize is the constant repetition of what's going to happen next. In each part, chapter and section the authors repeat, over and over again, what you are going to read a couple of lines further down the road. To me that is very irritating. It's like a non-stop noise that follows you throughout the book.

Foundations of Security is really meant for beginners or for someone who wants to get a feel for what security is all about. Although there are code examples and it sometimes gets a little technical, it's really just a starting point for further investigation. Especially the Introduction to Cryptography only gives you a glimpse of what's going on. After all, it is called Foundations of Security, and I think it does a great job of laying those out.



  • mail(dlinsin@gmail.com)
  • jabber(dlinsin@gmail.com)
  • skype(dlinsin)