Book Review: Foundations of Security

Apress was kind enough to pass me a copy of this book, which I agreed to review in return.

Foundations of Security: What Every Programmer Needs to Know delivers what it promises. You get an overview of all the relevant topics in the field of security and secure system design.

The book is divided into 3 parts: Security Design Principles, Secure Programming Techniques and Introduction to Cryptography. I made my way through the book in a linear fashion to get a feeling what a security novice would take away, reading Foundations of Security. The parts are very well organized and build on each other. If you are not familiar or a little rusty when it comes to security, it's advisable to start from scratch.

The first part highlights the basics of security. It covers security goals, shows you what threats your system might have to face and the design principles to handle those threats and reach your security goals. Among other principles this first chapter explains e.g. Authentication and Authorization as well as Denial-of-Service attacks and Defense-in-Depth.

In part 2 it gets a little more concrete and technical. It covers a variety of topics that you should be aware of, when developing your software. It highlights buffer overflows and shows how to securely handle passwords in your application. Since the book was published in 2007, it's up-to-date and covers web 2.0 attack patterns such as Cross Site Scripting (XSS) and SQL Injection. This part contains some nice examples in Java and shows you common errors, leading to potential security flaws.

The final part of the book gives a brief overview of the world of Cryptography. It covers topics like key cryptography, message authentication codes (MACs) and Signatures. Unfortunately this is the shortest part of the book. I would have loved to read more on this topic, because the authors really understand how to explain the correlation of cryptography and security, in a comprehensible manner.

There are a few nit-picks I have to mention: the book features quite a bit of Java source code, which gives the book a nice practical aspect. Unfortunately all the package statements are unqualified, I suppose to save some space, but it makes it kinda hard to read the code. Another thing that I have to criticize is the constant repetition of what's going to happen next. In each part, chapter and section the authors repeat over and over again, what you are going to read a couple of lines further down the road. To me that is very irritating. It's like this non-stop noise which follows you through out the book.

Foundations of Security is really meant for beginners or someone who wants to get a feel of what security is all about. Although there are code example and sometimes it gets a little technical, it's really just a starting point for further investigation. Especially the Introduction into Cryptography only gives you a glimpse of what's going on. After all it is called Foundations of Security and I think it does a great job in laying those out.

Security Talk @ JUG-Ka

This Wednesday at 7:15pm, Dr. Patrick Schemitz from Netpioneer GmbH will give a talk on Basics of Security Auditing at Java Users Group Karlsruhe. It'll takes place at University of Karlsruhe as usual, but this time in room UG 102.

I'm currently reviewing Apress's Foundation of Security, so this talk will be very interesting and a useful addition.

For further information check out the Google Group, the new Xing Group or subscribe to the Google Calendar feed.

How Corporation Constrain Productivity

In the environment I'm working right now, everything is forbidden! You are not allowed to install, download or connect to anything at all! So in some sense I feel like Dilbert here:



I really want to be productive and dedicated, but the corporation I'm working for right, is giving me a hard time.

So far I've only been working for small companies where virtually everything is possible. At my employer for instance, I can use my own Mac Book Pro for development. That's really cool. I'm allowed to use the tools that I prefer and there is no limitation when it comes to internet access. In short: it's fun to develop this way.

I feel so much more productive when I can use the tools that I like and have all the freedom that I need as a developer. That doesn't necessarily mean I am more productive. It simply means, that I put more effort into what I do, because I'm having fun. During the last project that I did, I invested a lot of personal time to switch from Eclipse to IntelliJ. I changed the build process and tweaked the workspace settings, until everything worked seamlessly with the new IDE. I don't know how many hours I put into that transition, just to use the tool that I prefer (As a sidenote: I still think IntelliJ is way better than Eclipse in so many ways and my heart is literally bleeding, that I can't use it at the moment). If you'd make a down-to-earth cost benefit analysis, you'd probably throw your hands up in horror. However, my efforts weren't in vain: we ended up having a neat build process and I believe that led to more overall quality of our software.

At the moment I'm all hyped because of the new project I just started. There a lots of new technologies involved and I'm learning a lot every single day. I'd love to make a difference and I'm trying to put a lot of effort and dedication into my work. However, the circumstances are not very promising. Like in a lot of big corporation there is a process for almost everything - even changing a database schema can only be made by filling out a form. Those processes are not only annoying, they also have the tendency to be rather slow. Waiting for an important piece of software can take weeks, although it's literally one click away. I'm actually surprised how calm I am about those circumstances. Maybe it's because I'm not really accountable for anything, but my code. In my previous project, it was the opposite: I was responsible for virtually every technical aspect of the application.

I'm also surprise how much money, time and ultimately productivity, constrains like limited internet access and user rights cost. Being used to all the freedom in relation to my working environment, I can see now how much it fosters creativity. I can explore new possibilities in terms of tools or languages and that makes me as a tech-geek very happy. Don't get me wrong, I can fully understand the notion of such limitation and constraints from the corporation's point of view. It's important to have standards and processes of how things work. I just think more freedom equals more creativity and thus can yield higher productivity.

Security advice of the day

always add some salt to your hash