My friends at Pearson sent me four new books from their various imprints. The first is Penetration Testing and Network Defense by Andrew Whitaker and Daniel Newman. This book has received high marks at Amazon.com and it seems more coherent than a similar book I just reviewed. This is my first Cisco Press security book. The last Cisco Press book I reviewed was Cisco Router Firewall Security.
Next is VPNs Illustrated: Tunnels, VPNs, and IPsec by Jon C. Snader. This book is unique in that it looks and communicates like Richard Stevens' TCP/IP Illustrated, Volume 1: The Protocols. I wanted to read this book after seeing the diagrams, code snippets, and Tcpdump traces. I've also never found a really satisfying analysis of IPsec, which is covered by this book. The Amazon.com reviews are mixed, but I am hopeful.
The next book is High-Assurance Design: Architecting Secure and Reliable Enterprise Applications by Clifford J. Berg. This is a book of design principles and patterns to build high-assurance applications. I like books on security engineering, and I plan to read this book in concert with Security Patterns: Integrating Security and Systems Engineering.
Last but definitely not least is the new edition of Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses, 2nd Ed by Ed Skoudis with Tom Liston. I loved the first edition of this book, which was on my list of favorite 10 books from the past 10 years. This is the perfect book for anyone starting a career in information security, because it covers all of the significant technical issues that a security operator should know.
Thinking about Ed's book made me consider the following point. To the degree that the CISSP has any value at all, it should be a management-oriented certification focusing on broad security themes. As I wrote previously, I believe the CISSP should be based on NIST SP 800-27, Rev. A (.pdf), Engineering Principles for Information Technology Security (A Baseline for Achieving Security).
If someone wanted to build a real technical information security certification, they should base it on Counter Hack.
On a related note, someone asked me recently if my first book was "CISSP compliant". After calming myself, I replied that the CISSP should be compliant with best practices -- best practices should not "comply" with the CISSP. That sort of question raises the problem of teaching and learning "for the test," instead of teaching and learning the best material. I am not opposed to teaching and learning for the test if the test is sound. Unfortunately, as I've written before, I think the CISSP test is utterly worthless.