Wednesday, July 26, 2006

The State of the Security Book Market

At left is the juggernaut of the security book market -- Hacking Exposed. I mention this book because it came up in a discussion I had with someone in the publishing community today. She reported that the state of the security book market is somewhat weak. She worried that Hacking Exposed (published in late 1999) might have created a "bubble" in the security book market, and the bubble is now deflating.

I interpreted her comment to mean that publishers have flooded bookshelves with too many security books over the last 7 years. Publishers were chasing readership figures that were inflated by false expectations caused by Hacking Exposed.

Over the last 6 or 7 years I've read and reviewed almost exactly 200 technical titles, the majority of which are security books. That's a huge number, with at least half of those books being titles I thought would be good to read. You can begin to imagine the number of titles I've missed when I tell you that I concentrate on reading books from Pearson (Addison-Wesley, PHPTR, etc.), Osborne/McGraw-Hill, Wiley, O'Reilly and friends (Syngress, No Starch, etc.), and recently Apress. I basically never touch Auerbach and several other publishing houses.

If you look at my Amazon.com Wish List you'll see a large selection of mainly security titles that I would like to read, or at least look at before making a decision. Recently there seems to have been a lull in books arriving at my doorstep, which is great considering the depth of my reading list. I'm making progress again, and you can expect another review -- my 200th technical book -- shortly.

What is your opinion of the security book market? Here are a few questions.

  1. What subjects would you like to see discussed? Hot topics at the moment seem to be forensics, reverse engineering, and rootkits.

  2. How many security books do you purchase per year?

  3. About how much do you consider paying for a book? What price is too expensive?

  4. Do you have a favorite publisher? Why?

  5. What is the biggest problem with security books today?

If you're wondering, these are my questions. The publishing person referenced earlier has nothing to do with these questions. I'm just curious.

Finally, if you find my reviews helpful, please vote them as being helpful when you read them. I get no financial compensation from Amazon.com one way or the other, but I do keep notes while reading and I try to deliver something useful when done. Seeing my helpful vote count jump from the current 3376 for 207 reviews (8 are nontechnical) might motivate me to update my Listmania Lists. :) Thank you!

13 comments:

Da Kahuna said...

Richard,

I have to agree that there are just too many and not all of them are good.

Subjects I'd like to see are the ones you mentioned, but I would like to see more of the "how to" type of books. Something similar to "Google Hacking" but for forensics would be a "must purchase" for me.

Another type of must-have would be a follow-up to "Security Assessment: Case Studies For Implementing the NSA IAM." While very comprehensive, more examples of completed assessments, sanitized of course, would make it better.

I purchase on the average of about 12 per year, one per month. My last eight books have all been from Syngress.

I have to think long and hard before I'll pay over $50.00 for a book. This sometimes means that I have to wait until some popular titles have been out for a while but unless the book is something that I can immediately apply, I try to stay within a budget.

I guess Syngress is my favorite publisher mainly because I can't get enough of their STN series. I plan on buying the newest one at BH/DefCon next week. Also I find their prices reasonable.

In my opinion that would be too much repetition.

David Belle-Isle said...

1. IDS, Forensics, Security engineering

2. ~25 (2/month)

3. $30-40 USD. Over $50 is too much.

4. Addison-Wesley. Books of great quality, in both content and the book itself (paper, cover, etc.). They are very professional, and books from them usually cover subjects in much more depth than any other publisher. Authors are technically very good and they are very good at writing.

I can't talk a lot about how it works on the inside, but from what I noticed, books from AW seem to be thoroughly reviewed and edited (if needed) before publishing. Unlike other publishers, like Syngress, where it is a common thing to have books filled with language errors, technical errors and editing errors.

5. Companies like Syngress. Overloading the shelves with poor quality books and non-professional stuff. You can clearly see that Syngress is there for one single reason: money. Of course, publishers, like every other company, have to make money, but the main reason for a book is to educate and learn things, and Syngress is clearly not good at it. Oh yeah... and the chapter reprint problem... that just makes me sick.

Another problem is the lack of good authors, not from a technical point of view but from a writing standpoint. For a security book to be good it needs quality technical content and quality writing. Unfortunately, the latter doesn't seem to be important for most publishers.

As a final note, I would like to see more books like "Protect Your Windows Network", "The Tao of Network Security Monitoring" or "Real Digital Forensics". Those books show a very good understanding of information security and bring very good material to the community.

David

Jason M said...

1. Security Engineering - both deep knowledge and 'craft'. Extending through both ends of the spectrum from building it to breaking it.

The title I am most looking forward to at the moment... DJB's high speed crypto book.

2. Roughly 1 every 2 months that are security specific. Usually 1+ per month that is technical.

3. Depends on the quality, both in contents and package. Anywhere < $120 CAD can be 'reasonable' by some measure but usually anything over $70 CAD has to be something 'special'.

4. The usual suspects: Pearson (Addison-Wesley, PHPTR, etc.), No Starch, Wiley, O'Reilly, and Osborne/McGraw-Hill, in roughly that order. Others, technical but not necessarily security publishers, that are not to be left out are MIT Press, Springer-Verlag, Oxford, Cambridge, and Elsevier.

Major factors in my list are solid editing, thorough technical review, and novel topics (but not fluff). These I'm willing to pay for.

Bill Pollock from No Starch has such a wicked attitude. I had a chance to meet him at CanSecWest and he really impressed me. Bill has a genuine interest in both people and the books, in that order. I think this leads to really interesting reads with greater longevity more often than not.

5. I'm with Dave above on this one: Syngress typifies poor security books. Badly edited, laid out and typeset to maximize page count (repetition, overly large fonts, gratuitous screenshots), and don't get me started on reprinting chapters. I own two of their titles: Pen Tester's OS Tk (just for chapter 1) and Google Hacking.

The Google book should have been half the size it was: the quantity of listings was absurd and the text was too prolix and oversimplified. Part of the problem is that the topic was almost too new at the time it was published; basically, the book took a couple of research papers and added padding. This is also key: a book has to be more substantive in content than a research paper... but I'm starting to rant.

Ryan Russell said...

I should note that I write bits of the security books in question, so I'm a little bit of a special case. If Da Kahuna is waiting on "How to Own a Shadow", I'm afraid you won't find it next week; we're not done. Feel free to hunt me down at Black Hat or Defcon and give me grief for that.

1. My favorite topics are reverse engineering, computer/security history, hardware hacking, and some of the story/fiction-based stuff.

2. I probably pick up 10-20 security books per year. I pay for maybe half of those out of my own pocket. This doesn't include any Syngress books that I obtain for promotional purposes or classes, etc...

3. I think the $60-75 range is where I think twice about whether I really want that book or not. I'll certainly pay it for the right book, though. Yes, for the record, my books are often priced a bit high for what they are. That's largely a consequence of the buyers that Syngress sells to, and the typical volume (read: lack of) that they do.

4. Other than Syngress, which isn't fair to name as favorite since they pay me for things, it seems that Addison-Wesley has all my other friends writing for them.

5. Certainly I think volume of books is a problem of sorts. I haven't decided whether it's a cause or symptom. And having served as cat herder on a few projects, I can say that some of the best subject matter experts are often not able to devote the proper attention to a lot of writing. If you want to hear from them, then guess what? They're probably a pretty busy guy (or gal). Also, please note that writing these books is almost never worth the author's time, from a strictly dollars-per-hour standpoint. You have to like writing books for their own sake.

Joe said...

# What subjects would you like to see discussed?
IDS, packet analysis, attacking network equipment (taking advantage of misconfigurations or buggy code) such as cisco, juniper, etc.

# How many security books do you purchase per year?
2-3

# About how much do you consider paying for a book? What price is too expensive?
Anything over $50 better be REALLY good and better teach me something new.

# Do you have a favorite publisher? Why?
O'Reilly is nice because they have loads of INFORMATION and can be used as a reference later.

# What is the biggest problem with security books today?
Errors make me want to throw a book.
Some are too wordy with the basics.
Some are way too long for the subject.
Seems most books are geared for n00bs.
Security books need more examples and case studies. I love reading a book that shows off what the book taught in a real example.
NSM was a good book because it taught IDS analysts that they are missing a lot of data when relying on tools like ACID/BASE and others.

LonerVamp said...

1. I am getting interested in wireless security as one of my specialties, in addition to NSM/networking. I've enjoyed a few nice books on wireless security such as Wi-Foo and Wireless Hacks, but I have to admit the offerings are still slightly slim, and I certainly am beyond an overview book on wireless security for the home; I want the down-and-dirty tools exposure and how-tos. I see a bunch on the horizon though, like Kismet Hacking, Wardriving and Wireless Pentesting, and Hacking Exposed Wireless.

I also truly enjoy, right now, books on particular tools that get into some real functional detail. I am a bit sick of books like Windows Security, where there is much more about what should be done as opposed to actually how to do them. For instance, "you should use ethereal to check for arp-poisoning," but leave out the, "And here is the filter I'm talking about." I do enjoy those books, but they don't always offer something new to my knowledge set. This is one place Syngress is strong with examples of their Snort, Ethereal, Open Source tools books, etc. I really enjoy getting a complete presentation on tools and how to use them to augment my own tinkering. Things like Hacking Exposed fall here for me, even though they are more of a blitz than a focused study.

The third area I really like would be books on complicated or new topics, but that drill down on them really nicely. Examples would be Grey Hat Hacking or even your own Tao of NSM. I appreciate books that really offer me something unique, new, or of value, as opposed to books that read like a CISSP study guide with little real new depth. I'd rather have someone somewhat walk me through malware analysis or forensics (since I am a novice there) than to just tell me what malware analysis is. I want practicality and usefulness out of my books, not just theory.

Lastly, I always enjoy the more informal books out there, such as the Hacker's Challenge series or the Stealing the Network series. Those are fun, give some real examples, and basically border on really involving the reader like a good fiction novel. I like real life examples, looks into the head of a hacker and even a security professional, stories, and other things like that. Kevin Mitnick's books are enjoyable for this reason (the second much more than the first). Case studies, culture, real life examples...they read fast and are highly entertaining and informative.

2. Too many! Honestly, probably about 2-3 per month. I wish I could read that many a month though!

3. So far, I've not found a top limit to the cost, but I certainly don't like to shell out over $49.99 for a security book unless it has some true value. Once it gets that high, I typically purchase off bookpool.com as opposed to Borders/B&N.

4. Not really, but I do love the quality of Addison-Wesley books; they're just enjoyable to read, feel, hold, and look at, and I really trust their author choices as being very professional and knowledgeable. I do have a dislike for the quality of Syngress books. They rub me the wrong way, which means if a Syngress book is borderline for me on whether I want to read it or not, I choose not to. Otherwise, I don't even really look at the publisher.

5. One problem I've seen is the milking of a "franchise" of books. Stealing the Network had a very unpolished third book which was a disappointment, and at times felt like it was just carried on to sell more books (not that it didn't have valuable stories anyway, some were as good as any in the series!).

I see people are mentioning the widening array of books, many crappy ones. While I can understand this, I have to admit my local booksellers have been shrinking their space for networking and security/hacking books. In the past two years, shelf space at my local Borders and B&Ns has shrunk down to 1/3 what it used to be.

Keydet89 said...

Richard,

If you don't mind me asking, with whom were you speaking?

My experience with AWL/Pearson Ed seems to be very different from yours. Most notably, I recently got with an editor (they've shifted so much lately) at AWL and asked them to exercise their right of first refusal for my next book, so I could move on to another publisher. My primary reason is that they were doing (IMHO) a huge disservice to themselves in how they were placing my first (and subsequently my second) book. My thinking was that a book on Windows forensics should not go in the same section as writing GPOs, but rather in the section regarding forensics, as with Brian Carrier's book. For some reason, they didn't seem to see it that way.

Thanks,

Harlan

Keydet89 said...

# What subjects would you like to see discussed?

My personal preference is toward "deep" subjects in the area of Windows forensics. I'm not so much interested in "forensics" that's nothing more than a "HOW-TO" for EnCase.

# How many security books do you purchase per year?

Not many. I purchased RDF on a whim, b/c you were there in the store! ;-)

# About how much do you consider paying for a book? What price is too expensive?

It really depends on what the book has to offer. RDF, as an example, took an interesting turn by providing a walk-through of a case, with many of the necessary files. This way, the reader can follow along, and replicate what was done on the case. Such a book is worth more, IMHO.

# Do you have a favorite publisher? Why?

O'Reilly has always been my favorite, since I picked up the first "Java in a Nutshell" in the mid-90s. I like the no-nonsense, bare bones approach, without all the unnecessary fluff.

# What is the biggest problem with security books today?

Placement. Some books are out there, and are very good/useful, but aren't placed very well. By that, I mean that potential readers aren't "seeing" them when they go online and do searches, or even to the bookstore. Unfortunately, many potential purchasers aren't able to make it to bookstores.

Case in point...I recently ran across a title..."Windows Forensics", by Chad Steel, published by Wiley this year. I've done multiple searches that have included the terms "Windows" and "forensics" and not once has this title popped up. I ran across it completely by accident.

A close second is content. Again, my interest is specific to the forensic analysis of Windows systems, and I was somewhat disappointed with the content in that area in RDF. Steel's book isn't much different from RDF, with regards to content.

Harlan

Richard Bejtlich said...

Hi Harlan,

I wonder if your issue is your book being in the Addison-Wesley Microsoft Technology Series? Something similar happened with Gary McGraw's Building Secure Software. It's in the Addison-Wesley Professional Computing Series. It should really look and feel like Gary's other two books.

Keydet89 said...

Richard,

I'm sure that's the case...but I was unsuccessful in getting them to position it differently the first time around, and got frustrated when discussing the second book with them.

Marcin Wielgoszewski said...

1. I would like to see books that can take the use of tools, policy, etc. and apply them to real world applications. Anyone can use these tools, but in addition, how about visually presenting the information gathered to your users, bosses, etc.?

2. About 3 or so... I would like to read more (see question 5 for more)

3. $30. Anything over $50 is getting expensive.

4. Addison-Wesley/O'Reilly. Quality of the books. I like how O'Reilly uses a special binding to prevent "breaking".

5. Very dry, not engaging enough. I have trouble reading some books all the way through because I get bored or end up putting it down and forgetting. Some books tend to drone about a topic without a break. When this happens, I stop and ask myself "what the hell did I just read?" Reading some security books is just flipping pages over and over, words getting lost 1/2 way to my eyes.

dre said...

1. I like books about information security or networking. I like authors like Schneier who can write books like Applied Cryptography and then write Beyond Fear many years later.

2. I read hundreds, maybe even over a thousand, of computer technical books every year. Probably at least half of them are security related. I rarely purchase "real live" books anymore with safari.oreilly.com, osoft.com, nostarch.com, books24x7.com, mkp.com, apress.com, and syngress.com being my top choices for reading these books (or even toc's/indexes and sample chapters).

3. I usually steal them from borders or bn (or have others steal them for me). When reading online, I rarely pay for book access - but instead find vulnerabilities in those specific websites. I've only worked maybe 6 months in the past 2 years - so I'm cash poor but hungry for knowledge. Therefore, the actual cost of the book means little to me.

4. My favorite publisher has always been PHPTR, followed by AWL/CSeng, followed by Morgan Kaufmann. These three have the best printing. Their books always look and feel as sharp as German steel. The writing material usually matches the longevity or `timeliness' of the cover and pages.

5. Biggest problem with security books today? They're not free as they should be, including cost. People keep information to themselves out of laziness, selfishness, or [worst] intellectual property laws.

Also note that I find lots of hidden gems in vendor websites (especially ones that have customer/partner only access section(s), or internal company websites). Search engines and blogs (including bloglines, technorati, digg, del.icio.us, et al.) are hot points for information in this day and age (special note: see fravia's talk at recon.cx '06). Finally, nothing beats conferences or events.

honedin said...

1. I like books that discuss the fundamentals and don't get too carried away on the technology (Schneier's books and articles are very good). I also like books on security management that give good practical ideas ("The information system security officer's guide", "A practical guide to managing information security", ...)

2. I purchase between 5 and 10 books in a year.

3. Depends on the book. For a really good book I will pay more...

4. No favorites.

5. There are lots of books on technology but it is difficult to find good books on governance, management, risk analysis etc.