Monday, December 31, 2007

Last Book Reviews of 2007 Posted

Amazon.com just published my five star review of Ajax Security by Billy Hoffman and Bryan Sullivan. From the review:

Ajax Security was the last book I read and reviewed in 2007. However, it was the best book I read all year. The book is absolutely compelling and every security professional and Web developer should read it. It's really as simple as that.

I am not a Web developer. I was not very familiar with Ajax (beyond its buzzword status and a vague notion of functionality) when I started reading Ajax Security. I attended the authors' Black Hat 2007 talk and was thoroughly impressed and disturbed by the security implications they presented. I expected Ajax Security to be a good book, but one can never be sure if talented hackers and presenters can transfer their skills to the written word. Ajax Security gets the job done.


Ajax Security is my Best Book Bejtlich Read in 2007 award winner. Amazon.com will soon publish my four star review of Geekonomics by David Rice. From the review:

I really, really liked Geekonomics, and I think all security and even technology professionals should read it. Why not give the book five stars then? The reasons are twofold: 1) the book fails to adequately differentiate between safety and security; and 2) the chapter on open source demonstrates fundamental misconceptions that unfortunately detract from the author's message. If you are kind enough to keep the
thoughts in this review in mind when reading Geekonomics, you will find the book to be thoughtful and exceptionally helpful.

It is important to remember that Geekonomics is almost exclusively a vulnerability-centric book. Remember that the "risk equation" is usually stated as "risk = vulnerability X threat X impact". While it is silly to assign numbers to these factors, you can see that decreasing vulnerability while keeping threat and impact constant results in decreased risk. This is the author's thesis. Rice believes the governing issue in software security is the need to reduce vulnerability.

The problem with this approach is that life is vulnerability. It is simply too difficult to eliminate enough vulnerability in order to reduce risk in the real world. Most real world security is accomplished by reducing threats. In other words, the average citizen does not reduce the risk of being murdered by wearing an electrified, mechanized armor suit, thereby mitigating the vulnerability of his soft flesh and breakable neck. Instead, he relies on the country's legal system and police force to deter, investigate, apprehend, prosecute, and incarcerate threats.
Finally, Amazon.com published my three star review of The Book of Pf by Peter N.M. Hansteen. From the review:

I was excited to see a new book on Pf on the market. Three years ago I read and reviewed Building Firewalls with OpenBSD and PF (BFWOAP) by Jacek Artymiak and gave it five stars. I hoped The Book of Pf (TBOP) would acknowledge the best ideas in BFWOAP and expand into Pf developments of the last three years. TBOP is strong when it addresses how to install or use Pf on operating systems other than OpenBSD. Elsewhere, the book is too weak to merit more than three stars.

Hopefully by the time you read this all of the links will be working and the reviews will be posted.

2 comments:

dre said...

I didn't read Geekonomics in the way that you did. I don't see any need for analysis of localized risk management or information security management. David Rice was discussing quality, security, and safety in software as if they were all one in the same (which they are).

There is certainly a difference between software assurance and information assurance. Geekonomics chose to look at all software from a software assurance perspective. It acknowledged that software users should have certain rights and privileges bestowed upon them by software vendors. According to Geekonomics, software vendors are not being held accountable for the vulnerabilities they are creating -- but also any/all aspects of quality. The vulnerability problem is primarily a software assurance problem. Certainly that's not the only information or data assurance problem -- the author never suggested it as such, or even as a panacea. It's my opinion that David Rice wasn't seeking to solve the problems of information -- only software. Maybe you could re-read it in that light.

Richard Bejtlich said...

http://linux.slashdot.org/comments.pl?sid=401894&cid=21858620