Saturday, October 25, 2008

Security Book Publishing Woes

Practical UNIX and Internet Security, 2nd Ed (pub Apr 96) by Simson Garfinkel and Gene Spafford was the first computer security book I ever read. I bought it in late 1997 after hearing about it in a "UNIX and Solaris Fundamentals" class I took while on temporary assignment to JAC Molesworth. Although I never formally listed it in my reviews, I did list it first in my Favorite 10 Books of the Last 10 years in 2007.

Since reading that book, I've read and reviewed over 270 technical books, mostly security but some networking and programming titles. In 2008 I've only read 15 so far, but I'm getting serious again with plans to read 16 more by the end of the year. (We'll see how well I do. I only read 25 last year, but my yearly low was 17 in 2000. My yearly high was 52 in 2006, when I flew all over the world for TaoSecurity LLC and read on each flight.)

Security books are on my mind because I had a conversation with a book publisher this week. She told me the industry has been in serious decline for a while, meaning people aren't buying books. Apparently this decrease in sales is industry-wide, punishing both good books (those recognized as being noteworthy) and bad (which you would expect to sell poorly anyway).

Some people blame the book Hacking Exposed (6th edition due in Feb 09) for creating unrealistic expectations in the minds of book publishers. McGraw-Hill claims HE is the best-selling security book of all time. I've heard numbers between 500,000 and 1,000,000 copies across the editions (not counting the other titles in the HE line.) That blows away any other security book.

I've got about 50 titles on my reading list for the remainder of 2008 and the first half of 2009. About 1/3 are programming books, 1/4 are related to vulnerability discovery, 1/5 could be called "hacking" books, and the remainder deal with general security topics. I only plan to read what I would call "good books," so from my perspective there's plenty of good new-ish books around. However, thus far this year I've only read two five-star books, Applied Security Visualization and Virtual Honeypots.

What do you think of the security book publishing space? Are there too many books? Are there too few good books? Are books too expensive? What books would you like to see published?


CG said...

I dont think there are too many books but I think there are too few GOOD books and they are usually too expensive.

I'd like to see more books addressing current threats published but I don't think the people that can write those books want to share that information in that medium at this time :-(

Kartar said...
This comment has been removed by the author.
Kartar said...
This comment has been removed by the author.
Kartar said...

Does the decline have to be about quality?

From my discussions with publishers the issue exists across the publishing industry - people are buying fewer books. Less people read.

Niche areas - like technical books - and within those niches smaller niches - security books - are being hit hard.

I think we're seeing a change in the way people want to get information rather than a backlash against any quality issues.

- James Turnbull

Anonymous said...

I'd love to see a good solid book on a recent version of Snort. Perhaps you can write it :) ?

Also, I'd love to see a book on using modsecurity as a WAF.

LonerVamp said...

A couple problems for me. Just to illustrate, I probably buy about 10-40 technical books a year, although I am definitely at the low end of the scale so far this year. That has nothing to do with any financial situation.

a) Syngress has too often left a bad taste in my mouth. I can pull out $40-$60 for a really crappy book that is put together poorly or just not all that useful. One bad publisher leads to a tendency to not look at as many books. Or at least be careful with those I do look at.

b) I'm a big book-store user; I spend many lunch hours in Barnes & Noble. Sadly, I've witnessed the security section continue to dwindle, in some cases to nearly nothing. This means I don't get the chance to idly browse various books and find ones I didn't know about. I find it difficult to "browse" books online, as I do like to open them up and get a feel for the content and presentation before picking something up. I understand computer security books are not a lucrative niche to spend shelf space on, but some of us care! :) The number of books I've bought has been roughly directly related to the selection I have at my bookstores.

Of note, other than your blog and the book shelves, I really also don't get notified of any new books in security either. I'm not sure how to fix that, as I also don't want email advertisements either. That might mean there is room for an RSS feed/blog about books and book releases?

c) As a group, I feel IT is still pretty overworked and misunderstood. Any sort of economic downturn certainly doesn't help issues (my company is not hurting, but even we have lost a needed position in the past few months). This means less free time available for technical endeavors.

Jebediah Webb said...

My big problem is the fact that by the time a book is published on a specific topic, it is already dated. This industry is way to much of a moving target to try and publish anything that will be relevant by the time it hits the bookshelves.

Steve Lodin said...

Funny you should list PUIS. I was in the COAST Lab under Spaf at the time and we got the "privilege" of reviewing the chapters :-). AKA slave labor :-).

Personally, I agree with the Syngress comment above and think proliferation has led to decline in quality. It used to be that industry luminaries (Ches, Larry Wall, Eric Allman, Cricket, etc...) published books, now anyone can be convinced to put together a book.

Security Shoggoth said...

As for books I'd like to see? Perhaps something in the live response or malware analysis topics. There aren't many books out there which dedicate themselves to "new" security topics and I understand the reason behind why. When it can take more than a year to get a book published, the information becomes old.

I'm curious - how long does it take you to read a book? You seem to be able to read them very quickly.

Richard Bejtlich said...


It really depends on the book and how deeply I decide to get involved with it. A "hands-off" book that's more theory and less application is faster than a book where I try most or all of the exercises or examples. Still, I might read a book like that faster than the theory book because I prefer practice to theory. "It depends" I guess.

Upton said...
This comment has been removed by a blog administrator.
dghnfgj said...
This comment has been removed by a blog administrator.