Security Book Publishing Woes
Practical UNIX and Internet Security, 2nd Ed (pub Apr 96) by Simson Garfinkel and Gene Spafford was the first computer security book I ever read. I bought it in late 1997 after hearing about it in a "UNIX and Solaris Fundamentals" class I took while on temporary assignment to JAC Molesworth. Although I never formally listed it in my Amazon.com reviews, I did list it first in my Favorite 10 Books of the Last 10 years in 2007.
Since reading that book, I've read and reviewed over 270 technical books, mostly security but some networking and programming titles. In 2008 I've only read 15 so far, but I'm getting serious again with plans to read 16 more by the end of the year. (We'll see how well I do. I only read 25 last year, but my yearly low was 17 in 2000. My yearly high was 52 in 2006, when I flew all over the world for TaoSecurity LLC and read on each flight.)
Security books are on my mind because I had a conversation with a book publisher this week. She told me the industry has been in serious decline for a while, meaning people aren't buying books. Apparently this decrease in sales is industry-wide, punishing both good books (those recognized as being noteworthy) and bad (which you would expect to sell poorly anyway).
Some people blame the book Hacking Exposed (6th edition due in Feb 09) for creating unrealistic expectations in the minds of book publishers. McGraw-Hill claims HE is the best-selling security book of all time. I've heard numbers between 500,000 and 1,000,000 copies across the editions (not counting the other titles in the HE line.) That blows away any other security book.
I've got about 50 titles on my reading list for the remainder of 2008 and the first half of 2009. About 1/3 are programming books, 1/4 are related to vulnerability discovery, 1/5 could be called "hacking" books, and the remainder deal with general security topics. I only plan to read what I would call "good books," so from my perspective there's plenty of good new-ish books around. However, thus far this year I've only read two five-star books, Applied Security Visualization and Virtual Honeypots.
What do you think of the security book publishing space? Are there too many books? Are there too few good books? Are books too expensive? What books would you like to see published?
Comments
I'd like to see more books addressing current threats published, but I don't think the people that can write those books want to share that information in that medium at this time :-(
From my discussions with publishers the issue exists across the publishing industry - people are buying fewer books. Fewer people read.
Niche areas - like technical books - and within those niches smaller niches - security books - are being hit hard.
I think we're seeing a change in the way people want to get information rather than a backlash against any quality issues.
- James Turnbull
Also, I'd love to see a book on using modsecurity as a WAF.
a) Syngress has too often left a bad taste in my mouth. I can pull out $40-$60 for a really crappy book that is put together poorly or just not all that useful. One bad publisher leads to a tendency to not look at as many books. Or at least be careful with those I do look at.
b) I'm a big book-store user; I spend many lunch hours in Barnes & Noble. Sadly, I've witnessed the security section continue to dwindle, in some cases to nearly nothing. This means I don't get the chance to idly browse various books and find ones I didn't know about. I find it difficult to "browse" books online, as I do like to open them up and get a feel for the content and presentation before picking something up. I understand computer security books are not a lucrative niche to spend shelf space on, but some of us care! :) The number of books I've bought has been roughly directly related to the selection I have at my bookstores.
Of note, other than your blog and the book shelves, I really also don't get notified of any new books in security either. I'm not sure how to fix that, as I also don't want email advertisements either. That might mean there is room for an RSS feed/blog about books and book releases?
c) As a group, I feel IT is still pretty overworked and misunderstood. Any sort of economic downturn certainly doesn't help issues (my company is not hurting, but even we have lost a needed position in the past few months). This means less free time available for technical endeavors.
Personally, I agree with the Syngress comment above and think proliferation has led to decline in quality. It used to be that industry luminaries (Ches, Larry Wall, Eric Allman, Cricket, etc...) published books, now anyone can be convinced to put together a book.
I'm curious - how long does it take you to read a book? You seem to be able to read them very quickly.
It really depends on the book and how deeply I decide to get involved with it. A "hands-off" book that's more theory and less application is faster than a book where I try most or all of the exercises or examples. Still, I might read a book like that faster than the theory book because I prefer practice to theory. "It depends" I guess.