REVIEW: "Beautiful Security", Andy Oram/John Viega

BKBEASEC.RVW   20091008

"Beautiful Security", Andy Oram/John Viega, 2009, 978-0-596-52748-8,
%E   Andy Oram
%E   John Viega
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-52748-8 0-596-52748-9
%I   O'Reilly & Associates, Inc.
%O   U$39.99/C$49.99 707-829-0515 fax: 707-829-0104
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   281 p.
%T   "Beautiful Security"

The preface states that the intention of the book is to a) make sure
that security books sell well, b) show that security is an exciting
career, and c) demolish the idea that security is a separate component
that can be added to any system.  (The first is a tall order, the
second is already a common belief among many who haven't worked in the
field or the real world, and the third is so well established in the
minds of so many that this book had better sell extremely well if it
is to have any chance of success.)  The work is directed at those
interested in starting a career in technology, and interested in the
cutting edge.

With pretty much any collection of essays the quality varies.  It is
also true of this assortment, but the articles in this work are
uninspired and uninspiring.

The first paper notes the psychological factors that lead to
insecurities, and which can be used to direct attacks against systems.
(It promises to suggest how psychological factors can be used against
attackers, but never delivers on that.)  Another essay describes the
common practice of creating fake wireless access points to collect
financial and authentication credentials.  A third suggests that
security metrics can protect companies, but the two examples given are
actually of situations where companies were using metrics: just not
ones that would catch those specific situations.  The underground
economy involved in the organization of blackhat crime is covered in
one piece, and presents material that is fairly simplistic from the
perspective of those who have worked in recent malware research, but
possibly surprising to those who have not.  A review of credit card
security issues in online commerce proposes to outline a new paradigm
for such transactions, but ends abruptly without saying how such a
thing might work.  Another paper notes problems with online
advertising, such as malware and click-through fraud.

One excellent and detailed essay by Phil Zimmermann and John Callas
describes the "web of trust" key signing and validation model from the
PGP (Pretty Good Privacy) program.  The honeyclient method of
searching for malicious Websites is explained in another item.  On the
other hand, the following paper is simply a collection of diverse
opinions without a theme.  An article recommends project management in
software development while another suggests making security a software
requirement: both of these are admirable pieces of advice, but the
papers don't provide any more convincing impetus to do so.  A rambling
dissertation on legal issues related to information security meanders
through a variety of topics, without any central theme.  The article
on factors affecting the usefulness of audit logs is broadly
comprehensive and to the point.  The subsequent paper on incident
detection examines a specific incident, but is otherwise a generic

A bright spot in the book is Peter Wayner's intriguing description of
a system of partial encryption of common databases, where visibility
of the data depends upon location, which would have significant
implications for e-commerce, customer privacy, cloud computing, and
possibly even social networking.  Unfortunately, the book ends on a
slightly sour note, with a paper insisting that everyone is doing
antivirus protection incorrectly, except the company for which the
authors work.

I'm not certain that this work will do anything for the sales of
security texts.  With a few exceptions, the pedestrian writing and
ideas scarcely show that security is an exciting career.  Only one
item is close to the cutting edge.  Security is not approached in a
holistic manner in the material, so the notion of security as a
fundamental constituent, rather than a separate component, of a system
is unlikely to be dislodged.

copyright Robert M. Slade, 2009    BKBEASEC.RVW   20091008
