1/11/2012 -- A great many new titles on system and network security have hit the bookshelves recently, with three standing out among the masses. While none of these titles are study guides, these books can still be used as resources if you are studying for a security certification, or just to round out the knowledge you need to keep one step ahead of the malware and miscreants. We'll take a look at each of the three and what makes each one worthy of note.
Web Application Security: A Beginner's Guide
Don't let the "Beginner's Guide" throw you for too much of a loop. The feature that makes this book stand out from the pack is the team of authors. Bryan Sullivan used to be the security program manager at Microsoft and is currently the senior security researcher at Adobe. His coauthor, Vincent Liu, led the Attack & Penetration and Reverse Engineering teams for Honeywell and was an analyst for the National Security Agency. To say this is a strong team of authors hardly scratches the surface.
There are three parts to the book and nine chapters:
- Welcome to the Wide World of Web Application Security
- Security Fundamentals
- Authentication
- Authorization
- Browser Security Principles: The Same-Origin Policy
- Browser Security Principles: Cross-Site Scripting and Cross-Site Request Forgery
- Database Security Principles
- File Security Principles
- Secure Development Methodologies
In my opinion, the chapter on Cross-Site Scripting/Request Forgery is worth the cost of the book alone. This is a problem/vulnerability that seems to be exploited more every day, and there are few good sources on it.
Security Metrics: A Beginner's Guide
One of the biggest issues with security is justifying the costs associated with it. When IT budgets are being trimmed and slashed, it can be hard to explain why security should be exempt from such actions and to obtain shareholder buy-in. That is where this book from Caroline Wong comes in. Wong is the former chief of staff for the Global Information Security Team at eBay and helped build their metrics from the start.
The 17 chapters are divided among eight parts, and the titles of the parts pinpoint the material covered quite well:
- Why Security Metrics?
- Essential Components of an Effective Security Metrics Practitioner
- Decide What to Measure
- Get Started
- Toolkit
- Creating the Best Environment for Healthy Metrics
- Secret Sauce: Lessons Learned from an Enterprise Practitioner
- Looking Forward
The chapter worth special recognition in this book, in my opinion, is "Falling beneath the Toolkit." Technologies are discussed first, and then you're given a scenario for Acme Corporation -- a large, public, multinational pharmaceutical company -- and you walk through their issues, with the lessons learned given at the end.
Securing the Clicks: Network Security in the Age of Social Media
Leaving the "Beginner's Guide" series, Gary Bahadur, Jason Inasi, and Alex de Carvalho have written a guidebook for analyzing risk and formulating solutions. The focus on social media is both timely and indispensable in today's environment. The 18 chapters are divided into five parts:
- Assessing Social Media Security
- Assessing Social Media Threats
- Operations, Policies, & Processes
- Monitoring & Reporting
- Social Media 3.0
Each chapter begins with a case study intended to illustrate the need for the discussion, and those alone are worth the read. They run the gamut from "Expensive Paperweight Gets Fired" to "Domino's Reputation Attack." The book is insightful, illuminating, and recommended for security administrators at all levels.