This is primarily a textbook for a one semester, or possibly two, college course for third year CS students and above. The coverage is wide but not deep, though the author makes up for the lack of depth by providing copious references and exercises relating to those references. For example, Nessus and nmap are briefly mentioned, but the author does provide guidance for going deeper into vulnerability and network scanning, and these tools come with lots of online support.
The first chapter covers general security principles. The author actually has a list of 20 security principles that get referenced throughout the book, although they are in an optional section near the end of the chapter. Other general topics include threat modeling and attack trees, both covered in a few pages.
The next three chapters are related to cryptography, a topic the author knows well and covers without a lot of equations. Chapter two covers basic cryptography, chapter three authentication, which relies on cryptographic hashes in many cases, and chapter four covers authentication protocols, such as Kerberos.
Chapter five discusses what I consider a more traditional security topic, operating system security and access control. Chapter six delves into software security, as well as exploits and privilege escalation, again, quite traditional topics. Chapter 7 digs into malicious software and seems very up-to-date to me.
Chapter 8 veers back into cryptography with coverage of public-key certificate management, an appropriate prelude to chapter 9, Web browser security. I like his explanation of cross-site scripting, as it was much clearer than any I've encountered. Chapter 10 covers firewalls and tunnels, chapter 11 intrusion detection and network-based attacks. I found this description a little confusing, as these were attacks relying on networking, like a SYN flood, rather than attacks from a network against a particular service or host, but that's my own perspective.
Chapter 12 is new to the second edition, and covers the development and security of WiFi. The author is kind to the developers of WEP and WPA, even as he uses them as design patterns for things you want to avoid when designing standards for secure networking.
Chapter 13 covers blockchains and related technology, as these are popular and likely will continue to be used in some form, long after the interest in cryptocurrency has faded away, like Bernie Madoff.
There is extensive use of color, all comfortable pastels, to distinguish newly introduced terminology, file names, examples, paragraphs, exercises, and so on. I counted sixteen newly introduced terms on one page, easily discovered in their italic fonts and green color, and I mention this not just because of the wide use of typesetting conventions but also as an indication of how full of concepts this book is. There are 13 typographic conventions, and they appear in both the print and e-book versions.
Non-students could use this book for self-study, and just reading it (as long as you have a very good memory) would be an excellent primer for a CTO or a programmer interested in security. I found the information to be accurate, based on my own long experience with teaching UNIX, Windows, and Internet security professionally. Someone who really wants to learn security, deeper than the average C-level executive, also needs to work the exercises in this book. And any instructor needs to do the same: enhance the book by creating exercises, where students will actually begin to embody security concepts.
In summary, a carefully written book about a broad and critical topic.