Wednesday, April 14, 2010

Book Review: Beautiful Security

It has been said there are two types of education - content expanding and context expanding. Content expanding is about acquiring a skill, knowledge, technical aptitude in order to carry out a task. Context expanding doesn't provide you with a specific skill so much as it allows you to apply what you already know to a broader number of situations. Beautiful Security falls into the latter category.

The book is a collection of stories from some of the true thought leaders of the industry. Some of them are war stories from the trenches, some of them are simply lessons the authors wish to impart, but all of them are intended to convey to the reader a sense of how security can, in fact, be beautiful. For those who sit outside of the industry, I think it is a good glimpse of the beauty we practitioners see when good security practices come together, and which a great deal of the time we take for granted.

What makes it difficult to review is that so many of the stories appealed to me. Some of them (Ch. 1, 3, 5, 10, 11) made me look at old problems in a new light. Most of them (Ch. 2, 4, 6, 8, 9, 10, 12, 13, 14, 16) I found educational but largely aimed at those coming into this book with no security experience (or perhaps specialists with a less broad focus).

I would like to draw particular attention to Chapters 5, 9, 13 and 15, done by Ed Bellis, Mark Curphey, Dr. Chuvakin and Peter Wayner respectively. In particular, the content in these chapters is something I'm quite familiar with for the most part. However, I was particularly impressed by the manner in which they conveyed their points. I hope that the reader sits back and considers the message, googles their names (if they have never heard of them) and truly gets a sense of the depth of their experience. In doing so, hopefully, the reader will give more serious consideration to how these lessons can be applied to their own lives. This could be owing to my own experiences and particular interest in security architecture, so I must admit my bias - but nevertheless, I do think many security folk have tunnel vision and often neglect to see the wider sphere in which they operate.

I realise I have skipped a chapter. Where is Chapter 7? Alas, this chapter was the only downer for me - and it was a big one, given the authors were Phil Zimmermann and Jon Callas. This chapter was basically a history piece, discussing PGP and explaining the concept of the web of trust. I'd like to be impartial and state that I'm sure this is an example of a chapter that was intended for those who do not work in information security, and as such, have no concept of the web of trust. That said, this chapter was so painful to read, so dry, that it failed utterly in its ability to convey anything beautiful about cryptography, let alone security (in fact, I think Mark Curphey did a much better job just touching on it when he explained how the ancient Egyptians used scytales on page 148). In fact, I found this chapter so badly written it soured my view of the book completely - to the degree that I must suggest experienced infosec professionals simply skip it.

I don't want to belabour the point - but it soured my view so utterly that it forced me to consider just what message O'Reilly sent to the prospective authors when proposing they write a piece on information security. All of the authors, in their own unique way, were able to articulate their point and relate it back to what they found beautiful about security (or at least a specific scenario). Phil and Jon couldn't even achieve that. I'm sorry guys, but that's a Fail.

Do I think the book was worth it? Well, yes, it was given to me for free (thanks O'Reilly!). But yes, I would pay money for it. I think the book has real value for anyone. Heck, I could probably give it to my mother to get an inkling of what I do. For the most part it is a reasonably easy digest. My honest hope is that prospective practitioners, perhaps fledgling uni students or high school students, will pick up the book and glean something that will inspire them to enter the field. Truth is, I wish I had more books like this when I knew this was the industry I wanted to work in.

Rating: 8.5/10

- J.