Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Books Look at Security Inside and Out

    By
    Peter Coffee
    -
    April 12, 2004
    Share
    Facebook
    Twitter
    Linkedin

      Many IT security efforts fail in the short run by ignoring or even conflicting with IT users, or fail in the long run by burying IT operators under an avalanche of bewildering and disorganized details.

      We were therefore pleased when two new books that avoid these errors crossed our threshold, within days of each other, even though they look at the problem from radically different perspectives. Each provides a wealth of valuable insight and practical advice for the independent developer or consultant and the in-house IT pro.

      Theres a wicked and visceral appeal in the promise made by the latest title from secure-code maven Gary McGraw. His new book, co-authored with Greg Hoglund, www.rootkit.com founder and hacking guru, is brashly titled “Exploiting Software: How to Break Code” (Addison-Wesley, $49.99), and it attacks the dangerous misconception that IT security means network security.

      “Most of the defensive mechanisms sold today,” the book asserts, “do little to address the heart of the problem—bad software. Instead they operate in a reactive mode.”

      While millions of dollars are spent to control the perimeter, McGraw and Hoglund warn, “Network traffic is not really the best way to approach the problem.” The applications that must be exposed to the outside world, because they represent the function of a system, are rife—their research finds—with dangerous defects.

      When large and critical bodies of source code become unexpectedly available for expert scrutiny, the results are often embarrassing. In his foreword to “Exploiting Software,” noted computer scientist and e-voting skeptic Aviel Rubin describes his reaction to the July 2003 source code leak at Diebold Election Systems: “Security and coding flaws were so prevalent that an attack might be delayed because the attacker might get stuck trying to choose from all the different vulnerabilities to exploit.”

      Rubin hastens to add, “Such delay tactics are not recommended as a security strategy.”

      But speaking of delays, McGraw told eWEEK Labs that this book took three years to write because that very proliferation of bugs across innumerable systems demands what McGraw calls “scientific organization” of attackers most effective strategies into what the book identifies as 49 “attack patterns.”

      These patterns are not mere recipes for conducting specific attacks. “Script kiddies wont like this book,” the authors say toward the end of Chapter 1, “because we dont simply give away just add water hacks.”

      Security guru Bruce Schneier has compared many IT attackers to thugs who buy cheap handguns without knowing—or needing to know—anything about the technology of making the weapon.

      “This book is about crafting guns by hand,” write McGraw and Hoglund, adding: “Software systems are, for the most part, proprietary, complicated, and custom-made. This is why exploiting software is a nontrivial undertaking.”

      But “nontrivial” though it may be to crack real systems, the books distillation of a universe of sloppy code into a physics of software attack is an effective device for making software developers face their responsibility to think about security issues.

      “Most developers today remain blithely unaware of software security,” McGraw and Hoglund conclude from their real-world observations. The results, they warn, include client-side applications that assume nonhostile users, a problem they often find to be compounded by naive trust relationships that give ordinary applications “way too much systemwide privilege.”

      Black hat, white hat

      Two books perspectives on IT security

      “Exploiting Software”

      • Network security is not the answer
      • Security systems are themselves vulnerable software
      • Attack patterns can be identified and blocked by good practice

      “Security Assessment”

      • Not all security problems are equally important
      • Information types are more fun-damental than IT systems
      • User organizations must participate in defining priorities

      IT managers should not overreact by defending every system to the limit of available technology. That would be one of the main errors targeted by the other book we want to bring to readers notice: “Security Assessment: Case Studies for Implementing the NSA IAM,” by Greg Miles and others (Syngress, $69.95).

      NSA is the National Security Agency; IAM is Information Assurance Methodology, the process that NSA developed for certification of provider organizations to help it handle the exploding workload of securing federal systems.

      This is the best guide weve ever seen to the real-world process of getting IT user organizations to ask themselves what types of information they use, what impact they would suffer from lack of security involving those information types and what measures they are prepared to take toward those ends.

      The subtitles reference to case studies suggests these will dominate the book, but the content we found most compelling was the useful mix of conversational process guidance plus checklists and templates for conducting assessment efforts.

      With “Exploiting Software” to make the dangers clear and “Security Assessment” to help organizations put those dangers in context, these books are worth adding to any IT professionals spring reading list.

      Technology Editor Peter Coffee can be reached at [email protected].

      /zimages/1/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
      Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

      Peter Coffee
      Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×