Security in Computing

[A review of the 4th Edition, that was published in October 2006.] I would compare this book to Matt Bishop's "Introduction to Computer Security". The latter is far more mathematical. Probably too much so for the typical sysadmin who is looking to defend her computers and network. Bishop's book is perhaps best suited to someone who wants to deeply understand cryptosystems and malware, and who might want to design a new cryptosystem or a malware detector. Whereas the Pfleeger book does not stress mathematical formalism at all. Much easier for a broader IT audience to understand. For a sysadmin, programmer, or an IT manager. All you need is some general background in computing, and much of the book will be very intelligible. For cryptography, there are 2 chapters, that give a quick overview of symmetric and public key systems. At the schematic level, with few equations. The seminal RSA algorithm is explained. The second cryptography chapter is actually the book's last chapter. Appropriate, because it is the most mathematical section of the text. It includes a nice Figure 12-3, that is an especially clear schematic of the hierarchies of complexity classes. It should make apparent the distinction between NP and P(olynomial) complete problems. There is a wide survey of malware. For viruses, there are qualitative explanations of how viruses can infect code. The level of detail is not that of more specialised books that focus just on viruses. The text does not give you enough to detect or write a virus. But you can understand how they work, at a level adequate for a sysadmin, say. In other words, if you have computers to defend, and you need to choose between various tools for detection, the book gives you enough education to rationally understand the differences between the methods of those tools. At least to the extent that the toolmakers offer such information, and that it is accurate. For the malware known as phishing, the book does not offer any technical solution. This reflects the current position of much antiphishing thinking. That phishing is social engineering, and no effective technical antidote is known. To which I say, wait a few months. Marvin Shannon and I invented a seminal antiphishing method, and its Patent Pending should soon be published by the US Patent and Trademark Office. I predict that the 5th edition of this book will have a thorough rewrite of antiphishing.

Security in Computing (Third Edition) can serve as an upper division undergraduate or graduate level text book. But if you're not a student, and more pragmatic than theoretical, don't let that scare you off. Each chapter is clearly written, well organized, contains a summary, list of terms used, and a brief "To Learn More" section. The book is very up to date: It includes reasonably detailed discussions on the inner workings of AES and even an introduction to quantum cryptography. All the "old standards" are covered as well, including firewalls, viruses and malware, CIA, database security, policy development, network security, trusted operating systems, security law, cryptography and more.All in all, this is the best general purpose computer security book available. It belongs on the bookshelf of every practicing professional. But you won't want to leave it there - take it down when you need to work in an unfamiliar area. It will help bring you up to speed and point you towards more specialized resources. Minor caution: This is not a book for security beginners, and it helps to have some background in computer architecture, networks, databases and/or administration. But if you've got that, you won't find a better book. And if you don't this book provides enough ground work for quick studies to understand new security material.

In 1989, I read the first edition of "Security in Computing" which was one of the best books in the information security field. Fourteen years later, I find the 2003 third edition even better. This is my primary textbook in a graduate course I teach. I also recommend this text to commercial students who are in my CISSP Common Body of Knowledge seminars. What I like best about this book is the index and the bibliography. Personally, I use this text as a reference to remind myself of the concise descriptions of some difficult security issues or protocols. I also recommend this book for managers to develop insights for interviewing potential candidates. The book, just like the field, is very broad and can assist you in understanding the big picture view in information security. It can help you focus on requirements in the development of a secure computing environment and develop some metrics as you define your security architecture. Having spent several decades in the information security field, I find this to be an excellent book for the classroom as well as the reference shelf of information security practitioner and manager in an enterprise environment.J Holleran, CISSPRetired Technical DirectorNational Computer Security Center

An excellent book. I highly recommend it to software engineers and other computer scientists who desire a good foundation in computer security topics. It is comprehensive, well organized, and chock full of clear, concise examples which assist the reader in understanding complex subjects. The many "real world" vignettes, many of which were fascinating to read, lent credibility and urgency to this important field of study. I would use it as the basis for an undergraduate or graduate course in this field.

This book is still the best textbook on the market. Having reviewed (officially) many of the new competitors to this book, this book is still the best at providing an excellent overview to computing security, especially for computer scientists. While I agree with another reviewer that "Hacking Exposed" is another good book, it is not a textbook and does not provide the theoretical underpinnings that this book does. The old edition (2nd) was getting dated and I was glad to see most of the material that needed updating was. In particular, the networking section was updated and sufficient for my course in computer security. Other books tend to provide a more short-term view of security, than a textbook with solid concepts. This series of editions has done a lot to create a science of security, rather than just a collection of techniques.