BY CLIFFORD NEUMAN,
Computer Security Books
These are books that I refer to frequently related to computer
Click on the book title for more details about the book.
Kerberos: A network authentication system - Brian Tung. 1999.
- This book is a beginner's guide to Kerberos, whether the reader is
a user, administrator, or developer. It describes the basic
functionality of Kerberos in an easy-to-understand style and provides
step by step instructions for using several common interfaces. While
not highly technical, it does refer the reader to other sources where
necessary. This would be the book I'd recommend to end users wanting
to know more about Kerberos.
The Practical Intrusion Detection Handbook - Paul Proctor. 2000.
- This book provides a thorough introduction to intrusion detection,
why you need it, and how it works. It covers the strengths and
drawbacks of the different approaches to intrusion detection,
host-based and network-based. It explains how to effectively use
intrusion detection systems for several scenarios and discusses some
of the non-technical issues associated with deploying such systems.
For those looking to select an intrusion detection product it
discusses the strengths and limitations of many of the current
Web Security Sourcebook - Aviel Rubin, Daniel Geer, and Marcus Ranum. June 1997.
- This book provides excellent high level coverage of the security
issues affecting the World Wide Web. The material is presented in a
way that is understandable to individuals without a computer security
(or even a computer programming) background. The book is useful to
web users and web administrators. It explains many of the security
problems associated with Web browsers, Java, and the particular way
that many web servers can be misconfigured (e.g. the dangers of CGI
scripts, etc). Above all, this book tells web users and
administrators what not to do, and why doing these things can be
dangerous. I list this book as recommended reading for students in my
tutorial on web security.
Applied Cryptography, 2nd edition (paperback or hardcover) - Bruce Schneier. December 1995.
- This book collects into a single volume a huge amount of
information about protocols and cryptosystems that are relevant to
computer security. It is the most complete collection of such
information that I have seen, and it is one of the first resources
turned to by many researchers when they need technical information
about a particular algorithm or system. My one complaint regarding
this book is directed at many of the users of the book. The book
allows those who are lazy to stop their search here - and in many
cases they cite this book as the origin of the information, instead of
finding the original papers from which the material was collected.
This book does cite all the original papers, so it is easy to do the
right thing. My advice: use this book as a reference, but don't be
lazy. If you are writing about any of the systems described in this
book, be sure to follow the references too.
Building Secure Software - John Viega and Gary McGraw. 2001.
- This book addresses one of the critical problems in computer
security, that so much of the software we use has bugs. It is
intended for the programmer of such systems and provides guidance on
how to develop programs that avoid these pitfalls. It addresses
topics of program structure, as well as how to avoid some of the often
repeated pitfalls in programming, like buffer overruns. This book is
a must read, telling you how to fix the security problem rather than
just how to mitigate the problem by applying band-aids (firewalls).
Writing Secure Code - Michael Howard and David LeBlanc. 2002.
- This book addresses the problem of writing secure software. It
covers program design, as well as pitfalls like buffer overruns. It
talks about which programming interfaces are safer than others, and
testing. A large part of this book is focused on .NET and similar
PGP: Pretty Good Privacy - Simson Garfinkel. January 1995.
- Of the books I have seen, this is the best book available on PGP.
This book covers the history and the philosophy of PGP and provides
step by step instructions for obtaining, installing, and using the
system. The main drawback of the book is that the step by step
instructions are somewhat dated as there have been changes to the
system since 1995. Despite this shortcoming, this book would be my
choice for anyone wanting to learn what PGP really does. The reader
can always find step-by-step instructions for the latest releases in
the documentation accompanying the software itself.
Firewalls and Internet Security: Repelling the Wily Hacker - William Cheswick and Steven Bellovin. June 1994.
- This is the classic book on internet firewalls, describing what
they can do, and more importantly what they don't do and why they are
only one tool in an arsenal needed to secure a network. The book is a
bit dated leaving out detailed discussions of virtual private networks
and IPSec, but I expect that to be corrected in the new version.
Building Internet Firewalls - Brent Chapman and Elizabeth Zwicky. September 1995.
- Though also a little bit dated with respect to the specific
attacks you might see and some of the bugs commonly exploited in
today's services, this book still provides a good overview of the
philosophy of firewalls, and guidance for selecting and configuring the
right firewall for your organization. The book starts with an overview of
network security. It then discusses how to choose and configure
firewalls and how to set up network services to work with them. The
book concludes with a discussion of security policies and guidelines
for maintaining your systems securely.