
Computer Security and the Internet

Tools and Jewels, from Malware to Bitcoin
April 8, 2022
Book review
Authors: Rik Farrow
Article shepherded by: Rik Farrow

I felt somewhat conflicted about reading this book. I had written a related book, now decades out of date, and taught security classes for two decades. That makes the topics familiar to me, but also leaves me feeling very opinionated about how one should approach teaching security. That said, I do think this is a very good book, clearly written.

This is primarily a textbook for a one- or two-semester college course for third-year CS students and above. The coverage is wide but not deep, though the author makes up for the lack of depth by providing copious references and exercises relating to those references. For example, Nessus and nmap are briefly mentioned, but the author does provide guidance for going deeper into vulnerability and network scanning, and these tools come with lots of online support.

The first chapter covers general security principles. The author actually has a list of 20 security principles that get referenced throughout the book, although they are in an optional section near the end of the chapter. Other general topics include threat modeling and attack trees, both covered in a few pages. All in all, this chapter does a very good job of providing the necessary background for the remainder of the book.

The next three chapters are related to cryptography, a topic the author knows well and covers without a lot of equations. Chapter two covers cryptography principles, chapter three authentication, which relies on cryptographic hashes, and chapter four authentication protocols, such as Kerberos. I searched the index for zero-trust, the security system developed by Google that relies heavily on encryption, authentication, and proofs of authorization, but didn't find any mention of it. Cryptography is important to computer and network security, so I do understand the author's intent in putting these chapters at the beginning of his book.

Chapter five covers what I consider a more traditional security topic, operating system security and access control. Chapter six delves into software security, as well as exploits and privilege escalation, again, quite traditional topics. Chapter seven digs into malicious software and appears very up-to-date.

Chapter eight veers back into cryptography with coverage of public-key certificate management, an appropriate prelude to chapter nine, Web browser security. I like his explanation of cross-site scripting, as it was much clearer than any I've encountered. Chapter 10 covers firewalls and tunnels, chapter 11 intrusion detection and network-based attacks. I found the description "network-based attacks" a little confusing, as these were attacks relying on networking, like a SYN flood, rather than attacks from a network against a particular service or host, but that's my own perspective.

Chapter 12 is new to the second edition, and covers the development and security of WiFi. The author is kind to the developers of WEP and WPA, even as he uses them to explain design patterns you want to avoid when devising standards for secure networking.

Chapter 13 covers blockchains and related technology, as these are popular and likely will continue to be used in some form, long after the interest in cryptocurrency has faded away, like Bernie Madoff. Blockchains may indeed remain as a public ledger.

There is extensive use of color, all comfortable pastels, to distinguish newly introduced terminology, file names, examples, paragraphs, exercises, and so on. I counted sixteen newly introduced terms on one page, easily discovered in their italic fonts and green color, and I mention this not just because of wide use of typesetting conventions but also as an indication of how full of concepts this book is. There are 13 typographic conventions, and they appear in both the print and e-book versions.

Non-students could use this book for self-study, and just reading it, as long as they have a very good memory, would be an excellent primer for a CTO or a programmer interested in security. I found the information to be accurate, based on my own long experience with teaching UNIX, Windows, and Internet security professionally. Someone who really wants to learn security, deeper than the average C-level executive, also needs to work the exercises in this book. And any instructor needs to do the same--enhance the book by creating exercises, where students will actually begin to embody security concepts.

I generally don't read textbooks, but I can vouch for the accuracy and clarity found in Van Oorschot's latest book, and can recommend it to those serious about getting introduced to security. The topic is very broad, as evidenced by the number of important security conferences and the hundreds of papers published every year, not to mention the billions made selling security products and services. You can also find a PDF of this book on Van Oorschot's web site, so you can sample it before buying.

Computer Security and the Internet

 Tools and Jewels, from Malware to Bitcoin

Second edition, Springer 2021, 446 pages

ISBN 978-3-030-83410-4
Article Categories: 
Security
Last updated April 8, 2022
Authors: 

Rik Farrow has been a consultant for 40 years. He has written two books, as well as worked as the technical editor for a UNIX magazine and for two editions of a popular operating system book. He also taught UNIX system administration and Internet security during the 90s internationally, and worked as a volunteer for USENIX program and steering committees. Rik has been the editor of ;login: since 2005.
