Power User: Time to catch up on your red-hot security reading

John McCormick

Summer is a great time to relax and dig into your pile of IT reading, especially the red-hot area of IT security.

I plan to load up my Gateway Tablet PC with thousands of pages and move my office to the patio. The only reason I'm not toting along books is that I spent recent months reading up on several resources that I recommend to you.

Microsoft Press has an excellent step-by-step series that leads you through the basics of learning a new language fast and painlessly.

OOP with Visual Basic .Net and Visual C# .Net by Robin A. Reynolds-Haertle, ISBN 0-7356-1568-3, is a hands-on introduction for Microsoft Visual Studio users new to object-oriented programming.
Visual Basic .Net by Michael Halvorson, ISBN 0-7356-1374-5, is more basic. Both books come with lots of coding examples stored on CD-ROM.

Another good Microsoft Press book is Writing Secure Code by Michael Howard and David LeBlanc, ISBN 0-7356-1588-8. This, too, is full of examples and code in the text as well as on CD-ROM. As a Tablet PC user, I appreciated the e-book copy.

Building Secure Software: How to Avoid Security Problems the Right Way by John Viega and Gary McGraw, ISBN 020172152X, is part of the Addison-Wesley Professional Computing Series and very useful for those working on Internet applications. The book delves into details of real-world coding problems. It's easy to read but still has a lot of meat.

Another Addison-Wesley book, Building Portals, Intranets and Corporate Web Sites Using Microsoft Servers by James Townsend, Dmitri Riz and Deon Schaffer, ISBN 0-321-15963-2, contains some code but is more of a general introduction for experienced programmers who are new to Microsoft Windows Server 2003.

Like many new programming books, this one pays special attention to security. Despite the word 'corporate' in the title, it's suitable for government developers. In fact, one example uses the National Transportation Safety Board's Web site.

Computer horror

My favorite security book is Ross Anderson's Security Engineering: A Guide to Building Dependable Distributed Systems from Wiley Computer Publishing, ISBN 0-471-38922-6. This is the book Stephen King would have written if he turned his imagination to computer horror.

In it, Anderson lays out the known and potential vulnerabilities of international banking and automated teller machines and the like. He shows how easy it can be to hack a smart card. There's even a chapter on what can go wrong in nuclear command and control.

Anderson also describes a so-called Tempest virus that could cause a computer to broadcast data wirelessly. It's an interesting, if scary, read and accessible to anyone interested in electronic security.

There are a few rather technical sections covering things such as differential fault analysis, but most of the book simply discusses how critical infrastructures have been or might be successfully attacked.

As for those downloads I'll be perusing on the patio, here are two of general interest to GCN readers.

A fascinating report on 'Improving Security across the Software Development Cycle,' at www.cyberpartnership.org/SDLCFULL.pdf, says in part that Indian programmers are being hired not only because they are less expensive but because they are trained to program securely while in school, whereas U.S. universities fail to train programmers properly.

Here's a memorable quote from Page 17: 'The United States doesn't have very many university programs with adequate education in software security, and as a nation, we are unable to produce the practitioners we need to build and operate the secure systems we need for our critical infrastructures.

'Few people would accept medical treatment from practitioners who were originally economics graduates, operated on people in their spare time, and went through a rapid training program to become doctors. But as a nation, the United States has taken exactly this position with regard to engineering software systems that run critical infrastructures upon which many lives depend.'

Microsoft has acknowledged that C is a very insecure programming language and is finishing up a major effort to improve the standard C libraries. To read about them, go to www.gcn.com and enter 247 in the GCN.com/box.

John McCormick is a free-lance writer and computer consultant. E-mail him at powerusr@yahoo.com.
