Book Review
Department Editor: Warren Keuffel, wkeuffel@computer.org

An Informative (but Nonessential) Look at Security

Paul Sevinç

Inside the Security Mind: Making the Tough Decisions, Kevin Day, Prentice Hall, 2003, ISBN 0-13-111829-3, 309 pp., US$44.99

In Inside the Security Mind, Kevin Day tries to convey the essence of his 10 years of information security experience to an IT-savvy audience. His target audience not only consists of information security practitioners but also IT people in general, including IT managers, in order to raise security awareness at all levels. I applaud Day’s courage to recommend reading the book in its entirety, instead of trying to placate his potential readership by stating that a lot of it can be skipped.

However, it’s irritating when, in the two introductory chapters, Day refers to information security as an art. Isn’t this a step backward, when both the information security and software development communities are working to advance their fields so that they become mature engineering disciplines based on strong scientific foundations? But what Day seems to mean by “security as an art form” is that merely following recipes isn’t enough; creative and, to a certain extent, even paranoid thinking is very important when securing systems. However, my impression is that, despite its title, this book doesn’t put the reader into this state of mind. Ross Anderson’s Security Engineering (Wiley, 2001) better succeeds in that regard.

The book’s key chapters are “The Four Virtues of Security” and “The Eight Rules of Security.” The four virtues are daily consideration, community effort, higher focus, and education. The eight rules are those of least privilege, change, trust, the weakest link, separation, the three-fold process, preventative action, and immediate and proper response. Summarizing these virtues and rules is beyond the scope of this review. Suffice it to say that Day concisely motivates and explains (with examples) all four virtues and eight rules. I agree with all of them, but it would be interesting to know if security professionals with more experience than I would add anything to these two lists.

Some of the other chapters read like a light version of other documents, such as the freely available IT Baseline Protection Manual (www.bsi.de/gshb/english/etc/menue.html) from the German Bundesamt für Sicherheit in der Informationstechnik, the federal IT security office. These additional documents may be less entertaining and may take considerably longer to study, but without them, these chapters of Day’s book remain too abstract. As a gentle introduction to or brief summary of topics discussed (physical defense, for instance), they are nevertheless valuable.

The two chapters I liked in particular were eight and nine, “Practical Security Assessments” and “The Security Staff,” respectively. IT security risk management is still in its infancy, and chapter eight provides useful information about how we might go about approaching it. Chapter nine discusses recruiting and interviewing security personnel, a topic most information-security texts I know don’t even mention.

Overall, is this a book that software developers should read? Well, if you have the time, yes. But if you don’t have time to read a general-purpose security book, reading one on software security (such as Greg Hoglund’s and Gary McGraw’s Exploiting Software, Addison-Wesley, 2004) is probably a better investment of your precious time.

Paul E. Sevinç is a doctoral student and assistant in the information security group of the Swiss Federal Institute of Technology Zurich. Contact him at ersin@computer.org.
