REVIEW: "Developing Trust", Matt Curtin
- BKDEVTRS.RVW 20020514
"Developing Trust", Matt Curtin, 2002, 1-893115-72-0, U$39.95
%A Matt Curtin cmcurtin@...
%C 175 Fifth Ave., New York, NY 10010
%O U$39.95 212-460-1500 800-777-4643 orders@...
%P 282 p.
%T "Developing Trust: Online Privacy and Security"
The title, foreword, preface, and introduction aren't terribly clear
about the purpose of the book. Ultimately, the key word seems to be
not trust, but privacy: the work appears to be directed at providing
tips for developers, of all stripes, to help maintain the
confidentiality of information.
Part one is a generic introduction to security and privacy. Chapter
one, entitled "Why Privacy," seems, ironically, to move us even
further away from the topic of privacy. The emphasis of the chapter
is on intrusions, although the reconnaissance phase does get the most
space. (The subtitle, "Why This Book," does not appear to be
addressed.) The discussion of privacy theory, in chapter two, flips
back and forth between the technical issues of identity authentication
and access control, and the social concepts of privacy, failing to
make hard relations between the two ideas. A partial list of basic
conceptual security terms are reasonably well defined in chapter
three. Chapter four does start to get into privacy issues, specifying
a number of notions important to protecting confidentiality in an
online (generally Web based) environment. A number (but not an
exhaustive list) of threats to privacy are discussed in chapter five.
Part two looks at the problem. Chapter six provides a concise list of
the basic principles of development of secure applications.
(Interestingly, Curtin uses the principle of least common mechanism as
an argument for the adoption of modular code, where others might say
that it was a reason to avoid modularity.) Background concepts for
the Internet and Web, the basic development environment assumed for
the book, are given in chapter seven. Some specific examples of
privacy problems on the Web are presented in chapter eight.
Part three outlines the cure. Chapter nine reviews some basic
security protections, such as firewalls and constrained systems. Opt
out systems are criticized in chapter ten. "Earning Trust," in
chapter eleven, points out that providing privacy for customers is not
just a cost and a nuisance, but good business. A structure for
analyzing and designing secure Web systems is proposed in chapter
Strangely, while the book is disjointed and difficult to pin down as
to the central theme, ultimately it could be quite valuable. In the
end, the title is appropriate, albeit in a punning fashion: the
content is directed at developing trustworthy applications. The
literature in the field of developing secure applications is not
extensive, and much of it is either ethereally academic or completely
language specific. This book attempts to be practical, and, while
hardly ever touching on implementation, the precepts suggested are a
sound foundation. Security professionals would find the general
background limited, but developers will neither be snowed under by
esoteric discussions nor left with too many vulnerabilities uncovered.
The specifics in the book deal with the Web, but the tenets of secure
design are applicable to all systems.
copyright Robert M. Slade, 2002 BKDEVTRS.RVW 20020514
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... rslade@... slade@... p1@...
Materialists are Object-Oriented
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade