Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Security in Computing", Charles P. Pfleeger/Shari Lawrence Pfleeger

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKSCNCMP.RVW 20030209 Security in Computing , Charles P. Pfleeger/Shari Lawrence Pfleeger, 2003, 0-13-035548-8, U$79.00/C$122.99 %A Charles P. Pfleeger %A
    Message 1 of 1 , Mar 5, 2003
      BKSCNCMP.RVW 20030209

      "Security in Computing", Charles P. Pfleeger/Shari Lawrence Pfleeger,
      2003, 0-13-035548-8, U$79.00/C$122.99
      %A Charles P. Pfleeger
      %A Shari Lawrence Pfleeger s.pfleeger@...
      %C One Lake St., Upper Saddle River, NJ 07458
      %D 2003
      %G 0-13-035548-8
      %I Prentice Hall
      %O U$79.00/C$122.99 +1-201-236-7139 fax: +1-201-236-7131
      %O http://www.amazon.com/exec/obidos/ASIN/0130355488/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0130355488/robsladesin03-20
      %P 746 p.
      %T "Security in Computing"

      This work is still obviously a textbook. The attempts to target it at
      a "professional" audience are possibly more convincing than in the
      first edition, but it still reads like a text, and includes material
      that is addressed at a scholastic, rather than experienced, audience.
      Even as a textbook it difficult to say that it succeeds. It addresses
      a broad range of computer security related topics, although there is a
      notable shortage of material dealing with formal security models,
      access concepts, operational procedures, physical security, and
      business continuity. The level of detail in the different areas
      varies greatly, but the shortcomings of the book could be addressed in
      the hands of a competent teacher.

      The ten chapters in the book are not divided into parts, but seem, in
      some cases, to come in chunks. The introductory chapter is an
      overview of basic concepts involved with system security.
      Unfortunately, not all of them are explained fully. The idea of
      controls, for example, is a vital one, but the full ranges and types
      of controls are not outlined. There are also some not-quite-standard
      additions to the lexicon, such as an attempt to divide threats into
      four classes: interception, interruption, modification, and
      fabrication. It is difficult to see why fabrication is added to the
      list, or why this provides a clearer view of threats than simply
      looking to the opposites of confidentiality, integrity, and
      availability. Cryptography starts in chapter two (and, oddly, ends in
      chapter ten). The early coverage steps through different types of
      simple encryption algorithms, followed up by cryptanalysis of the
      same. It strenuously avoids using any arithmetic, which makes
      discussions of key sizes and strengths a bit difficult, but throws in
      lots of symbolic logic, which seems to serve only to cloud the issue.

      Chapter three starts what might be seen as a section on secure systems
      development. This is an important, and often neglected, topic, and is
      generally covered reasonably well. However, the material is not
      always completely clear and rigorous. For example, it is implied that
      Thompson, rather than Cohen, was the first to investigate viruses.
      Leaving aside the fact that Cohen's work started a year before
      Thompson's lecture (only the date of Cohen's graduation is given),
      Thompson's thought experiment proposed only an extremely limited form
      of reproduction. Again, when discussing covert channels, both the
      terms "timing channel" and "storage channel" are used, but all the
      examples given relate only to timing channels. Operating system
      protections are supposed to be covered in chapter four, but the
      content is an odd amalgam of computer architecture and high level
      access control. In regard to designing trusted operating systems,
      chapter five starts with a very poor outline of formal models (the
      test is not clear, and, again, the addition of symbolic logic fails to
      assist in the tutorial), presents a fair review of operating system
      requirements, and then spends a lot of time going over various
      evaluation criteria, without presenting much content of any use. The
      outline of database security is disappointing: chapter six spends too
      much time on specific details, while almost ignoring major concepts
      such as aggregation.

      Chapter seven, the longest in the book, devotes excessive space to
      basic communications technologies, including two copies of the section
      on transmission methods. Administration, in chapter eight, provides
      the usual generic advice on planning, risk, and policies.
      Intellectual property, computer crime, and ethics are presented as
      problems with no solutions, in chapter nine. The closing chapter
      provides a whirlwind of the mathematics related to cryptography in an
      impressive, disorganized, and basically pointless display.

      This book could definitely use a wholesale reorganization and cleanup.
      The level and tone of the content varies tremendously from section to
      section, even within given chapters. While most computer security
      topics appear somewhere within the work, there is very little in the
      way of logical flow or links between subjects. Major areas seem to be
      thrown in with minor sections simply because they had to be put
      somewhere. In terms of textbooks, I do not know that there is much to
      choose between this volume and Bishop's "Computer Security: Art and
      Science" (cf. BKCMSCAS.RVW), although Pfleeger and Pfleeger might have
      a slight edge. Certainly Gollman's "Computer Security" (cf.
      BKCOMPSC.RVW) is superior to both. And, depending upon the course,
      Anderson's "Security Engineering" (cf. BKSECENG.RVW) probably outranks
      them all.

      copyright Robert M. Slade, 1993, 2003 BKSCNCMP.RVW 20030209

      rslade@... rslade@... slade@... p1@...
      Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
      Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
      March 31, 2003 Indianapolis, IN
    Your message has been successfully submitted and would be delivered to recipients shortly.