I spent the last boom working with a team that took security very (very) seriously. As a result, when I look at most of the software I use---at the web sites I sign into every day, or at the dozen and one applications I run on my desktop---I can't help but wonder how many holes they have. Everyone now acknowledges the scale of the problem, but all too often, good intentions aren't translated into practice because developers simply don't know where to start.
Kenan and McGraw's new books can both help. Kenan works for Symantec; his book is a very detailed look at how to go about securing data that's stored in relational databases. And when I say "detailed", I mean it: this is a brick-by-brick description of a security architecture that covers everything from crypto engines and key management to the process changes needed to produce hardened requirements. The extended example that takes up the last third of the book shows how to put these ideas into practice using Java.
In contrast, McGraw's book is more forest than trees. While his earlier books focused on secure coding, this one steps back and looks at what development teams have to do to ensure that security gets built into the product from the start. Its material is organized into three broad themes: risk management, touchpoints, and general knowledge. The first and third are self-explanatory, and his discussion of them is mostly common sense (i.e., things most of us would realize only in hindsight). The second is a set of best practices: abuse cases to go with your use cases, risk-based security testing, code reviews and reviewing tools, penetration testing, and so on.
McGraw's book is a lot to absorb: more step-by-step examples like the ones in Kenan's book would certainly have made its 448 pages easier to digest. On the other hand, it does cover the whole process from end to end, while Kenan focuses solely on one technical aspect.
Kevin Kenan: Cryptography in the Database. Addison-Wesley, 2005, 0321320735, 312 pages, $44.99.
Gary McGraw: Software Security: Building Security In. Addison-Wesley, 2006, 0321356705, 448 pages, $49.99.