One, Two, Three
My favorite books these days are Boynton’s Your Personal Penguin and Pratchett’s Where’s My Cow?, but since this is a magazine for programmers, not parents, I’ll turn my attention to six others: one very good, two useful, and three that missed the mark.
The first is Smith and Marchesini’s The Craft of System Security, which is the best undergraduate textbook on computer security I’ve read to date. The authors know their field well—Smith does academic research into trustworthy systems, while Marchesini has worked at several software security companies—and their experience is evident on almost every page.
The book is broken down into five sections: history, the modern landscape (which summarizes flaws in operating systems and networks, and explain where and why they arise), building blocks (including cryptography and authentication), applications (the web, desktop tools, e-cash) and emerging tools, such as formal proofs of correctness, hardware-based security, AI techniques for detecting intrusion, and human factors. The history section was particularly welcome: unlike most books aimed at developers, this one takes the time to explain and critique the US Department of Defense “Orange Book”, Bell and LaPadula’s groundbreaking work on formal analysis of security, and Saltzer and Schroeder’s design principles.
The topics in the middle three sections are more conventional, but still well done. Throughout, the authors hit exactly the right tone and level for their intended audience, use clear, pertinent examples, and provide extensive references to the primary literature. The final section, on emerging tools, is necessarily less nitty-gritty than its predecessors, since much of what they describe is still taking shape. Even there, though, they show how practical theory can be.
My one criticism of the book is that it doesn’t devote as much space as I would have liked to “soft” issues, such as the economics of information security, usability, or developers’ professional responsibilities. That’s a minor quibble, though; at over 500 pages, the book is already going to be a challenge to get through in a single semester course. I believe the rewards for doing so are considerable, and I hope many instructors and students choose to take it on.
Next up is Holmes’ Windows PowerShell Cookbook. Regular readers will know that I think PowerShell (formerly known as “Monad”) is one of the most important developments in practical programming in the last ten years. If you still need convincing, the recipes in this book show why. Yes, the syntax could have been better (there are better models to borrow from than Perl), but look at what you can do when your pipes and filters can pass objects around, instead of having to squeeze everything into lines of plain old ASCII. The core cmdlets show up several times, and hundreds of simple pipes and longer scripts are shown and explained.
Shortcomings? First, I would have liked more for developers, rather than users—if you want to extend PowerShell with new cmdlets, you’re going to need more than what’s here. Second, it all runs only on recent versions of Windows. As a result, examples involving Active Directory and registry manipulation probably won’t make much sense to readers from the other side of the “two solitudes” that are Unix and Windows. Finally, and most importantly, I don’t know why this is a printed book, rather than a dynamic web site. As much as I love flipping pages, I don’t think reference material belongs on paper any more: it’s hard to search, it’s never at hand when you need it, and the under-30s who do most of the world’s programming just aren’t that into dead trees.
I had the same reaction to Burns et al’s Security Power Tools. It contains a wealth of useful information on how to use a wide variety of tools for reconnaissance, penetration, defense, monitoring, and hardening, but some of it is already out of date (damn those new releases), and its 850 pages of often dense text would be more useful to me online and hyperlinked.
That said, it’s more than useful in its present form. The authors build firewalls, VPNs, and intrusion detection products for a living, and their in-depth experience with Linux, Windows, and Mac OS shows through in their examples. Most importantly, they almost never lose sight of the fact that the point of these tools is to find and fix problems. Sys admins and testers will particularly like this book, as it gives them a toolbox full of ways to find out what’s broken before the bad guys do. It’s not for cover-to-cover reading, but for sixty dollars plus shipping and handling, it’s a pretty good investment.
That brings us to the last three books in this month’s column. Shore and Warden’s Art of Agile Development was the best: well written and well organized, it covers everything in the agile canon without ever being preachy. However, it doesn’t say anything new: pair programming, test-driven development, continuous integration, and all the other practices it describes are now standard fare in undergraduate software engineering courses, and I doubt that anyone in industry who actually cares about their craft hasn’t heard about them before.
The same cannot be said of Pelesko’s Self Assembly. As the subtitle says, this book is about the science of things that put themselves together—in particular, about how we might be able to get nanomachines to build themselves in the same way as many biological molecules and other self-organizing systems. Most of it is very new (at least to me), and all of it’s fascinating.
However, playing this game requires more math than most programmers have today. If integrals frighten you, or if you’re not sure what an amphiphile is, a lot of what’s in here will wash right over you. If you’re under 30, this ought to worry you—it’s easy to imagine a future in which knowing aspect-oriented functional concurrent languages is the equivalent of being really good at COBOL, while all the really cool stuff is being done by physicists on nano-quantum thingies. Until then, though, this one is probably something most readers of this column will only want to dip into.
Finally, there is Inmon and Nesavich’s Tapping Into Unstructured Data, which I read in manuscript. To be frank, I’m not sure who this book is for: it doesn’t have enough depth or detail to be useful to programmers, and its “explanation” of the kinds of data to be found in spreadsheets and email messages won’t come as news to anyone in management, either. The authors have impressive credentials, and this is an important topic; it’s a shame the book doesn’t live up to either.
Bryan Burns, Jennifer Stisa Granick, Steve Manzuik, Paul Guersch, Dave Killion, Nicolas Beauchesne, Eric Moret, Julien Sobrier, Michael Lynn, Eric Markham, Chris Iezzoni, Philippe Biondi: Security Power Tools. O’Reilly Media, 2007, 978-0596009632.
Lee Holmes: Windows PowerShell Cookbook. O’Reilly Media, 2007, 978-0596528492.
William H. Inmon and Anthony Nesavich: Tapping Into Unstructured Data. Prentice Hall, 2007, 978-0132360296.
John A. Pelesko: Self Assembly: The Science of Things That Put Themselves Together. Chapman & Hall/CRC, 2007, 978-1584886877.
James Shore and Shane Warden: The Art of Agile Development. O’Reilly Media, 2007, 978-0596527679.
Sean Smith and John Marchesini: The Craft of System Security. Addison-Wesley, 2007, 978-0321434838.
Greg, You might know this but a lot of these books (specifically the Powershell one you wish you had electronically) are available online at safari books. I’m pretty sure thats free if you access it from a utoronto IP address.
Happy new year. You have inspired me to take a look at a few of these.
Thanks for the kind words. One nit about our book though: we’re not just writing for the top 10% of developers. We tried to write a book that was useful for everyone with a stake in successful software development, including the 90% of developers who may have heard of agile practices but haven’t necessarily practiced them in the context of agile development. (I do think we said some new things about trust, success, and value, but they won’t be new ideas to the very best teams.)
Thanks for the comments, Greg.
As Jonathan pointed out — electronic versions of most books are available from their publishers, although it sadly isn’t obvious from a quick (or even exhaustive) jaunt to Amazon. Interestingly, an earlier publication I did with O’Reilly (the PowerShell Quick Reference) was electronic only — and the only complaint was for a printed version.
I agree about the need for a programmer’s book. They are really different audiences and types of books, so a “Programming PowerShell” section of the cookbook could not have dealt with the subject well enough. Fortunately, several other members of the PowerShell team are writing the developer-oriented book you crave: http://www.amazon.com/Professional-Windows-PowerShell-Programming-Providers/dp/0470173939/.
I’m not sure what you mean in your point about PowerShell requiring newish operating systems. PowerShell supports Windows XP and beyond, which covers almost everybody that would be at all interested in PowerShell. While the Active Directory and Registry sections might be slightly foreign to Unix administrators, they are absolutely crucial for Windows administrators. To give a balance to those coming from Unix, the book also gives detailed treatment to text file manipulation.
BTW, I’m a UT02 CS grad — although I don’t think I’ve ever taken one of your courses, it’s refreshing to see a professor that blogs.