Two Books on Security

Why are so many computers so insecure? As Whitten and Tygar pointed out in their 1999 USENIX paper, "Why Johnny Can't Encrypt", the biggest reason may be that most security software is hard to use. Requiring people to know how DNS works in order to turn on a firewall is a good way to ensure that they never turn it on. Similarly, sending people 25-character license keys that use both 0's and O's (recent personal experience---still bitter) doesn't make anything safer from piracy, since it is easier to google for a crack than to try every plausible 0/O combination of the key.

That's why I had high hopes for Security and Usability. Unfortunately, the book didn't live up to them. These "34 groundbreaking essays from leading...researchers around the world" are what I'd expect to find in an academic journal, rather than the how-to-do-it for which O'Reilly is famous. Many of the individual articles are interesting, but I felt there was too much stamp collecting and not enough physics. My recommendation would therefore be borrow and browse, rather than buy.

Pro PHP Security, on the other hand, is very much a how-to book, and a very useful one. PHP has a bad reputation when it comes to security---by making web programming easy, it also made it easy for people to do things the wrong way. This book takes the reader step by step through common attacks, such as session hijacking and cross-site scripting, and explains how to foil each. While the examples are all in PHP, the discussion is thorough enough that many of the ideas can be applied directly to Ruby, Python, and other nimble languages. If you're using PHP, this book is definitely worth buying.
Lorrie Faith Cranor and Simson Garfinkel (eds): Security and Usability: Designing Secure Systems That People Can Use. O'Reilly, 2005, 0596008279, 715 pages.

Chris Snyder and Michael Southwell: Pro PHP Security. Apress, 2005, 1590595084, 500 pages.