Beautiful Security: Leading Security Experts Explain How They Think
by Andy Oram and Jon Viega, Eds.

O'Reilly 2009.
ISBN 978-0-596-52748-8 . USD 34.07

Reviewed by  Richard Austin   September 13, 2009 

Information security could be called many things: a head-on collision between people and technology, or a glistening Eldorado that lies forever tantalizingly just out of reach, but could it ever be called "beautiful"? In the preface, Oram opines that though information security (as opposed to "hacking") is often perceived as boring, it is "not tedious, not bureaucratic, and not constraining. In fact, it exercises the imagination like nothing else in technology" (p., xii). The following 16 chapters provide opportunities for well-known experts (the author list reads like a "Who's Who" of the security industry) to describe their particular specialty and give a glimpse of why they find it fascinating and even, perhaps, beautiful.

The topics surveyed cover a broad expanse of the security landscape, for example, "Mudge" Zatko's take on "Psychological Security Traps" (where he introduces the very useful concept of "learned helplessness" as the reason for why so many give up on "doing the good they know they should do") , Phil Zimmermann and Jon Callas's "The Evolution of PGP's Web of Trust", Randy Sabettt's "Oh No, here come the information security lawyers!" and Anton Chuvakin's "Beautiful Log Handling".

The authors do a great job of keeping to a high level presentation and avoiding the temptation to delve into technical detail. Perhaps the most "technical" material in the entire book is Mudge's discussion of how NTLM (Microsoft's NT LAN Manager) authentication hashes work, but that is done relatively painlessly with the aid of some great graphics.

With sixteen authors you might expect the quality of the writing to vary, and it does, sometimes seeming to lose sight of the collection's theme of "Beautiful Security". All in all, those are minor blemishes in a work that manages to give, in a scant 258 pages, a masterful overview of the themes of modern information security.

This book will appeal to a wide audience both inside and outside the security profession. For security professionals, it's a good antidote for our tendency to develop "tunnel vision" around our particular area of expertise by reminding us of just how broad our field really is. For the general reader, including those contemplating a career in information security but put off by the perception of it as endless repetition of "patch and pray", it's a very readable introduction to a critical and fascinating field of human endeavor.

The authors are to be commended for their decision to donate the royalties from the book to the IETF.

Before beginning life as an itinerant university instructor and cybersecurity consultant, Richard Austin was the storage network security architect for a Fortune 25 company. He welcomes your thoughts and comments at rausti19 at Kennesaw dot edu