Wednesday, October 3, 2012

Information Security - Book Review

As part of the requirements for maintaining my Certified Secure Software Lifecycle Professional (CSSLP) certification from ISC2, I have to earn 15 Continuing Professional Education (CPE) credits per year.  To satisfy part of this requirement, I wrote a book review to be published on their site, and I thought I would share it here as well for anyone interested.  I hope it is useful to someone.

Title: The Basics of Information Security
By: Jason Andress
Publisher: Syngress
Publication Date: August 1, 2011
Print ISBN-13: 978-1-59749-653-7
Web ISBN-13: 978-1-59749-654-4

Review (Overall rating 4 out of 5):

Jason Andress’ book, “The Basics of Information Security”, provides a high-level overview of the primary risks security specialists need to be aware of.  The book is well written and discusses the issues in a conversational style, which keeps the reader engaged.  As the title indicates, the content stays at a high level and does not delve deeply into the specifics of how to mitigate security flaws; it focuses instead on making the reader more aware of the issues.  The book provides real-world examples that help the reader understand each of the security domains much more clearly.  Additionally, at the end of each chapter there are several exercise questions that help ensure the reader has a solid understanding of the topic.

While all of the chapters are necessary, some of the topics are much more interesting and contain more useful content than others.  Specifically, the chapter discussing Physical Security, while relevant, probably could have been shorter, as many of the points discussed were rather obvious.  Additionally, the book would have been better if the author had delved a little more deeply into some of the more interesting content, like Cryptography.  While this book’s focus was not specifically on software development, it would have been much better if it had included a chapter on the Software Development Life Cycle and how important it is to build security in from the start as opposed to bolting it on later.

One of the most informative chapters in this book was the one on “Authorization and Access Control”.  This chapter outlined several approaches and provided a very clear and understandable discussion of them.  In particular, the author did an exceptional job of clearly explaining the Bell-LaPadula, Biba, and Brewer and Nash models of access control.  Many authors provide the details but do not provide examples that make these concepts understandable; this author does, and he does it well.

Overall, this book provides a really good high-level, conceptual overview of information security and the issues security professionals face on a day-to-day basis.  The author’s conversational style is very engaging and keeps the reader focused on the topic; he is careful not to provide too much mundane detail, which would just cause the reader to lose interest.  This book is a great read for anyone who is just starting to study for the CSSLP, as it provides a very nice overview of the topics in the exam.  This book does not dig too deeply into the topics, however, and should only be the start of one’s study.  That said, the book does provide exercises at the end of each chapter that will help ensure the reader understands the topics, which will help anyone studying for the exam to confirm they have a solid understanding of the material.  Additionally, this book is a great read for anyone who thinks they might want to start a career in information security, as it outlines the main topics and gives the reader a sense of what they could expect in such a job.
