http://www.spinellis.gr/pubs/Breview/2007-CR-SecComp/html/review.html
This is an HTML rendering of a working paper draft that led to a publication. The publication should be cited in preference to this draft.



Copyright © 2008 by the Association for Computing Machinery, Inc.

Book Review: Security in Computing, Fourth edition

Diomidis Spinellis
Athens University of Economics and Business

Charles P. Pfleeger and Shari Lawrence Pfleeger
Security in Computing, Fourth edition
Englewood Cliffs, NJ: Prentice Hall, 2007

D.E.R. Denning’s classic 1982 book “Cryptography and Data Security” is 400 pages long. If a field’s importance can be judged by the size of its textbooks, then security is certainly in the spotlight. At 845 pages, Charles and Shari Pfleeger’s “Security in Computing” will require me to rearrange my bookshelf of security books to make space for it. Yet I would be hard-pressed to find material in it that could be removed. True, when the Pfleegers can choose between elaborating on a topic and merely outlining it, they will typically elaborate, adding examples, diagrams, and sidebars to illustrate its significance. Security experts may find this level of detail tiresome, but I’m sure that students and unversed professionals will appreciate it when trying to grapple with the hundreds of security concepts discussed in the book.

The book’s organization is eminently practical. After two chapters covering the problem of security in computing and the basics of cryptography, the next chapters address security in specific fields: program code, general-purpose operating systems, trusted systems, databases, and networks. The relevant theory is covered close to the point where it applies. Although a separate discussion of security’s terms and theoretical underpinnings might be more elegant, I’ve seen that students find such an approach tiring, if not sleep-inducing. The next four chapters are less technical, dealing with security administration, the economics of cybersecurity, privacy in computing, and legal and ethical issues. A final chapter titled “Cryptography Explained” contains the nitty-gritty details of the cryptographic algorithms, which, mercifully, were not covered in the book’s second chapter. A further 32 pages of bibliographic references and a 29-page index complete the offering.

All chapters end with a summary, an index of terms and concepts, a discussion of where the particular field is headed, references for further reading, and plentiful exercises. The exposition is aided by numerous clear diagrams, sidebars, and many examples. Some of the examples are oversimplified: for instance, in modern systems a buffer overflow in a user process’s data area cannot overwrite operating-system data or the program’s own code, as shown on page 105, because code pages are mapped read-only and kernel memory is not addressable from user mode; what such an overflow can still do is corrupt the program’s own stack and heap data, and that is what makes it exploitable. Nevertheless, a simplified example is better than an inscrutable one: readers wanting an in-depth treatment of a particular topic can seek it in more specialized sources.

This book’s fourth edition adds new material to many of the previous edition’s chapters: networking, operating system attacks and controls, and data mining. More significantly, the book also includes two new chapters, one on the economics of cybersecurity and one on privacy. Both are hot topics that merit the treatment they get in the book. In summary, “Security in Computing” is a valuable textbook, bringing a large, diverse field under one comfortable and spacious roof.