2 May
2025
2 May
'25
12:21 p.m.
Hi All.
In a book I'm updating, I have the following references for
Unix security.
1. Practical UNIX & Internet Security, 3rd edition, by Simson Garfinkel,
Gene Spafford, and Alan Schwartz, O’Reilly & Associates, Sebastopol,
CA, USA, 2003. ISBN-10: 0-596-00323-4, ISBN-13: 978-0596003234.
2. Building Secure Software: How to Avoid Security Problems the Right Way,
by John Viega and Gary McGraw. Addison-Wesley, Reading, Massachusetts,
USA, 2001. ISBN- 10: 0-201-72152-X, ISBN-13: 978-0201721522.
3. “Setuid Demystified,” by Hao Chen, David Wagner, and Drew
Dean. Proceedings of the 11th USENIX Security Symposium, August 5–9,
2002. http://www.cs.berkeley. edu/~daw/papers/setuid-usenix02.pdf.
One of my reviewers asked if these weren't "dusty references".
So, before I just refer to them as "classics", can anyone recommend
more recent books? Feel free to answer in private.
Thanks,
Arnold
4 May
4 May
3:53 a.m.
On Fri, May 2, 2025 at 5:21 AM Aharon Robbins <arnold(a)skeeve.com> wrote:
Hi All.
In a book I'm updating, I have the following references for
Unix security.
1. Practical UNIX & Internet Security, 3rd edition, by Simson Garfinkel,
Gene Spafford, and Alan Schwartz, O’Reilly & Associates, Sebastopol,
CA, USA, 2003. ISBN-10: 0-596-00323-4, ISBN-13: 978-0596003234.
2. Building Secure Software: How to Avoid Security Problems the Right Way,
by John Viega and Gary McGraw. Addison-Wesley, Reading, Massachusetts,
USA, 2001. ISBN- 10: 0-201-72152-X, ISBN-13: 978-0201721522.
3. “Setuid Demystified,” by Hao Chen, David Wagner, and Drew
Dean. Proceedings of the 11th USENIX Security Symposium, August 5–9,
2002. http://www.cs.berkeley. edu/~daw/papers/setuid-usenix02.pdf.
One of my reviewers asked if these weren't "dusty references".
So, before I just refer to them as "classics", can anyone recommend
more recent books? Feel free to answer in private.
I’d have to rummage around for a definitive answer but I think things have
fractured a bit and OS level security is either a chapter or section in
academic or professional books. That is mostly survey or long standing
information, the edge is all in open source code and/or
papers/presentations.
There are several recent cryptography books aimed at a more practitioner
level I can recommend if that is relevant to your quest.
The main book that comes to mind 0321822137 is a C and C++ security survey
that is worthwhile but not OS specific.
I’d also like to know your title so I can add it to my collection when it
is ready!
Thanks,
Arnold
12:05 p.m.
The Bellovin and Cheswick book(s) although it's more about network security
and firewalls.
The OWASP guides.
Practical UNIX and Internet security Book by Simson Garfinkel
6:01 p.m.
Paul von Oorschot's Tools and Jewels:
https://people.scs.carleton.ca/~paulv/toolsjewels.html
This was designed as a textbook for security, and includes very good
coverage of cryptography.
Rik
On Sun, May 4, 2025 at 5:06 AM Rich Salz <rich.salz(a)gmail.com> wrote:
The Bellovin and Cheswick book(s) although it's
more about network
security and firewalls.
The OWASP guides.
Practical UNIX and Internet security Book by Simson Garfinkel
6 May
6 May
3:01 p.m.
Thanks to everyone who responded. Besides the original three in
my quoted email, here are the additional ones I was recommended
and have added to the list in my book.
Some were recommended by more than one person. In any case,
thank you all!
4. Secure Coding in C and C++, 2nd Edition, by Robert Seacord. ISBN-10:
0321822137, ISBN-13: 978-0321822130, Addison-Wesley Professional, Reading,
Massachusetts, USA, 2013.
5. Secure Coding: Principles and Practices, by Mark G. Graff,
Kenneth R. Van Wyk, and Debby Russell. ISBN-10: 0596002424, ISBN-13:
978-0596002428. O’Reilly Media, Inc., USA, 2003.
6. Writing Secure Code, 2nd Edition, by Michael Howard and David
LeBlanc. ISBN-10: 0735617228, ISBN-13: 978-0735617223. Microsoft Press,
USA, 2003.
7. Computer Security and the Internet—Tools and Jewels from
Malware to Bitcoin, 2nd Edition, by Paul C. van Oorschot. ISBN-13:
978-3-030-83410-4. Springer Nature Switzerland AG, 2021.
8. Thinking Security: Stopping Next Year’s Hackers by Steven
M. Bellovin. ISBN-10: 0134277546, ISBN-13: 978-0134277547. Addison-Wesley
Professional, Reading, Mas- sachusetts, USA, 2015.
9. Security Engineering: A Guide to Building Dependable Distributed
Systems, 3rd Edi- tion, by Ross Anderson. ISBN-10: 1119642787, ISBN-13:
978-1119642787. Wiley, USA, 2020.
10. Designing Secure Software: A Guide for Developers, by Loren
Kohnfelder. ISBN-10: 1718501927, ISBN-13: 978-1718501928. No Starch Press,
USA, 2021.
11. Building Secure and Reliable Systems: Best Practices for
Designing, Implementing, and Maintaining Systems, by Heather Adkins,
Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea, and Adam
Stubblefield. ISBN-10: 1492083127, ISBN-13: 978-1492083122. O’Reilly
Media, USA, 2020.
12. Secure By Design, by Daniel Deogun, Dan Bergh Johnsson, and Daniel
Sawano. ISBN-10: 1617294357, ISBN-13: 978-1617294358. Manning, USA, 2019.
Aharon Robbins <arnold(a)skeeve.com> wrote:
Hi All.
In a book I'm updating, I have the following references for
Unix security.
1. Practical UNIX & Internet Security, 3rd edition, by Simson Garfinkel,
Gene Spafford, and Alan Schwartz, O’Reilly & Associates, Sebastopol,
CA, USA, 2003. ISBN-10: 0-596-00323-4, ISBN-13: 978-0596003234.
2. Building Secure Software: How to Avoid Security Problems the Right Way,
by John Viega and Gary McGraw. Addison-Wesley, Reading, Massachusetts,
USA, 2001. ISBN- 10: 0-201-72152-X, ISBN-13: 978-0201721522.
3. “Setuid Demystified,” by Hao Chen, David Wagner, and Drew
Dean. Proceedings of the 11th USENIX Security Symposium, August 5–9,
2002. http://www.cs.berkeley. edu/~daw/papers/setuid-usenix02.pdf.
One of my reviewers asked if these weren't "dusty references".
So, before I just refer to them as "classics", can anyone recommend
more recent books? Feel free to answer in private.
Thanks,
Arnold
9 May
9 May
3:32 a.m.
On 5/2/25 7:21 AM, Aharon Robbins wrote:
1. Practical UNIX & Internet Security, 3rd
edition, by Simson
Garfinkel, Gene Spafford, and Alan Schwartz, O’Reilly & Associates,
Sebastopol, CA, USA, 2003. ISBN-10: 0-596-00323-4, ISBN-13:
978-0596003234.
...
One of my reviewers asked if these weren't
"dusty references". So,
before I just refer to them as "classics", can anyone recommend more
recent books? Feel free to answer in private.
Having read (most of) Practical UNIX & Internet Security, 3rd edition,
and other similar texts...
I've come to the realization that we as an industry haven't really moved
beyond all of the problems taught to us in the '90s. It's really
amazing to me how much of the advice given in those "classic" tombs is
still as germane today as it was 30 years ago.
Sure, some things have fallen off the bottom. But mostly, we've just
added things on top.
Fundamentals may get old, but they usually don't become wrong.
--
Grant. . . .
6:19 a.m.
Hi.
Grant Taylor via TUHS <tuhs(a)tuhs.org> wrote:
Having read (most of) Practical UNIX & Internet
Security, 3rd edition,
and other similar texts...
I've come to the realization that we as an industry haven't really moved
beyond all of the problems taught to us in the '90s.
Sad, but true.
It's really
amazing to me how much of the advice given in those "classic" tombs is
Um, "tomes" is what I think you meant. :-)
still as germane today as it was 30 years ago.
Sure, some things have fallen off the bottom. But mostly, we've just
added things on top.
Fundamentals may get old, but they usually don't become wrong.
This last statement is exactly right. And in fact, it is my book on the
fundamental *nix APIs that I'm updating....
Feel free to ping me privately if you want more info.
Much thanks,
Arnold
P.S. Can I quote your statement?
0
days inactive
7
days old
6 comments
6 participants
participants (6)
-
Aharon Robbins -
arnold@skeeve.com
-
Grant Taylor -
Kevin Bowling -
Rich Salz -
Rik Farrow