Authors: Phillip Windley.
Paperback, 254 pages
Publisher: O'Reilly Media, Inc.
Publication Date: 2005-08-01


Reviews :

    The rise of network-based, automated services in the past decade has definitely changed the way businesses operate, but not always for the better. Offering services, conducting transactions and moving data on the Web opens new opportunities, but many CTOs and CIOs are more concerned with the risks. Like the rulers of medieval cities, they've adopted a siege mentality, building walls to keep the bad guys out. It makes for a secure perimeter, but hampers the flow of commerce.

Fortunately, some corporations are beginning to rethink how they provide security, so that interactions with customers, employees, partners, and suppliers will be richer and more flexible. Digital Identity explains how to go about it. This book details an important concept known as "identity management architecture" (IMA): a method to provide ample protection while giving good guys access to vital information and systems. In today's service-oriented economy, digital identity is everything. IMA is a coherent, enterprise-wide set of standards, policies, certifications and management activities that enable companies like yours to manage digital identity effectively--not just as a security check, but as a way to extend services and pinpoint the needs of customers.

Author Phil Windley likens IMA to good city planning. Cities define uses and design standards to ensure that buildings and city services are consistent and workable. Within that context, individual buildings--or system architectures--function as part of the overall plan. With Windley's experience as VP of product development for Excite@Home.com and CIO of Governor Michael Leavitt's administration in Utah, he provides a rich, real-world view of the concepts, issues, and technologies behind identity management architecture.

How does digital identity increase business opportunity? Windley's favorite example is the ATM machine. With ATMs, banks can now offer around-the-clock service, serve more customers simultaneously, and do it in a variety of new locations. This fascinating book shows CIOs, other IT professionals, product managers, and programmers how security planning can support business goals and opportunities, rather than holding them at bay.

...

Authors: Eric Bruno.
Paperback, 480 pages
Publisher: Charles River Media
Publication Date: 2005-11-07
Edition: 1

Reviews :

    LEARN TO USE JAVA MESSAGING SOFTWARE IN YOUR DISTRIBUTED APPLICATIONS!

As software becomes more complex, and the Web is leveraged further, the need for messaging software continues to grow. Virtually all software written today requires at least one form of internal, and even external, communication. Java Messaging explores the various methods of intra-process and inter-process messaging for Java software, such as JavaBean events, JMS, JAX-RPC, JAXM, SOAP, and Web Services. Programmers will learn the basics of these APIs, as well as how, when, and why to use each one, including how to use them in combination, such as combining SOAP with JMS over a WAN. The book begins by walking the reader through simple intra-process communication using JavaBean events. A set of classes is constructed that extend JavaBean events beyond one JVM, transparently using JMS. The messaging paradigms of JMS are explained thoroughly, including in-depth discussions on the theory and mechanics of message queues. Design patterns and helper classes are also explored, which ultimately combine to form a generic messaging framework that helps programmers avoid common pitfalls. This framework, explained throughout the book, provides for the seamless integration of JMS with SOAP Web Services that is required to build distributed applications. Starting from the first chapter, a comprehensive sample application (an online stock trading system) is built using the framework and messaging paradigms discussed in the book. By the end of the book, programmers will not only understand the various messaging paradigms, but they will also understand how to architect complex distributed applications that use them together – with a framework that provides a running start.

KEY FEATURES • Explores the various methods of intra-process and inter-process messaging for Java software, such as JavaBean events, JMS, JAX-RPC, JAXM, SOAP, and Web Services • Provides programmers with the practical knowledge of when and how to use each API alone, as well as together • Explains the messaging paradigms of JMS, including in-depth discussions on the theory and mechanics of message queues • Includes a development framework of classes for programmers to apply to their own projects • Teaches concepts through a comprehensive sample application (an online stock trading system) that uses the framework and messaging paradigms discussed within the book • Includes a CD-ROM with all of the sample code, the complete messaging toolkit that is explored throughout the book, open source tools, and all of the figures from the book

On the CD! * Source Code: Includes the sample applications referenced within each chapter * Figures: Contains all of the figures from the book, arranged by chapter * Java Tools: Includes the open-source tools used in the development of the book’s sample applications and toolkit * Toolkit: Contains the final, complete, messaging toolkit that is explored throughout the book SYSTEM REQUIREMENTS (WIN) Windows NT/2000/XP/2003; 256 MB RAM minimum, 512 MB recommended; 250 MB of available disk space, 500 MB recommended; J2SE version 1.4.2_06 or higher; CD-ROM or DVD-ROM drive; keyboard and mouse, or other pointing device...

Authors: Linda Volonino. Reynaldo Anzaldua. Jana Godwin.
Paperback, 552 pages
Publisher: Prentice Hall
Publication Date: 2006-08-31
Edition: 1

Reviews :

    For introductory and intermediate courses in computer forensics, digital investigations, or computer crime investigation By applying information systems, computer security, and criminal justice principles and practices to crime investigations and other legal actions, this text teaches students how to use forensically-sound methodologies and software to acquire admissible electronic evidence (e-evidence) with coverage of computer and email forensics, cell phone and IM forensics, and PDA and Blackberry forensics....

Authors: Rich Cannings. Himanshu Dwivedi. Zane Lackey.
Paperback, 258 pages
Publisher: McGraw-Hill Osborne Media
Publication Date: 2007-12-17
Edition: 1

Reviews :

   

Lock down next-generation Web services

"This book concisely identifies the types of attacks which are faced daily by Web 2.0 sites, and the authors give solid, practical advice on how to identify and mitigate these threats." --Max Kelly, CISSP, CIPP, CFCE, Senior Director of Security, Facebook

Protect your Web 2.0 architecture against the latest wave of cybercrime using expert tactics from Internet security professionals. Hacking Exposed Web 2.0 shows how hackers perform reconnaissance, choose their entry point, and attack Web 2.0-based services, and reveals detailed countermeasures and defense techniques. You'll learn how to avoid injection and buffer overflow attacks, fix browser and plug-in flaws, and secure AJAX, Flash, and XML-driven applications. Real-world case studies illustrate social networking site weaknesses, cross-site attack methods, migration vulnerabilities, and IE7 shortcomings.

• Plug security holes in Web 2.0 implementations the proven Hacking Exposed way
• Learn how hackers target and abuse vulnerable Web 2.0 applications, browsers, plug-ins, online databases, user inputs, and HTML forms
• Prevent Web 2.0-based SQL, XPath, XQuery, LDAP, and command injection attacks
• Circumvent XXE, directory traversal, and buffer overflow exploits
• Learn XSS and Cross-Site Request Forgery methods attackers use to bypass browser security controls
• Fix vulnerabilities in Outlook Express and Acrobat Reader add-ons
• Use input validators and XML classes to reinforce ASP and .NET security
• Eliminate unintentional exposures in ASP.NET AJAX (Atlas), Direct Web Remoting, Sajax, and GWT Web applications
• Mitigate ActiveX security exposures using SiteLock, code signing, and secure controls
• Find and fix Adobe Flash vulnerabilities and DNS rebinding attacks 
  
  

...

Authors: James Avery.
Paperback, 500 pages
Publisher: O'Reilly Media, Inc.
Publication Date: 2005-03-24
Edition: 26th

Reviews :

    With start-up templates for projects ranging from Windows applications to web services, and extensive help and on-line documentation, Visual Studio .NET might be mistaken for a tool for unsophisticated users. It's true that most developers soon discover that the basic operation of Visual Studio is fairly self-explanatory; less obvious are some of the suite's more advanced built-in features. Visual Studio .Net includes a wealth of little-used capabilities, is very customizable, has a complete automation model, and much more. On top of its regular feature set, there are hosts of free add-ins, macros, and power toys that can further enhance the functionality of Visual Studio. This book is all about exploring these things, and in doing so, becoming a better and more efficient developer. Developers will learn how to:

• Get the most out of projects and solutions, including getting down and dirty with the undocumented format of project and solution files
• Use these editor features to the fullest, and add additional functionality to the editor through the use of third-party add-ins
• Learn smarter ways to navigate the application and your own source code
• Customize shortcut keys, toolbars, menus, the toolbox, and much more
• Use the debugger successfully not only on your source code, but with T-SQL and scripting languages as well
• Automatically generate code
• Learn how the server can be used to interface with databases, services, and performance counters, as well as WMI
• Use and create Visual Studio add-ins to extend its functionality

Offering valuable tips, tools, and tricks, Visual Studio Hacks takes you far beyond the suite's usual capabilities. You can read this book from cover to cover or, because each hack stands its own, you can feel free to browse and jump to the different sections that interest you most. If there's a prerequisite you need to know about, a cross-reference will guide you to the right hack. If you want to experience the full spectrum of Visual Studio's functionality and flexibility, you'll find the perfect guide for exploration in Visual Studio Hacks. Once the final page is turned, you can confidently say that you've been exposed to everything that Visual Studio .NET is capable of doing....

Authors: Bruce Schneier.
Hardcover, 432 pages
Publisher: John Wiley & Sons
Publication Date: 2000-08-14
Edition: 1

Reviews :

    Praise for Sectrets and Lies "This is a business issue, not a technical one, and executives can no longer leave such decisions to techies. That's why Secrets and Lies belongs in every manager's library." Business Week "Clear and passionate, this is the definitive book on Internet security from the leading thinker on the subject." The Industry Standard "Startlingly lively...a jewel box of little surprises you can actually use." Fortune "Secrets is a comprehensive, well-written work on a topic few business leaders can afford to neglect." Business 2.0 "Instead of talking algorithms to geeky programmers, [Schneier] offers a primer in practical computer security aimed at those shopping, communicating or doing business online almost everyone, in other words." The Economist "Schneier peppers the book with lively anecdotes and aphorisms, making it unusually accessible." Los Angeles Times...

    Whom can you trust? Try Bruce Schneier, whose rare gift for common sense makes his book Secrets and Lies: Digital Security in a Networked World both enlightening and practical. He's worked in cryptography and electronic security for years, and has reached the depressing conclusion that even the loveliest code and toughest hardware still will yield to attackers who exploit human weaknesses in the users. The book is neatly divided into three parts, covering the turn-of-the-century landscape of systems and threats, the technologies used to protect and intercept data, and strategies for proper implementation of security systems. Moving away from blind faith in prevention, Schneier advocates swift detection and response to an attack, while maintaining firewalls and other gateways to keep out the amateurs.

Newcomers to the world of Schneier will be surprised at how funny he can be, especially given a subject commonly perceived as quiet and dull. Whether he's analyzing the security issues of the rebels and the Death Star in Star Wars or poking fun at the giant software and e-commerce companies that consistently sacrifice security for sexier features, he's one of the few tech writers who can provoke laughter consistently. While moderately pessimistic on the future of systems vulnerability, he goes on to relieve the reader's tension by comparing our electronic world to the equally insecure paper world we've endured for centuries--a little smart-card fraud doesn't seem so bad after all. Despite his unfortunate (but brief) shill for his consulting company in the book's afterword, you can trust Schneier to dish the dirt in Secrets and Lies. --Rob Lightner ...

Authors: Gabriel Weimann.
Hardcover, 256 pages
Publisher: The United States Institute of Peace
Publication Date: 2006-03
Edition: 1

Reviews :

    Terrorists fight their wars in cyberspace as well as on the ground. However, while politicians and the media have hotly debated the dangers of terrorists sabotaging the Internet, surprisingly little is known about terrorists’ actual use of the Internet.

In this timely and eye-opening volume, Gabriel Weimann reveals that terrorist organizations and their supporters maintain hundreds of websites, taking advantage of the unregulated, anonymous, and accessible nature of the Internet to target an array of messages to diverse audiences. Drawing on a seven-year study of the World Wide Web, the author examines how modern terrorist organizations exploit the Internet to raise funds, recruit members, plan and launch attacks, and publicize their chilling results. Weimann also investigates the effectiveness of counterterrorism measures and warns that this cyberwar may cost us dearly in terms of civil rights.

Illustrated with numerous examples taken from terrorist websites, Terror on the Internet offers the definitive introduction to this emerging and dynamic arena. Weimann lays bare the challenges we collectively face in confronting the growing and increasingly sophisticated terrorist presence on the Net. A publication of the United States Institute of Peace, distributed by Potomac Books, Inc....

Authors: Gary McGraw.
Paperback, 448 pages
Publisher: Addison-Wesley Professional
Publication Date: 2006-02-02


Reviews :

    This is the Mobipocket version of the print book. "When it comes to software security, the devil is in the details. This book tackles the details." --Bruce Schneier, CTO and founder, Counterpane, and author of Beyond Fear and Secrets and Lies "McGraw's book shows you how to make the 'culture of security' part of your development lifecycle." --Howard A. Schmidt, Former White House Cyber Security Advisor "McGraw is leading the charge in software security. His advice is as straightforward as it is actionable. If your business relies on software (and whose doesn't), buy this book and post it up on the lunchroom wall." --Avi Rubin, Director of the NSF ACCURATE Center; Professor, Johns Hopkins University; and coauthor of Firewalls and Internet Security Beginning where the best-selling book Building Secure Software left off, Software Security teaches you how to put software security into practice.The software security best practices, or touchpoints, described in this book have their basis in good software engineering and involve explicitly pondering security throughout the software development lifecycle.This means knowing and understanding common risks (including implementation bugsand architectural flaws), designing for security, and subjecting all software artifacts to thorough, objective risk analyses and testing. Software Security is about putting the touchpoints to work for you. Because you can apply these touchpoints to the software artifacts you already produce as you develop software, you can adopt this book's methods without radically changing the way you work. Inside you'll find detailed explanations of *Risk management frameworks and processes *Code review using static analysis tools *Architectural risk analysis *Penetration testing *Security testing *Abuse case development In addition to the touchpoints, Software Security covers knowledge management, training and awareness, and enterprise-level software security programs. Now that the world agrees that software security is central to computer security, it is time to put philosophy into practice. Create your own secure development lifecycle by enhancing your existing software development lifecycle with the touchpoints described in this book.Let this expert author show you how to build more secure software by building security in....

Authors: Andrew Hay. Daniel Cid. Rory Bray.
Paperback, 416 pages
Publisher: Syngress
Publication Date: 2008-02-18


Reviews :

    This book is the definitive guide on the OSSEC Host-based Intrusion Detection system and frankly, to really use OSSEC you are going to need a definitive guide. Documentation has been available since the start of the OSSEC project but, due to time constraints, no formal book has been created to outline the various features and functions of the OSSEC product. This has left very important and powerful features of the product undocumented...until now! The book you are holding will show you how to install and configure OSSEC on the operating system of your choice and provide detailed examples to help prevent and mitigate attacks on your systems.
-- Stephen Northcutt
OSSEC determines if a host has been compromised in this manner by taking the equivalent of a picture of the host machine in its original, unaltered state. This ?picture? captures the most relevant information about that machine?s configuration. OSSEC saves this ?picture? and then constantly compares it to the current state of that machine to identify anything that may have changed from the original configuration. Now, many of these changes are necessary, harmless, and authorized, such as a system administrator installing a new software upgrade, patch, or application. But, then there are the not-so-harmless changes, like the installation of a rootkit, trojan horse, or virus. Differentiating between the harmless and the not-so-harmless changes determines whether the system administrator or security professional is managing a secure, efficient network or a compromised network which might be funneling credit card numbers out to phishing gangs or storing massive amounts of pornography creating significant liability for that organization.
Separating the wheat from the chaff is by no means an easy task. Hence the need for this book. The book is co-authored by Daniel Cid, who is the founder and lead developer of the freely available OSSEC host-based IDS. As such, readers can be certain they are reading the most accurate, timely, and insightful information on OSSEC.

. Get Started with OSSEC
Get an overview of the features of OSSEC including commonly used terminology, pre-install preparation, and deployment considerations.
. Follow Steb-by-Step Installation Instructions
Walk through the installation process for the "local", "agent", and "server" install types on some of the most popular operating systems available.
. Master Configuration
Learn the basic configuration options for your install type and learn how to monitor log files, receive remote messages, configure email notification, and configure alert levels.
. Work With Rules
Extract key information from logs using decoders and how you can leverage rules to alert you of strange occurrences on your network.
. Understand System Integrity Check and Rootkit Detection
Monitor binary executable files, system configuration files, and the Microsoft Windows registry.
. Configure Active Response
Configure the active response actions you want and bind the actions to specific rules and sequence of events.
. Use the OSSEC Web User Interface
Install, configure, and use the community-developed, open source web interface available for OSSEC.
. Play in the OSSEC VMware Environment Sandbox
Use the OSSEC HIDS VMware Guest image on the companion DVD to implement what you have learned in a sandbox-style environment.
. Dig Deep into Data Log Mining
Take the "high art" of log analysis to the next level by breaking the dependence on the lists of strings or patterns to look for in the logs....

Authors: Richard Bejtlich.
Paperback, 416 pages
Publisher: Addison-Wesley Professional
Publication Date: 2005-11-18


Reviews :

    Overcome Your Fastest-Growing Security Problem: Internal, Client-Based Attacks Today's most devastating security attacks are launched from within the company, by intruders who have compromised your users' Web browsers, e-mail and chat clients, and other Internet-connected software. Hardening your network perimeter won't solve this problem. You must systematically protect client software and monitor the traffic it generates. Extrusion Detection is a comprehensive guide to preventing, detecting, and mitigating security breaches from the inside out. Top security consultant Richard Bejtlich offers clear, easy-to-understand explanations of today's client-based threats and effective, step-by-step solutions, demonstrated against real traffic and data. You will learn how to assess threats from internal clients, instrument networks to detect anomalies in outgoing traffic, architect networks to resist internal attacks, and respond effectively when attacks occur. Bejtlich's The Tao of Network Security Monitoring earned acclaim as the definitive guide to overcoming external threats.Now, in Extrusion Detection, he brings the same level of insight to defending against today's rapidly emerging internal threats. Whether you're an architect, analyst, engineer, administrator, or IT manager, you face a new generation of security risks. Get this book and protect yourself. Coverage includes *Architecting defensible networks with pervasive awareness: theory, techniques, and tools *Defending against malicious sites, Internet Explorer exploitations, bots, Trojans, worms, and more *Dissecting session and full-content data to reveal unauthorized activity *Implementing effective Layer 3 network access control *Responding to internal attacks, including step-by-step network forensics *Assessing your network's current ability to resist internal attacks *Setting reasonable corporate access policies *Detailed case studies, including the discovery of internal and IRC-based bot nets *Advanced extrusion detection: from data collection to host and vulnerability enumeration About the Web Site Get book updates and network security news at Richard Bejtlich's popular blog, taosecurity.blogspot.com, and his Web site, www.bejtlich.net....