Authors: Simson Garfinkel. Beth Rosenberg.
Hardcover, 608 pages
Publisher: Addison-Wesley Professional
Publication Date: 2005-07-16


Reviews :

    "RFID is the first important technology of the twenty-first century. That's an awesome responsibility. How can we know when and how RFID is being used? How can we make sure it is not misused? How can we exercise choice over how it affects us personally? How do we ensure it is safe? This book is a valuable contribution to the ongoing effort to find the answers." --From the Foreword by Kevin Ashton, cofounder and former executive director, Auto-ID Center; vice president, ThingMagic Corporation Radio frequency identification (RFID) technology is rapidly becoming ubiquitous as businesses seek to streamline supply chains and respond to mandates from key customers. But RFID and other new wireless ID technologies raise unprecedented privacy issues. RFID: Applications, Security, and Privacy covers these issues from every angle and viewpoint. Award-winning technology journalist and privacy expert Simson Garfinkel brings together contributions from every stakeholder community--from RFID suppliers to privacy advocates and beyond.His contributors introduce today's leading wireless ID technologies, trace their evolution, explain their promise, assess their privacy risks, and evaluate proposed solutions--technical, business, and political. The book also looks beyond RFID, reviewing the privacy implications of Wi-Fi, Bluetooth, smart cards, biometrics, new cell-phone networks, and the ever-evolving Internet. Highlights include *How RFID and other wireless ID technologies work *RFID applications--from gas stations and pharmacies to the twenty-first century battlefield *RFID, privacy, and the law--in the United States and around the world *RFID, security, and industrial espionage *How Bluetooth and Wi-Fi can track individuals, with or without their permission *Technical solutions to wireless ID privacy concerns--their values and limitations *Stakeholder perspectives from EPCglobal, Inc.,Gemplus, The Procter & Gamble Company, and other industry leaders *The future of citizen activism on privacy issues Clear, balanced, and accessible, this is the indispensable primer for everyone involved in RFID: businesses implementing or evaluating RFID; technology suppliers responding to user concerns; and policymakers and privacy advocates who want a deeper understanding of the technology and its implications. Includes contributions from AIM Global, Inc. CASPIAN Center for Democracy and Technology EPCglobal, Inc. The Galecia Group Gemplus IDAT Consulting & Education Institute for the Future Matrics, Inc. MIT Computer Science & Artificial Intelligence Laboratory MIT Media Laboratory OATSystems Privacy Journal The Privacy Rights Clearinghouse The Procter & Gamble Company RSA Laboratories UCLA Department of Geography Wayne State University Law School...

Authors: Andrew Hay. Keli Hay. Peter Giannoulis.
Paperback, 452 pages
Publisher: Syngress
Publication Date: 2008-11-21


Reviews :

    "While Nokia is perhaps most recognized for its leadership in the mobile phone market, they have successfully demonstrated their knowledge of the Internet security appliance market and its customers requirements."
--Chris Christiansen, Vice President, Internet Infrastructure and Security Software, IDC.

Syngress has a long history of publishing market-leading books for system administrators and security professionals on commercial security products, particularly Firewall and Virtual Private Network (VPN) appliances from Cisco, Check Point, Juniper, SonicWall, and Nokia (see related titles for sales histories). The Nokia Firewall, VPN, and IPSO Configuration Guide will be the only book on the market covering the all-new Nokia Firewall/VPN Appliance suite. Nokia Firewall/VPN appliances are designed to protect and extend the network perimeter.

According to IDC research, Nokia Firewall/VPN Appliances hold the #3 worldwide market-share position in this space behind Cisco and Juniper/NetScreen. IDC estimated the total Firewall/VPN market at $6 billion in 2007, and Nokia owns 6.6% of this market. Nokia's primary customers for security appliances are Mid-size to Large enterprises who need site-to-site connectivity and Mid-size to Large enterprises who need remote access connectivity through enterprise-deployed mobile devices. Nokia appliances for this market are priced form $1,000 for the simplest devices (Nokia IP60) up to $60,0000 for large enterprise- and service-provider class devices (like the Nokia IP2450 released in Q4 2007). While the feature set of such a broad product range obviously varies greatly, all of the appliances run on the same operating system: Nokia IPSO (IPSO refers to Ipsilon Networks, a company specializing in IP switching acquired by Nokia in 1997. The definition of the acronym has little to no meaning for customers.) As a result of this common operating system across the product line, The Nokia Firewall, VPN, and IPSO Configuration Guide will be an essential reference to users of any of these products. Users manage the Nokia IPSO (which is a Linux variant, specifically designed for these appliances) through a Web interface called Nokia Network Voyager or via a powerful Command Line Interface (CLI). Coverage within the book becomes increasingly complex relative to the product line.

The Nokia Firewall, VPN, and IPSO Configuration Guide and companion Web site will provide seasoned network administrators and security professionals with the in-depth coverage and step-by-step walkthroughs they require to properly secure their network perimeters and ensure safe connectivity for remote users. The book contains special chapters devoted to mastering the complex Nokia IPSO command line, as well as tips and tricks for taking advantage of the new "ease of use" features in the Nokia Network Voyager Web interface. In addition, the companion Web site offers downloadable video walkthroughs on various installation and troubleshooting tips from the authors.

* Only book on the market covering Nokia Firewall/VPN appliances, which hold 6.6% of a $6 billion market
* Companion website offers video walkthroughs on various installation and troubleshooting tips from the authors
* Special chapters detail mastering the complex Nokia IPSO command line, as well as tips and tricks for taking advantage of the new "ease of use" features in the Nokia Network Voyager Web interface...

Authors: Rick Lehtinen. G.T. Gangemi.
Paperback, 310 pages
Publisher: O'Reilly Media, Inc.
Publication Date: 2006-06-13
Edition: 2

Reviews :

   

This is the must-have book for a must-know field. Today, general security knowledge is mandatory, and, if you who need to understand the fundamentals, Computer Security Basics 2nd Edition is the book to consult.

The new edition builds on the well-established principles developed in the original edition and thoroughly updates that core knowledge. For anyone involved with computer security, including security administrators, system administrators, developers, and IT managers, Computer Security Basics 2nd Edition offers a clear overview of the security concepts you need to know, including access controls, malicious software, security policy, cryptography, biometrics, as well as government regulations and standards.

This handbook describes complicated concepts such as trusted systems, encryption, and mandatory access control in simple terms. It tells you what you need to know to understand the basics of computer security, and it will help you persuade your employees to practice safe computing.

Topics include:

• Computer security concepts
• Security breaches, such as viruses and other malicious programs
• Access controls
• Security policy
• Web attacks
• Communications and network security
• Encryption
• Physical security and biometrics
• Wireless network security
• Computer security and requirements of the Orange Book
• OSI Model and TEMPEST

...

Authors: Ray Blair. Arvind Durai.
Paperback, 528 pages
Publisher: Cisco Press
Publication Date: 2008-09-08
Edition: 1

Reviews :

   

Cisco Secure Firewall Services Module (FWSM)

 

Best practices for securing networks with FWSM

 

Ray Blair, CCIE® No. 7050

Arvind Durai, CCIE No. 7016

 

The Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. The FWSM defines the security parameter and enables the enforcement of security policies through authentication, access control lists, and protocol inspection. The FWSM is a key component to anyone deploying network security.

 

Cisco Secure Firewall Services Module (FWSM) covers all aspects of the FWSM. The book provides a detailed look at how the FWSM processes information, as well as installation advice, configuration details, recommendations for network integration, and reviews of operation and management. This book provides you with a single source that comprehensively answers how and why the FWSM functions as it does. This information enables you to successfully deploy the FWSM and gain the greatest functional benefit from your deployment. Practical examples throughout show you how other customers have successfully deployed the FWSM.

 

By reading this book, you will learn how the FWSM functions, the differences between the FWSM and the ASA Security Appliance, how to implement and maintain the FWSM, the latest features of the FWSM, and how to configure common installations.

 

Ray Blair, CCIE® No. 7050, is a consulting systems architect who has been with Cisco for more than 8 years, working primarily on security and large network designs. He has 20 years of experience in designing, implementing, and maintaining networks that have included nearly all networking technologies. Mr. Blair maintains three CCIE certifications in Routing and Switching, Security, and Service Provider. He is also a CNE and a CISSP.

 

Arvind Durai, CCIE No. 7016, is an advanced services technical leader for Cisco. His primary responsibility has been in supporting major Cisco customers in the enterprise sector. One of his focuses has been on security, and he has authored several white papers and design guides in various technologies. Mr. Durai maintains two CCIE certifications, in Routing and Switching and Security.

 

• Understand modes of operation, security levels, and contexts for the FWSM
• Configure routing protocols and the host-chassis to support the FWSM
• Deploy ACLs and Authentication, Authorization, and Accounting (AAA)
• Apply class and policy maps
• Configure multiple FWSMs for failover support
• Configure application and protocol inspection
• Filter traffic using filter servers, ActiveX, and Java filtering functions
• Learn how IP multicast and the FWSM interact
• Increase performance with firewall load balancing
• Configure IPv6 and asymmetric routing
• Mitigate network attacks using shunning, anti-spoofing, connection limits, and timeouts
• Examine network design, management, and troubleshooting best practices

 

This security book is part of the Cisco Press® Networking Technology series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

 

Category: Networking: Security

Covers: Firewall security

 

...

Authors: Julia H. Allen. Sean Barnum. Robert J. Ellison. Gary McGraw. Nancy R. Mead.
Paperback, 368 pages
Publisher: Addison-Wesley Professional
Publication Date: 2008-05-11
Edition: 1

Reviews :

   

“This book’s broad overview can help an organization choose a set of processes, policies, and techniques that are appropriate for its security maturity, risk tolerance, and development style. This book will help you understand how to incorporate practical security techniques into all phases of the development lifecycle.”

      —Steve Riley, senior security strategist, Microsoft Corporation

 

“There are books written on some of the topics addressed in this book, and there are other books on secure systems engineering. Few address the entire life cycle with a comprehensive overview and discussion of emerging trends and topics as well as this one.”

      —Ronda Henning, senior scientist-software/security queen, Harris Corporation

 

Software that is developed from the beginning with security in mind will resist, tolerate, and recover from attacks more effectively than would otherwise be possible. While there may be no silver bullet for security, there are practices that project managers will find beneficial. With this management guide, you can select from a number of sound practices likely to increase the security and dependability of your software, both during its development and subsequently in its operation.

 

Software Security Engineering draws extensively on the systematic approach developed for the Build Security In (BSI) Web site. Sponsored by the Department of Homeland Security Software Assurance Program, the BSI site offers a host of tools, guidelines, rules, principles, and other resources to help project managers address security issues in every phase of the software development life cycle (SDLC). The book’s expert authors, themselves frequent contributors to the BSI site, represent two well-known resources in the security world: the CERT Program at the Software Engineering Institute (SEI) and Cigital, Inc., a consulting firm specializing in software security.

 

This book will help you understand why

• Software security is about more than just eliminating vulnerabilities and conducting penetration tests
• Network security mechanisms and IT infrastructure security services do not sufficiently protect application software from security risks
• Software security initiatives should follow a risk-management approach to identify priorities and to define what is “good enough”—understanding that software security risks will change throughout the SDLC
• Project managers and software engineers need to learn to think like an attacker in order to address the range of functions that software should not do, and how software can better resist, tolerate, and recover when under attack

Chapter 1: Why Is Security a Software Issue? 1

1.1 Introduction 1

1.2 The Problem 2

1.3 Software Assurance and Software Security 6

1.4 Threats to Software Security 9

1.5 Sources of Software Insecurity 11

1.6 The Benefits of Detecting Software Security Defects Early 13

1.7 Managing Secure Software Development 18

1.8 Summary 23

 

Chapter 2: What Makes Software Secure? 25

2.1 Introduction 25

2.2 Defining Properties of Secure Software 26

2.3 How to Influence the Security Properties of Software 36

2.4 How to Assert and Specify Desired Security Properties 61

2.5 Summary 71

 

Chapter 3: Requirements Engineering for Secure Software 73

3.1 Introduction 73

3.2 Misuse and Abuse Cases 78

3.3 The SQUARE Process Model 84

3.4 SQUARE Sample Outputs 91

3.5 Requirements Elicitation 99

3.6 Requirements Prioritization 106

3.7 Summary 112

 

Chapter 4: Secure Software Architecture and Design 115

4.1 Introduction 115

4.2 Software Security Practices for Architecture and Design: Architectural Risk Analysis 119

4.3 Software Security Knowledge for Architecture and Design: Security Principles, Security Guidelines, and Attack Patterns 137

4.4 Summary 148

 

Chapter 5: Considerations for Secure Coding and Testing 151

5.1 Introduction 151

5.2 Code Analysis 152

5.3 Coding Practices 160

5.4 Software Security Testing 163

5.5 Security Testing Considerations Throughout the SDLC 173

5.6 Summary 180

 

Chapter 6: Security and Complexity: System Assembly Challenges 183

6.1 Introduction 183

6.2 Security Failures 186

6.3 Functional and Attacker Perspectives for Security Analysis: Two Examples 189

6.4 System Complexity Drivers and Security 203

6.5 Deep Technical Problem Complexity 215

6.6 Summary 217

 

Chapter 7: Governance, and Managing for More Secure Software 221

7.1 Introduction 221

7.2 Governance and Security 223

7.3 Adopting an Enterprise Software Security Framework 226

7.4 How Much Security Is Enough? 236

7.5 Security and Project Management 244

7.6 Maturity of Practice 259

7.7 Summary 266

 

Chapter 8: Getting Started 267

8.1 Where to Begin 269

8.2 In Closing 281

...

Authors: Michael Noel.
Paperback, 576 pages
Publisher: Sams
Publication Date: 2005-09-03


Reviews :

   

A detailed look into best practice design, deployment, and maintenance of an ISA Server 2004 Environment.  Written by industry expert Michael Noel, of Convergent Computing, ISA Server 2004 Unleashed provides guidance for ISA deployment scenarios, including step by step guides for configuring ISA to secure Exchange Outlook Web Access, deploying ISA Server 2004 Enterprise edition arrays, setting up Site to Site VPNs, deploying ISA as a reverse proxy in the DMZ of a firewall, and much more.  This book covers ISA in great detail, with emphasis on real-world situations and labor-saving scripts that help administrators take control of an ISA environment and leverage its full potential to provide unprecedented levels of security to an environment.

...

Authors: Chris Wysopal. Lucas Nelson. Dino Dai Zovi. Elfriede Dustin.
Paperback, 312 pages
Publisher: Addison-Wesley Professional
Publication Date: 2006-11-27
Edition: 1

Reviews :

   

Risk-based security testing, the important subject of this book, is one of seven software security touchpoints introduced in my book, Software Security: Building Security In. This book takes the basic idea several steps forward. Written by masters of software exploit, this book describes in very basic terms how security testing differs from standard software testing as practiced by QA groups everywhere. It unifies in one place ideas from Michael Howard, David Litchfield, Greg Hoglund, and me into a concise introductory package. Improve your security testing by reading this book today.”

–Gary McGraw, Ph.D., CTO, Cigital; Author, Software Security, Exploiting Software, Building Secure Software, and Software Fault Injection; www.cigital.com/~gem

 

“As 2006 closes out, we will see over 5,000 software vulnerabilities announced to the public. Many of these vulnerabilities were, or will be, found in enterprise applications from companies who are staffed with large, professional, QA teams. How then can it be that these flaws consistently continue to escape even well-structured diligent testing? The answer, in part, is that testing still by and large only scratches the surface when validating the presence of security flaws. Books such as this hopefully will start to bring a more thorough level of understanding to the arena of security testing and make us all a little safer over time.”

–Alfred Huger, Senior Director, Development, Symantec Corporation

 

“Software security testing may indeed be an art, but this book provides the paint-by-numbers to perform good, solid, and appropriately destructive security testing: proof that an ounce of creative destruction is worth a pound of patching later. If understanding how software can be broken is step one in every programmers’ twelve-step program to defensible, secure, robust software, then knowledgeable security testing comprises at least steps two through six.”

–Mary Ann Davidson, Chief Security Officer, Oracle

 

“Over the past few years, several excellent books have come out teaching developers how to write more secure software by describing common security failure patterns. However, none of these books have targeted the tester whose job it is to find the security problems before they make it out of the R&D lab and into customer hands. Into this void comes The Art of Software Security Testing: Identifying Software Security Flaws. The authors, all of whom have extensive experience in security testing, explain how to use free tools to find the problems in software, giving plenty of examples of what a software flaw looks like when it shows up in the test tool. The reader learns why security flaws are different from other types of bugs (we want to know not only that ‘the program does what it’s supposed to,’ but also that ‘the program doesn’t do that which it’s not supposed to’), and how to use the tools to find them. Examples are primarily based on C code, but some description of Java, C#, and scripting languages help for those environments. The authors cover both Windows and UNIX-based test tools, with plenty of screenshots to see what to expect. Anyone who’s doing QA testing on software should read this book, whether as a refresher for finding security problems, or as a starting point for QA people who have focused on testing functionality.”

–Jeremy Epstein, WebMethods

 

State-of-the-Art Software Security Testing: Expert, Up to Date, and Comprehensive

 

The Art of Software Security Testing delivers in-depth, up-to-date, battle-tested techniques for anticipating and identifying software security problems before the “bad guys” do.

 

Drawing on decades of experience in application and penetration testing, this book’s authors can help you transform your approach from mere “verification” to proactive “attack.” The authors begin by systematically reviewing the design and coding vulnerabilities that can arise in software, and offering realistic guidance in avoiding them. Next, they show you ways to customize software debugging tools to test the unique aspects of any program and then analyze the results to identify exploitable vulnerabilities.

 

Coverage includes

• Tips on how to think the way software attackers think to strengthen your defense strategy
• Cost-effectively integrating security testing into your development lifecycle
• Using threat modeling to prioritize testing based on your top areas of risk
• Building testing labs for performing white-, grey-, and black-box software testing
• Choosing and using the right tools for each testing project
• Executing today’s leading attacks, from fault injection to buffer overflows
• Determining which flaws are most likely to be exploited by real-world attackers

 

This book is indispensable for every technical professional responsible for software security: testers, QA specialists, security professionals, developers, and more. For IT managers and leaders, it offers a proven blueprint for implementing effective security testing or strengthening existing processes.

 

Foreword xiii

Preface xvii

Acknowledgments xxix

About the Authors xxxi

 

Part I: Introduction

Chapter 1: Case Your Own Joint: A Paradigm Shift from Traditional Software Testing  3

Chapter 2: How Vulnerabilities Get Into All Software  19

Chapter 3: The Secure Software Development Lifecycle  55

Chapter 4: Risk-Based Security Testing: Prioritizing Security Testing with Threat Modeling  73

Chapter 5: Shades of Analysis: White, Gray, and Black Box Testing  93

 

Part II: Performing the Attacks

Chapter 6: Generic Network Fault Injection  107

Chapter 7: Web Applications: Session Attacks  125

Chapter 8: Web Applications: Common Issues  141

Chapter 9: Web Proxies: Using WebScarab  169

Chapter 10: Implementing a Custom Fuzz Utility  185

Chapter 11: Local Fault Injection  201

 

Part III: Analysis

Chapter 12: Determining Exploitability  233

 

Index  251

...

Authors: Graham Pulford.
Hardcover, 608 pages
Publisher: Butterworth-Heinemann
Publication Date: 2007-10-19


Reviews :

    High-Security Mechanical Locks comprehensively surveys and explains the highly technical area of high security locks in a way that is accessible to a wide audience. Well over 100 different locks are presented, organized into 6 basic types. Each chapter introduces the necessary concepts in a historical perspective and further categorizes the locks. This is followed by detailed "how it works" descriptions with many pictures, diagrams and references. The descriptions are based on actual dissections of the real locks.

The scope is limited to key operated mechanical locks, thus keyless combination locks and digital locks are not covered. The book does not deal with routine locksmithing topics such as installation and servicing of locks. The sensitive area of picking and bypassing of locks is dealt with only at a high level without giving detailed information that would be unacceptable in the wrong hands.

* Comprehensive coverage of over 100 different types of 19th and 20th century key-operated locks, unified in a simple classification scheme
* Detailed operating principles - clear "how it works" descriptions
* Manipulation resistance rating for each lock on a scale of 1 to 5...

Authors: John R. Vacca.
Hardcover, 408 pages
Publisher: Auerbach Publications
Publication Date: 2004-05-11
Edition: 1

Reviews :

    With the recent Electronic Signatures in Global and National Commerce Act, public key cryptography, digital signatures, and digital certificates are finally emerging as a ubiquitous part of the Information Technology landscape. Although these technologies have been around for over twenty years, this legislative move will surely boost e-commerce activity. Secure electronic business transactions, such as contracts, legal documents, insurance, and bank loans are now legally recognized. In order to adjust to the realities of the marketplace, other services may be needed, such as a non-repudiation service, digital notary, or digital time-stamping service. The collection of these components, known as Public Key Infrastructure (PKI), is paving the way for secure communications within organizations and on the public Internet....

Authors: Linda Criddle.
Paperback, 240 pages
Publisher: Microsoft Press
Publication Date: 2006-10-18


Reviews :

    Learn the 14 ways in which you can help make the Internet a safer place for you and your family. You teach your children to look both ways before crossing the street. You tell them not to talk to strangers. But do you really know how to teach them to safely use the Internet? In this book, Linda Criddle, a leading child safety expert, offers a practical education about what is safe, what is not, and how taking a few precautions can help your children avoid putting themselves at risk. Discover what the risks are today and common ways in which people inadvertently expose themselves and accidentally reveal information. Learn how to be alert, avoid instant messaging and e-mail dangers, blog and play games safely, and avoid harassment and bullying....