New: Book Report: Foundations of Security

This is an introduction to computer security for programmers. It's subtitled, "What every programmer needs to know." By reading this book I learned... I learned that I'd already learned the foundations of computer security. That doesn't mean that this book is worthless; actually this book is pretty good. I'm just saying that you can learn most of this material in a haphazard fashion by reading comp.risks for 20+ years. What's that you say? You don't want to read something for 20+ years? OK, reading this book would be quicker; you can polish it off in a few hours, longer if you work through the exercises.

If you retain what you've learned, maybe I won't be reading about you in comp.risks. Let's hope that doesn't happen. Why do I learn so much from comp.risks? Because I remember what I read there. Why do I remember? Because it's full of security horror stories. Some poor slob programmer forgot to check this one little thing, and look at how many things fell apart as a result. Scary stories.

Actually, I did get something out of this book. There was some good advice on how to think about escaping & unescaping text for db-backed web apps (i.e., for most of the software that folks write these days) without going nuts keeping track of it all. For that, I'm glad that I read this book. I learned what triple-DES is. For those things and... you know, when you learn something haphazardly, you never really know how well you've learned it? This book was reassuring.
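As an added illustration of the escaping problem mentioned above (this is not the book's own advice or code, only one common way of keeping the bookkeeping manageable): keep data raw inside the program and encode it only at the boundary where it leaves, letting the database driver quote SQL values through bound parameters and HTML-escaping only when rendering. The in-memory SQLite table, its rows, and the injection-style input below are all constructed for this example.

```python
"""Added example: keeping escaping straight in a db-backed web app.

Rule of thumb demonstrated here: data stays raw inside the program and is
encoded only at the boundary where it leaves (SQL via bound parameters,
HTML via html.escape at render time). The sqlite3 in-memory database and
the sample rows are constructed for this example, not taken from the book.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table of users (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' case: string concatenation, quoting left to the caller.

    Because nobody tracks whether `name` has already been escaped, an input
    containing a single quote rewrites the WHERE clause.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameters: the driver does the SQL quoting, so the program never
    has to remember whether a string is escaped for SQL. Input is data only."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_row(name: str, email: str) -> str:
    """HTML-escape at the output boundary, never earlier: the database holds
    raw text, so a value is escaped exactly once, when it becomes HTML."""
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(email)}</td></tr>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that breaks out of a quoted literal
    print("unsafe:", lookup_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_safe(db, probe))     # no row has that literal name
    for n, e in lookup_safe(db, "alice"):
        print(render_row(n, e))
```

The point of the split is that each encoding happens in exactly one place: SQL quoting in the driver, HTML escaping in `render_row`. A value that is escaped in two places, or in a place that depends on where it came from, is the pattern that makes the bookkeeping impossible to keep straight.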


Posted 2008-05-31