Security Cluelessness
September 11, 2005 10:00 PM   Subscribe

I'd like to get a handle on computer security. Where should I start? I'd like to stress that I am NOT talking about spyware and viruses here, but the more interesting things like authentication and authorization.

At work, I've had to get up to speed on a great number of things, but so far the new aspects of my experience haven't intersected the security aspects of the business. I'd like to know more before they do, and in support of that I want some advice on how to learn it.

I'm talking about (for example only!) JAAS, X.501 (?), SAML, et al. Where do they fit in, what is a complete system made up of, what are some relative merits, et al. Something not flat-out entry level (ie: Computer Security for Dummies) but rather an introduction for someone who knows how to program in a serious way, but doesn't know a damned thing about these beasties.

I'd prefer a book, if at all possible, although web sites are welcome as well.
posted by ChrisR to Computers & Internet (13 answers total)

Bruce Schneier's Applied Cryptography is pretty much a classic. Schneier provides both an in-depth view and a broad overview of security matters, so whether you feel like skimming or studying the book will probably be valuable to you.

I believe it also has code exmaples, so that could be pretty useful to you.
posted by fishfucker at 10:08 PM on September 11, 2005

Not to butt in, but Applied Cryptography is not really directly applicable to the topics you're asking about, but does discuss several of the underlying encryption algorithms used in other security technologies you may be interested in, outlining implementation strengths and weaknesses. And, yes, the book does have source code.
posted by Rothko at 10:48 PM on September 11, 2005

you should subscribe to the new podcast, Security Now:

This is fantastic and DOES spend a lot of time on viruses and worms, but also the issues you are talking about. There are only 4 shows so far so it won't take you long to get through them.

Not to be preachy here, but you might want to pick up another discipline if you don't find spyware and viruses interesting. These things, and other "real world" stuff, like human behavior (writing passwords down on paper, etc) are vital to get a full understanding of good security.
posted by phildog at 12:45 AM on September 12, 2005

Maybe this is more basic than what you were looking for, but when I was working as a computer salesmen and people asked what they could do to protect themselves from various Internet threats, I would generally print them off a copy of this:

Even is your interest goes beyond protecting your own machine, looking at a list like this and considering the security trade-offs involved should be useful.
posted by sindark at 12:55 AM on September 12, 2005

Best answer: First, some books:

Ross Anderson's "Security Engineering" is great. It's a developer's reference with lots of explanation and code examples of how to do things right in different contexts.

A second on Schneier's Applied Cryptography, but make sure you get the second edition. For a higher-level view (i.e. no code) on security concepts, Secrets and Lies is superb, particularly to get you into the mind frame of thinking about security in the right way.

Despite the terrible name, the Hacking Exposed books by the guys from Foundstone (Scambray, McClure, Kurtz) is a superb introduction on how to actually break into systems, including the tools and commands you can use from home. Currently on the 5th edition.

So, I suggest you start with Secrets and Lies, then move onto the Anderson book. This should give you a good grounding in the theory and on how you'd implement with practical coding.
From there you should be able to pick up any specific technologies through Security Focus and general googling.
posted by quiet at 12:57 AM on September 12, 2005

Not to be preachy here, but you might want to pick up another discipline if you don't find spyware and viruses interesting.

I got the impression that he only said that to differentiate his question from the vastly more common "how can I protect my Windows box from the Internet?" ones.

Schneier is great. The Hacking Exposed books look good, I have an older one that I still haven't read much of, but the way it's laid out is pretty intelligent.

One huge tip that you may already have undertaken (hard to tell) is to learn UNIX. Simply learning how to administer a Linux/BSD server, and reading the various literature associated with that practice, will expose you to a lot of basic security knowledge and concepts that Windows administration/usage doesn't.
posted by cyrusdogstar at 5:14 AM on September 12, 2005

With the recommendations for Applied Cryptography here I guess I should mention that I am reading Secrets and Lies now, and the first thing that Scneier talks about is how wrong he was about so many things when he wrote Applied Cryptography. He almost seems to say that it's not worth reading. Granted I haven't read it, but when the author of a book gives that kind of warning I would definitely give it some thought.
posted by Who_Am_I at 6:48 AM on September 12, 2005

Response by poster: phildog writes "Not to be preachy here, but you might want to pick up another discipline if you don't find spyware and viruses interesting. These things, and other 'real world' stuff, like human behavior (writing passwords down on paper, etc) are vital to get a full understanding of good security."

As cyrusdogstar says above, I'm more interested in specific aspects of security, and wanted to differentiate my question.

For clarification, maybe it'll help if I give a bit of background on what we do. We write a mail server, a message delivery system (BIG scale) and administration software in the form of PHP, Scripts, and J2EE front ends. Security is very important to the company. Is there anything I could focus on that would help get the hang of the complexities of this sort of system?
posted by ChrisR at 8:08 AM on September 12, 2005

In before the inevitable "if you want security, don't use PHP" snark. Which does have a fair amount of merit, but like everything else, the language is only a tool in the end, so if you write it well, PHP might still be the correct tool for the job.

Back on topic: If you're writing such large scale and complex apps, you'll need to do a LOT of reading to effectively secure even a middling-sized part of what your company produces. You may wish to focus on 'holistic security', which I don't think is really a discipline as much as a general mindset--taking everything into account and examining the system as a whole.

In other words, knowing what PHP functions lead to gaping security holes is useful, but what may be more useful is the general tenet 'Don't trust user input' which can be applied across the board. Or knowing how to properly apply defense-in-depth. Knowing that security through obscurity very, very rarely works. Stuff like that.
posted by cyrusdogstar at 10:31 AM on September 12, 2005

Response by poster: I'm less interested in hearing about security holes in various platforms than I am in learning about the security models for inter-application and inter-corporation communications. Application-level and protocol-level authentication, etc.

Whether or not PHP has flaws isn't material to my interest, neither is Windows/Java/foo/bar/baz or the other thing. Rather, there are IETF standards for this, which interact with each other in some ways, and I want to know more about that. To which end that Security Engineering book looks promising.
posted by ChrisR at 3:15 PM on September 12, 2005

Not to be snarky, but -- if you're interested in what the standards say, then I'd strongly recommend reading the standards. You should be able to grab free copies from a library (particularly a university library).
Having just read a bunch of them, I can tell you that they're pretty dry, but definitely readable.
posted by coriolisdave at 4:16 PM on September 12, 2005

You might also want to consider checking out the many study guides for the CISSP exam. The CISSP certification - geared more towards technically oriented management-types than techies - is described as "a mile wide and two inches deep", giving you a good overview of all aspects of security.

They use a system referred to as the Common Base of Knowledge, or CBK, which breaks the security field into ten domains. They are:

Security Management Practices
Security Architecture and Models
Access Control Systems and Methodology
Application Development Security
Operations Security
Physical Security
Telecommunications, Network, and Internet Security
Business Continuity Planning
Law, Investigations, and Ethics

If you do some study toward this area, you will not only get a greater understanding of the security field in general, but some progress toward a good certification.

Full disclosure: I am a CISSP.
posted by tkolstee at 3:27 PM on September 13, 2005

« Older What's the best way to keep my apartment clean of...   |   Name my cousin's new observatory. Newer »
This thread is closed to new comments.