[.ca] Computer Security: Art and Science (ISBN 0201440997)

overrated:
I just recently finished a class in computer and network security that used this as its textbook. It has too much theory and not enough application. I enjoy reading, but this book doesn't make for good reading. It's incredably dull, and unless you're very interested in the engineering side of security, stay as far away from this book as you can. It doesn't even cover many of the biggest threats to computer security today, and the few that it does mention don't get any in-depth discussion.

Superb:
This book gives an excellent introduction to the subject of computer security, both from a practical and theoretical point of view. Computer scientists and not security professionals will probably gain the most from the reading of the book, but there is enough practical discussion to allow the latter to gain more insight into various aspects of computer security, particularly in the mathematics of encryption. The book is designed for use in academic classroom settings, and the author gives two different outlines for use in both undergraduate and graduate level courses. The book is divided up into 9 parts, only parts 2 and 3 of which I read in any detail, with the rest only briefly perused. For this reason only these two parts will be reviewed here. Part 2 of the book is a view of security from the standpoint of theoretical computer science. The author discusses models for the decidability of security systems, i.e. is there a generic algorithm that will determine whether a computer system is secure? As expected, this question is addressed in the context of Turing machines, and the author shows that it is undecidable whether a given state of a given protection system is safe for a given generic right. However the proof proceeds by contradiction, and those of us who insist on constructive proofs in all of mathematics will not accept this one. It would be interesting to find a constructive proof of this result. If the protection system is restricted in some way then they safety question is decidable. The author discusses such a system, the "Take-Grant Protection Model" in terms of directed graphs, and he shows that this model is decidable in linear time with respect to the size of the graph. He then explains the reasons why a safety model can be decidable versus one that cannot be, via a highly technical discussion of the "Schematic Protection Model" (SPM). This section is very interesting due to the nature of the mathematical constructions that are used. These constructions make it readily apparent why the (undecidable) Harrison-Ruzzo-Ullman (HRU) model is more expressive than the SPM. The expressive power of the different models derives from the notion of a 'type', and this motivates the author to consider the 'typed access matrix model' and its utility in detailing a system's safety properties. In Part 3, the author gets down to more practical matters, and discusses the implementation of security policies. Taking a computer system to be a finite-state automaton with transition functions that change state, a security policy is defined as a statement that partitions these states into 'secure' and 'nonsecure' states. Secure systems are defined as those that cannot enter a nonsecure state if they are in a secure state. All throughout this part the author emphasizes that fact that all security policies are based on assumptions that would lead to the destruction of these policies if they are false. The author discusses a practical example of a security policy in this part. Also discussed is the relation between security and precision, with the idea of a covert channel arising in this context. The author proves that there is no general procedure for constructing a system that conforms exactly to a specific security policy but that allows all actions that the policy allows. The Bell-LaPadula confidentiality model, which has its origins in military applications, is also discussed in Part 3. The author explains a confidentiality policy as being a 'information flow policy', which prevents the unauthorized disclosure of information, with unauthorized alteration of information being secondary. An explicit example of this security involving a UNIX operating system is discussed. A formal model is then proposed, and the author then uses the accompanying formalism to prove the 'basic security theorem'. The formal model constructed by the author is interesting in that it can be viewed as a (discrete) dynamical system, with transitions governed by decisions that are responding to requests for access. A system is called secure if it satisfies three conditions, namely the 'simple security condition', the '*-property', and the 'discretionary security property'. The first condition states that a subject that can read or write to an object must dominate it. The *-property states that if a subject can write to an object, the classification of the object must dominate the subject's clearance; if the subject can also read the object, the subject's clearance must be the same as the object's classification. The discretionary security property relates the authority of the access control matrix to allow the controller of an object to condition access based on identity. The author also discusses in detail the objections to the Bell-LaPadula model of computer security. The author then directs his attention to integrity policies, wherein the emphasis is on ensuring data integrity, and he discusses various integrity security policies in this regard. One of these is the Biba integrity model, which as it turns out is the mathematical dual of the Bell-Lapadula model, wherein a system is now composed of a set of subjects, objects, and integrity levels. The higher the "integrity level", the more confidence there is that a program will execute correctly. This model is then generalized to the Lipner integrity matrix model, which is a hybrid of Biba and Bell-Lapadula, this being done to obtain a model more suitable for commercial needs. The author then considers the Clark-Wilson integrity model, which uses transactions as the basic operation, and wherein data subjected to integrity controls becomes 'constrained data items.' Various certification and enforcement rules are imposed that give this model more commercial applicability than the others, even though the certification process can be very complex and the prone to error. The author compares the Clark-Wilson model with the Biba model and is clearly on the side of the former in terms of practicality, although in the exercises he asks the reader to construct an emulation of the Biba model using Clark-Wilson.

One of few books that can qualify as a textbook in infosec:
Please understand that the Amazon star system, while very powerful has limits, I feel this book is 5 stars as a textbook for an undergrad computer security course, 4 stars for a graduate student and 3 stars for a book on the average information security worker's shelf. Computer Security Art and Science has been years in the making and for good reason; it is over a thousand pages. The book seems best suited for four groups of readers. The first group is college students; this will probably be a popular choice as a textbook for undergraduate level students and with additional materials, graduate level students. It is a complete guide to computer security terminology and theory. Other groups of readers that would benefit from this book include security knowledgeable managers seeking to assess the knowledge of potential employees especially in policy and architecture positions. A third group includes anyone preparing for information security certifications. If you are wish to certify you will benefit from a close reading of this text before attempting your examination. Finally, anyone seeking to understand the big picture of information security would benefit from Computer Security Art and Science. However the book's value is primarily as a textbook! Like most authors writing a security book, Matt has chosen to start at a basic level beginning with a discussion of confidentiality, integrity and availability. As a reviewer I was quietly wondering how long he would stay there. The answer proved to be one chapter only and at the back of the chapter one the author has included insightful, thought provoking study questions. If I were considering hiring someone who claimed to have experience in information security that could not answer these questions, I would show them the door. Now to consider the rest of the book! On the first page of chapter two we are introduced to logical equations. This is where the casual reader is likely to get off the bus while the diligent student with a qualified instructor gets on. As soon as I saw the equations with no explanation of how to read them, I could see someone browsing in a bookstore shut the cover and move on. Be brave and press on is my advice; the book is well worth it even if some of the illustrations are beyond comprehension without a teacher's guide. It says in the preface this book was designed to be a college level textbook. They have to put a few inscrutable pages in the book so the professors can appear to be smarter than the students. The cryptography section, chapters 9 - 11 are very approachable and while not as in depth as some other sections, they would help anyone preparing for the various industry security certifications including CompTIA's Security +, ISC2's CISSP and SANS' GSEC. In fact the entire book would be beneficial for any of these. The table of contents says that part 6 of the book, assurance, chapters 18 - 21, were contributed by a different author, Elisabeth Sullivan. I read those chapters closely and could not detect a different tone or level of quality; the authors are to be congratulated for that. Nice use of humor on the heading title for 18.1.1, "The Need for Assurance" and where else can you read about "Extreme Programming". No book is perfect, the intrusion detection and penetration testing discussions need to be beefed up, but chapter 29, Program Security more than makes up for them. That chapter should be required reading before anyone is allowed to touch a compiler. I donate most of the books people send me to review to my local library, but this one stays on the shelf and I am setting an iCal reminder to re-read the policy and audit sections a couple months from now.

Excellent, but not for the newbie:
Computer Security: Art and Science is an excellent book. But not for the newbie. It is on the same lines as Schneier's Applied Cryptography. Excellent, but get your math skills out.

An excellent college-level educational resource:
Computer Security: Art And Science by Matt Bishop (Associate Professor, Department of Computer Science, University of California - Davis) is an extensive, 1084-page instructional introduction to the science and challenges of computer security, and which is useful as either a classroom text or as a self-teaching tool. Individual chapters address all aspects of computer security including methodologies and technology for improved security, ways to analyze vulnerability and detect intrusions, computer security examples, ways to limit access privileges, digital signatures, and a great deal more. An excellent college-level educational resource for the digital age, Computer Security is an essential, accessible, core addition to any personal or professional computer security reference collection.