Thinking Security: Stopping Next Year's Hackers (Addison-Wesley Professional Computing Series) 1st Edition, Kindle Edition

4.6 out of 5 stars, 13 ratings

If you’re a security or network professional, you already know the “do’s and don’ts”: run AV software and firewalls, lock down your systems, use encryption, watch network traffic, follow best practices, hire expensive consultants . . . but it isn’t working. You’re at greater risk than ever, and even the world’s most security-focused organizations are being victimized by massive attacks.

In Thinking Security, author Steven M. Bellovin provides a new way to think about security. As one of the world’s most respected security experts, Bellovin helps you gain new clarity about what you’re doing and why you’re doing it. He helps you understand security as a systems problem, including the role of the all-important human element, and shows you how to match your countermeasures to actual threats. You’ll learn how to move beyond last year’s checklists at a time when technology is changing so rapidly.

You’ll also understand how to design security architectures that don’t just prevent attacks wherever possible, but also deal with the consequences of failures. And, within the context of your coherent architecture, you’ll learn how to decide when to invest in a new security product and when not to.

Bellovin, co-author of the best-selling Firewalls and Internet Security, caught his first hackers in 1971. Drawing on his deep experience, he shares actionable, up-to-date guidance on issues ranging from SSO and federated authentication to BYOD, virtualization, and cloud security.

Perfect security is impossible. Nevertheless, it’s possible to build and operate security systems far more effectively. Thinking Security will help you do just that.

Editorial Reviews

About the Author

Steven M. Bellovin, a professor in the department of computer science at Columbia University, has played an active role in securing the Internet. He has received the Usenix Lifetime Achievement Award and the NIST/NSA National Computer Systems Security Award. He is a member of the National Academy of Engineering and of the Cybersecurity Hall of Fame, and has served as Chief Technologist of the Federal Trade Commission and as Security Area director for the Internet Engineering Task Force. He is coauthor of Firewalls and Internet Security, now in its second edition (Addison-Wesley, 2003).

Product details

  • ASIN: B018WFEESS
  • Publisher: Addison-Wesley Professional; 1st edition (December 3, 2015)
  • Publication date: December 3, 2015
  • Language: English
  • File size: 21728 KB
  • Simultaneous device usage: Up to 5 simultaneous devices, per publisher limits
  • Text-to-Speech: Enabled
  • Screen Reader: Supported
  • Enhanced typesetting: Enabled
  • X-Ray: Not Enabled
  • Word Wise: Not Enabled
  • Print length: 648 pages
  • Customer Reviews: 4.6 out of 5 stars, 13 ratings

Customer reviews

4.6 out of 5 stars
13 global ratings

Top reviews from the United States

  • Reviewed in the United States on February 13, 2016
    Prof. Bellovin is a well-known IT security expert. His book is quite thought-provoking, very recently published. At times it can seem a bit academic in tone. That's OK for me, as his information is very sound and thoroughly researched. It's a very dense, sometimes tongue-in-cheek narrative. I'm not quite done with reading it my usual twice for books of this nature, but I will. I highly recommend acquiring and reading it, if you work or have responsibilities in the Information Technology Security area. You may not agree with each and every thing he says, but the book will lead you to sit back and reexamine many of the existing IT security "givens," upon which he casts well-deserved criticism. Owing to the publishing cycle, Microsoft's most recent desktop operating system, Windows 10, is not mentioned in the book. I hope there will be a second edition soon.
    2 people found this helpful
  • Reviewed in the United States on December 4, 2015
    As a security practitioner on the "front-lines", I really enjoyed this book. Good coverage of threat modeling, and rational defense tactics and strategy. Most of the focus is on first principles (centralized auditing, logging, authentication, rational cloud storage & vm techniques, practical crypto considerations) which are easy to lose sight of in the trenches. Strongly recommended for students, technology professionals, and security researchers. Really, well done Dr. Bellovin.
    7 people found this helpful
  • Reviewed in the United States on February 13, 2017
    Preliminaries: I requested the book for review from a publisher agent (one year delay for which I deeply apologize).

    TL/DR: Computer security practice is in terrible shape. It will remain in terrible shape as long as we fail to heed Thinking Security’s central message: Revisit on a much more frequent basis the assumptions that inform ‘best practices’ security advice, and retool accordingly. The rapid co-evolution of technology and threats demands no less.

    Consider the assumptions underlying the advice to pick strong passwords. Suggested by a 1979 Morris-Thompson paper in an era of electromechanical dumb terminals and few logins with no local computational power to speak of, this advice turns out to be spectacularly ineffective in the era of “smart” phones, tablets, dozens of individual credentials stored non-locally, and 7-8 orders of magnitude increase in computing power. Threats evolved from essentially tech exploration of the 1980s (watch “Freedom Downtime” to get a feel for these bygone times) to the current Crimeware-as-a-service model, complete with bulk discounts, auctions, monetization, ticketing, money-back guarantees and help desk. Attackers succeed because they violate assumptions (google “2010 bilar assumption subversion” for a discussion).

    Keeping this framing in mind, one goal of Thinking Security is to help the diligent practitioners think through the implications of security decisions.
    Bellovin tells us to look for the blindspots (“what aren’t you showing me?”) that may skew such decisions. He stays clear of the current quantification absolutism, stating plainly that no reliable numbers for a given component’s trustworthiness exist. Furthermore, should they hypothetically exist, they’d be unlikely to be useful in different contexts. I appreciated his effective “make it easier for programmers to do the right thing than the wrong one” (ESAPI safety wrappers, LANGSEC based parsers come to mind). The commonsense advice to discuss technical risks in a comprehensible fashion, framing it in terms of effects (“attacker can steal login credentials and we are liable”) rather than vectors (“2nd order MSSQL injection”) is far too often ignored.

    Aside from “mindware”, the second goal of "Thinking Security" is teaching architecture design that can deal with failure, illustrated by quasi-realistic hypothetical scenarios in the medical practice, e-commerce and IoT space. A critique of the traditional ‘walls and doors’ paradigm would have benefited from a discussion of Google’s no perimeter zero-trust BeyondCorp model.

    In closing, Bellovin mentions that he has yet to see a system analysis that makes explicit the time and threat assumptions. This is a topic near and dear to my heart, and one in which there has been very recently unexpected progress (google “bilar medium attacker work effort”). He furthermore wishes for a magic wand that could fix all of today’s security problems, the wand needing to be kept in motion, continually casting and re-casting spells. In that context, it is a lost opportunity that security and resiliency-oriented workflows like Mozilla’s test-driven CI/CD security and Etsy’s/Netflix’s Chaos Engineering were not brought up.

    The book’s stated primary purpose is to teach how to think about change; outlasting, as it were, any specific facts cited. It’s a deep, thinking man’s meta-security treatise which this short review cannot possibly do justice.
    5 people found this helpful

Top reviews from other countries

  • Squad
    5.0 out of 5 stars Great book
    Reviewed in Germany on October 23, 2016
    I find this book very good. It provides a lot of details and ideas on what to consider about most security topics. However, since the book speaks also about tomorrow, I would have liked some words on the role of artificial intelligence in cybersecurity.
