Ben's Book of the Month: Review of "Computer Security and the Internet"

Posted on by Ben Rothke

One of the issues with cryptographers is that they often are not the best writers. They can write crypto algorithms that make the world secure, but they are often challenged to write in a manner that an information security professional can understand. Crypto is so unique that even RSA Conference has a separate Cryptography Track.


Paul C. van Oorschot is a cryptographer and Professor of Computer Science at Carleton University in Ottawa, Ontario (note to Americans, Carleton University is not Carleton College, which is in Minnesota). While he may be a cryptographer of par excellence, in Computer Security and the Internet: Tools and Jewels from Malware to Bitcoin (Springer), he is also a superb writer. The book is a technical tour de force and is a helpful reference.


While van Oorschot is an academic, and the book has its primary audience in students in a one-term or two-term, third- or fourth-year undergraduate course in computer science, those in the corporate world looking for a highly technical reference will find the book to be quite valuable.


At a little over 400 pages, the book covers all the core areas of information security. It cannot be fully comprehensive, and while it may sacrifice depth for breadth, van Oorschot provides countless references in every chapter for the reader who wants to (and should) dig deeper into the topic.


A common mistake in information security is that hardware and software can protect you. Every company that has suffered a breach finds that is simply not the case. In Chapter 1, van Oorschot lists 22 design principles for computer security.


He notes that no complete checklist exists that system designers can follow to guarantee that computer-based systems are secure. The reasons are many, including significant variations across technologies, environments, applications, requirements, and more. However, the design principles he details are critical for firms to consider if they are serious about security. Security hardware and software do not and cannot work in a vacuum. And if they are not deployed in the framework of a secure architecture, they will just be the technologies that can be blamed in the event of a breach.


Some of the core design principles he details include open-design, isolated components, database validations, and more. These are core considerations that are often not considered and, worse, ignored. Any organization that takes this list of 22 design principles to heart will undoubtedly have better security controls to show for it.


Even with those design principles, the next section in the book is about why computer security is hard. van Oorschot observes, as Andrew Stewart wrote in A Vulnerable System: The History of Information Security in the Computer Age, that many of today’s fundamental problems in computer security remain from decades ago, despite massive changes in computer hardware, software, applications, and environments. He lists 20 detailed reasons this is the case.


And it is worth noting that the 20 reasons are but a partial list. Security professionals should not be depressed by this any more than an oncologist would be depressed by high morbidity rates in their profession. These 20 reasons can be seen as opportunities for improvement. The bottom line is that computer security is not simple, is fraught will challenges, and includes many difficulties on the road. Nevertheless, with all that, it is a fascinating and challenging career and an essential imperative to ensure secure computing.


Computer Security and the Internet: Tools and Jewels from Malware to Bitcoin is your go-to guide for those looking for a solid computer security introduction. As a first-rate computer scientist and writer, van Oorschot has written a book that will make you a much smarter and better information security professional.

Ben Rothke

Senior Information Security Manager, Tapad

Technology Infrastructure & Operations

cryptography data security software integrity

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs