VBug have kindly given me a couple of books to review; so here's the first one, a review of Defeating The Hacker by Robert Schifreen.
This review was originally posted on the VBug blog.
I never have high hopes for "non-technical" security books; I tend to read these things with a developer's eye, and they usually skimp and scrape on detail. Schifreen's attempt is riddled with inconsistencies, inaccuracies and out-of-date information.
| Defeating the Hacker | |
|---|---|
| author | Robert Schifreen |
| pages | 391 |
| publisher | Wiley |
| rating | 5/10 |
| isbn | 0470025557 |
| summary | A non-technical guide to IT security |
The good side: each chapter is easy to read, covers a single topic and closes with a checklist of five action points, the "Fundamental Five". The information in each chapter is generally relevant, albeit with varying degrees of technical depth.
The bad side: the inconsistency. For example, the chapter on firewalls states:
"When I ask penetration testers how often they manage to bypass a company's firewall, they talk of a 70% success rate. Yet if you peruse the glossy brochures published by those who sell firewalls, the implication is that the product offers 100% protection and is completely unhackable. So who's telling the truth? Actually everyone is."
He goes on to explain that firewalls only guard the perimeter, which is true, but there is no mention of exploits, either against the firewall itself or against, for example, a public-facing website behind that firewall which can be used to piggyback in, thus leaving a major problem untouched.
He covers a lot about operating system vulnerabilities, concentrating on Windows, but when it comes to website development problems he switches to PHP and MySQL, leaving ASP and ASP.NET developers in the dark. When wireless security is covered, WPA is touched upon without stating the need for drivers that support it. When email is covered, SPF, Sender ID et al. don't get a mention. When he talks about robots.txt, a way of stopping Google et al. from crawling particular pages, he fails to mention that anyone, including that evil hacker, can read the file and discover part of your directory structure. The chapter on P2P seems like padding, and the chapter on DRM treats it as a security tool, which is a shallow treatment of the topic. At one point he bemoans the problems of USB devices, only to recommend them later in the book.
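To make the robots.txt point concrete, here is an added example (not from the book or the original review) that parses a robots.txt file the way a crawler would and lists every path it is asked not to visit. The sample file is constructed for this example; the host name example.com and the helper names are assumptions. Because the file is served to anyone who asks, those Disallow lines are exactly the directory names the site owner would rather not advertise.

```python
"""Parse a robots.txt file and list the paths it asks crawlers to avoid.

Added example, not code from the book or the review. The sample file
below is constructed; a real file would be fetched from /robots.txt.
"""
from urllib.parse import urljoin

# Constructed sample robots.txt, in the form a site might publish it.
SAMPLE_ROBOTS = """\
# robots.txt for example.com (constructed sample)
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Disallow: /private/reports.xls
Allow: /private/public-notice.html

User-agent: Googlebot
Disallow: /staging/
Sitemap: https://example.com/sitemap.xml
"""


def parse_robots(text):
    """Return (groups, sitemaps).

    groups:   list of (agents, rules); agents is a list of lowercased
              User-agent tokens, rules a list of (directive, path) with
              directive in {"allow", "disallow"}.
    sitemaps: list of Sitemap URLs, which are not tied to any group.
    """
    groups, sitemaps = [], []
    agents, rules = [], []
    in_rules = False  # True once the current group has received a rule
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:  # a User-agent after rules starts a new group
                groups.append((agents, rules))
                agents, rules, in_rules = [], [], False
            agents.append(value.lower())
        elif field in ("allow", "disallow"):
            if not agents:
                continue  # rule with no preceding User-agent: ignore
            rules.append((field, value))
            in_rules = True
        elif field == "sitemap":
            sitemaps.append(value)
    if agents:
        groups.append((agents, rules))
    return groups, sitemaps


def disclosed_paths(text, base="https://example.com/"):
    """Every non-empty Disallow path in the file, as absolute URLs, in order.

    An empty 'Disallow:' means 'allow everything' and reveals nothing,
    so it is skipped.
    """
    groups, _ = parse_robots(text)
    seen, found = set(), []
    for _, rules in groups:
        for directive, path in rules:
            if directive == "disallow" and path and path not in seen:
                seen.add(path)
                found.append(urljoin(base, path))
    return found


if __name__ == "__main__":
    for url in disclosed_paths(SAMPLE_ROBOTS):
        print(url)
```

Run against a real site, the output is a ready-made list of candidate admin, backup and staging locations to probe; the file hides pages from well-behaved crawlers only, and anything that genuinely must not be reached needs authentication or access control, not a robots.txt entry.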
The book doesn't seem to know what target audience it is aiming for: some topics touch home users, some touch business managers, and the treatment of SQL injection is aimed at developers. This is typical of the slapdash attempt to cover too much in too little space.
Would I recommend it? For developers, no; get hold of Writing Secure Code (Howard and LeBlanc) instead. For managers of small businesses, perhaps. It's a reasonable introduction to the topic, although, of course, a little knowledge is a dangerous thing; still, raising awareness is always useful.