<![CDATA[Doug added 'The First Directorate: My 32 Years in Intelligence and Espionage Against the West']]>

false

47 true 5809667 read 10 true 266087 currently-reading 12 true 266086 to-read 6 false 292628 couldnt-finish 2 false 266105 handy-for-re-reading <![CDATA[Doug added 'The First Directorate: My 32 Years in Intelligence and Espionage Against the West']]> http://www.goodreads.com/review/show/79198038 The First Directorate: My 32 Years in Intelligence and Espionage Against the West (Hardcover) by Oleg Kalugin
bookshelves: to-read
a recommendation from Mom ]]> <![CDATA[Doug added 'The Tipping Point']]> http://www.goodreads.com/review/show/59922450 The Tipping Point (Paperback) by Malcolm Gladwell
bookshelves: to-read
]]> <![CDATA[Doug added 'Consider Phlebas']]> http://www.goodreads.com/review/show/58460410 Consider Phlebas (Paperback) by Iain M. Banks
bookshelves: currently-reading
]]> <![CDATA[Doug added 'Fifty Dead Men Walking']]> http://www.goodreads.com/review/show/53104491 Fifty Dead Men Walking (Paperback) by Martin McGartland
bookshelves: to-read
]]> <![CDATA[new comment from Doug]]> http://www.goodreads.com/review/show/43091980 Doug's review of The Goal
by Eliyahu M. Goldratt

I can't believe there was ever a time people ran a business without thinking about cash flow. ]]> <![CDATA[Doug added 'Vibes']]> http://www.goodreads.com/review/show/45028203 to: Vibes (Hardcover) by Amy Kathleen Ryan
bookshelves: couldnt-finish
A recommendation from Amy Ryan.

I bought book this because I like the author. I read the first five or ten pages, and the writing style is light, clever and hilarious. I laughed on every page but had to admit I don't find a lot of interest in young adult fiction and wasn't connecting with the 15 year old female protagonist.

I passed it off to a bored 14 year old girl at my dinner party full of boring adults last night, and by the time everyone was putting on scarves and packing up to leave she had read through half the book! It's hers now; I'm hoping she passes it on to a friend when she's done. ]]> <![CDATA[Doug added 'The New School of Information Security']]> http://www.goodreads.com/review/show/43606346 to: The New School of Information Security (Hardcover) by Adam Shostack
Recommendation from Robin Shostack...

This book speaks to CIO/CSOs and not to security professionals. I recommend this book for anybody who consumes security solutions or needs to make security software purchasing decisions.

The book is full of good, rich examples and is well written.

I have a big problem in that I flatly disagree with the thesis, which is that the "new" focus on security should be an intense review of security breaches.

Let me back up. I think you can act upon security in a number of ways. I'm splitting the levels of understanding into four for purposes of this review. The most regressive, ineffective method is to concentrate on breaches. Not to say there's no value in this; studying failures is good, I want somebody to do it and I want to read the results. But it's not actually doing anything. You've still lost your data, or lost your reputation, or perhaps you've already gone out of business.

The status quo is what I would call the "sophomore" level: focusing on attacks. Intrusion detection falls in this space, and it can be effective and you probably don't want to do without it... but it's not a good return on effort.

To begin thinking about the security problem with an adult perspective is to place your focus on threats. You simply get a lot more bang out of understanding what's at stake and how an attacker (or bug) would most likely compromise what you care about the most.

The highest level of understanding I can think of is to focus on prevention. This is either the next step from understanding threats, or it's simultaneous with doing so. Should we even hold that thing the attackers want so badly? Is there missing input validation in my gateway application to that resource? Are access controls really set up the way they were designed to be?

I felt a little lost in that the endnotes were not numbered, but maybe I'm a just a nerd and it's for the best.

The publisher stuck a sneak preview of _Geekonomics_ into the end and I'm interested in reading that now. ]]> <![CDATA[Doug added 'Secure Programming with Static Analysis: Getting Software Security Right with Static Analysis']]> http://www.goodreads.com/review/show/9714509 to: Secure Programming with Static Analysis: Getting Software Security Right with Static Analysis (Addison-Wesley Software Security) by Brian Chess
Disclaimer: I work with Brian and Jacob at Fortify.

Wow, does what it says on the tin. Explains the nose to tail of what static analysis will do for you, including how you should interpret the results and what you should expect to get out of it.

In terms of real world use, the book is light on the subject of how static analysis fits in with dynamic analysis, architectural reviews, threat modeling etc. but this is outside the stated scope anyway.

I'm a strong believer that computer assisted code reviews are the only way we as a civilization are going to escape from the information security problem we have now.

An excellent reference for the low level of how best to remedy or mitigate all the most common types of vulnerabilities. I got hold of an electronic copy and reference this all the time in my professional work. ]]> <![CDATA[Doug added 'Slouching Towards Bethlehem: Essays']]> http://www.goodreads.com/review/show/43417618 Slouching Towards Bethlehem: Essays (Paperback) by Joan Didion
bookshelves: to-read
I read an excerpt from these in school and have always wanted to read the whole thing. ]]> <![CDATA[Doug added 'The Goal']]> http://www.goodreads.com/review/show/43091980 to: The Goal (Paperback) by Eliyahu M. Goldratt
bookshelves: to-read
A recommendation from Roger Thornton ]]>