Editor: Marty Stytz, mstytz@att.
net
BookReviews
Building a Foundation
NANCY R. M EAD
Software Engineering Institute
M any security faculty
members and practi-
tioners bemoan the lack
of good books in the field. Those of
us who teach often find ourselves
forced to rely on collections of pa-
pers to fortify our courses. In the last
few years, however, we’ve started to
Reviewed in this issue:
Matt Bishop, Computer Security: Art and Science, Addison-
Wesley, 2003, ISBN 0-201-44099-7; 1,084 pages, US$74.99
see the appearance of some high-
quality books to support our en-
deavors. Matt Bishop’s book—Com-
puter Security: Art and Science—is
definitely hefty and packed with lots
of information. It’s a large book
(with more than 1,000 pages), and it
covers most any computer security
topic that might be of interest.
Fortunately, Bishop breaks all this
information down into eight, easy-
to-follow parts: Introduction, Foun-
dations, Policy, Implementation I
(Cryptography), Implementation II
(Systems), Assurance, Special Topics,
and Practicum. The Foundations
section discusses basic security issues
at the definitional level. The Policy
section addresses the relationship be-
tween policy and security, examin-
ing several types of policies in the
process. Implementation I covers
cryptography and its role in security.
Implementation II describes how to
apply policy requirements in sys-
tems. The Assurance section, which
14 PUBLISHED BY THE IEEE COMPUTER SOCIETY
Elisabeth Sullivan wrote, introduces
assurance basics and formal methods.
The Special Topics section discusses
malicious logic, vulnerability analy-
sis, auditing, and intrusion detection.
Finally, the Practicum ties all the pre-
viously discussed material to real-
world examples. A ninth additional
section, called End Matter, discusses
miscellaneous supporting mathe-
matical topics and concludes with an
example. At a publisher’s list price of
US$74.99, you’ll want to know why
you should consider buying such an
expensive book.
Several things set it apart from
other, similar, offerings. Most im-
portantly, the book provides numer-
ous examples and, refreshingly, defi-
nitions. A vertical bar alongside the
examples distinguishes them from
other text, so picking them out is
easy. The book also includes a bibli-
ography of over 1,000 references.
Additionally, each chapter includes a
summary, suggestions for further
reading, research issues, and practice
exercises. The format and layout are
good, and the fonts are readable.
The book is aimed at several audi-
ences, and the preface describes many
roadmaps, one of which discusses de-
pendencies among the various chap-
T his is the debut of our book review department. In this department,
we’ll take a look at books we feel are important to the industry. If
you’d like to review a book, please email Book Reviews editor Marty Stytz
at mstytz@att.net.
■ 1540-7993/03/$17.00 © 2003 IEEE ■ IEEE SECURITY & PRIVACY
ters. Instructors can use it at the ad-
vanced undergraduate level or for in-
troductory graduate-level computer-
security courses. The preface also
includes a mapping of suggested top-
ics for undergraduate and graduate
courses, presuming a certain amount
of math and theoretical computer-
science background as prerequisites.
Practitioners can use the book as a re-
source for information on specific
topics; the examples in the Practicum
are ideally suited for them.
So, what’s the final verdict? Prac-
titioners will want to consider this
book as a reference to add to their
bookshelves. Teachers of advanced
undergraduate or introductory grad-
uate courses in computer security
should consider it as a textbook.
With its extensive definitions, ex-
amples, exercises, and suggested
readings, it makes an educator’s job
much easier—I’ve already found
material that I can use in a report I’m
working on.
Nancy R. Mead is a senior member of the
technical staff and team leader for Sur-
vivable Systems Engineering at the Soft-
ware Engineering Institute, and a faculty
member at Carnegie Mellon University.
She has a PhD in mathematics. Contact
her at nrm@sei.cmu.edu.