The Unix Heritage Society mailing list
* [TUHS] Off topic: Books on Unix security?
From: Aharon Robbins @ 2025-05-02 12:21 UTC
  To: tuhs

Hi All.

In a book I'm updating, I have the following references for
Unix security.

1. Practical UNIX & Internet Security, 3rd edition, by Simson Garfinkel,
Gene Spafford, and Alan Schwartz, O’Reilly & Associates, Sebastopol,
CA, USA, 2003. ISBN-10: 0-596-00323-4, ISBN-13: 978-0596003234.

2. Building Secure Software: How to Avoid Security Problems the Right Way,
by John Viega and Gary McGraw. Addison-Wesley, Reading, Massachusetts,
USA, 2001. ISBN-10: 0-201-72152-X, ISBN-13: 978-0201721522.

3. “Setuid Demystified,” by Hao Chen, David Wagner, and Drew
Dean. Proceedings of the 11th USENIX Security Symposium, August 5–9,
2002. http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf.

One of my reviewers asked if these weren't "dusty references".
So, before I just refer to them as "classics", can anyone recommend
more recent books?  Feel free to answer in private.

Thanks,

Arnold

* [TUHS] Re: Off topic: Books on Unix security?
From: Kevin Bowling @ 2025-05-04  3:53 UTC
  To: Aharon Robbins; +Cc: tuhs

On Fri, May 2, 2025 at 5:21 AM Aharon Robbins <arnold@skeeve.com> wrote:

> Hi All.
>
> In a book I'm updating, I have the following references for
> Unix security.
>
> 1. Practical UNIX & Internet Security, 3rd edition, by Simson Garfinkel,
> Gene Spafford, and Alan Schwartz, O’Reilly & Associates, Sebastopol,
> CA, USA, 2003. ISBN-10: 0-596-00323-4, ISBN-13: 978-0596003234.
>
> 2. Building Secure Software: How to Avoid Security Problems the Right Way,
> by John Viega and Gary McGraw. Addison-Wesley, Reading, Massachusetts,
> USA, 2001. ISBN-10: 0-201-72152-X, ISBN-13: 978-0201721522.
>
> 3. “Setuid Demystified,” by Hao Chen, David Wagner, and Drew
> Dean. Proceedings of the 11th USENIX Security Symposium, August 5–9,
> 2002. http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf.
>
> One of my reviewers asked if these weren't "dusty references".
> So, before I just refer to them as "classics", can anyone recommend
> more recent books?  Feel free to answer in private.
>

I’d have to rummage around for a definitive answer but I think things have
fractured a bit and OS level security is either a chapter or section in
academic or professional books.  That is mostly survey or long standing
information, the edge is all in open source code and/or
papers/presentations.

There are several recent cryptography books aimed at a more practitioner
level I can recommend if that is relevant to your quest.

The main book that comes to mind 0321822137 is a C and C++ security survey
that is worthwhile but not OS specific.

I’d also like to know your title so I can add it to my collection when it
is ready!


> Thanks,
>
> Arnold
>


* [TUHS] Re: Off topic: Books on Unix security?
From: Rich Salz @ 2025-05-04 12:05 UTC
  To: Kevin Bowling; +Cc: tuhs

The Bellovin and Cheswick book(s) although it's more about network security
and firewalls.
The OWASP guides.
Practical UNIX and Internet security Book by Simson Garfinkel


* [TUHS] Re: Off topic: Books on Unix security?
From: Rik Farrow @ 2025-05-04 18:01 UTC
  To: Rich Salz; +Cc: tuhs

Paul van Oorschot's Tools and Jewels:

https://people.scs.carleton.ca/~paulv/toolsjewels.html

This was designed as a textbook for security, and includes very good
coverage of cryptography.

Rik

On Sun, May 4, 2025 at 5:06 AM Rich Salz <rich.salz@gmail.com> wrote:

> The Bellovin and Cheswick book(s) although it's more about network
> security and firewalls.
> The OWASP guides.
> Practical UNIX and Internet security Book by Simson Garfinkel
>
>


* [TUHS] Re: Off topic: Books on Unix security?
From: arnold @ 2025-05-06 15:01 UTC
  To: tuhs, arnold

Thanks to everyone who responded.  Besides the original three in
my quoted email, here are the additional ones I was recommended
and have added to the list in my book.

Some were recommended by more than one person. In any case,
thank you all!

4. Secure Coding in C and C++, 2nd Edition, by Robert Seacord. ISBN-10:
0321822137, ISBN-13: 978-0321822130, Addison-Wesley Professional, Reading,
Massachusetts, USA, 2013.

5. Secure Coding: Principles and Practices, by Mark G. Graff,
Kenneth R. Van Wyk, and Debby Russell. ISBN-10: 0596002424, ISBN-13:
978-0596002428. O’Reilly Media, Inc., USA, 2003.

6. Writing Secure Code, 2nd Edition, by Michael Howard and David
LeBlanc. ISBN-10: 0735617228, ISBN-13: 978-0735617223. Microsoft Press,
USA, 2003.

7. Computer Security and the Internet—Tools and Jewels from
Malware to Bitcoin, 2nd Edition, by Paul C. van Oorschot. ISBN-13:
978-3-030-83410-4. Springer Nature Switzerland AG, 2021.

8. Thinking Security: Stopping Next Year’s Hackers by Steven
M. Bellovin. ISBN-10: 0134277546, ISBN-13: 978-0134277547. Addison-Wesley
Professional, Reading, Massachusetts, USA, 2015.

9. Security Engineering: A Guide to Building Dependable Distributed
Systems, 3rd Edition, by Ross Anderson. ISBN-10: 1119642787, ISBN-13:
978-1119642787. Wiley, USA, 2020.

10. Designing Secure Software: A Guide for Developers, by Loren
Kohnfelder. ISBN-10: 1718501927, ISBN-13: 978-1718501928. No Starch Press,
USA, 2021.

11. Building Secure and Reliable Systems: Best Practices for
Designing, Implementing, and Maintaining Systems, by Heather Adkins,
Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea, and Adam
Stubblefield. ISBN-10: 1492083127, ISBN-13: 978-1492083122. O’Reilly
Media, USA, 2020.

12. Secure By Design, by Daniel Deogun, Dan Bergh Johnsson, and Daniel
Sawano. ISBN-10: 1617294357, ISBN-13: 978-1617294358. Manning, USA, 2019.


Aharon Robbins <arnold@skeeve.com> wrote:

> Hi All.
>
> In a book I'm updating, I have the following references for
> Unix security.
>
> 1. Practical UNIX & Internet Security, 3rd edition, by Simson Garfinkel,
> Gene Spafford, and Alan Schwartz, O’Reilly & Associates, Sebastopol,
> CA, USA, 2003. ISBN-10: 0-596-00323-4, ISBN-13: 978-0596003234.
>
> 2. Building Secure Software: How to Avoid Security Problems the Right Way,
> by John Viega and Gary McGraw. Addison-Wesley, Reading, Massachusetts,
> USA, 2001. ISBN-10: 0-201-72152-X, ISBN-13: 978-0201721522.
>
> 3. “Setuid Demystified,” by Hao Chen, David Wagner, and Drew
> Dean. Proceedings of the 11th USENIX Security Symposium, August 5–9,
> 2002. http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf.
>
> One of my reviewers asked if these weren't "dusty references".
> So, before I just refer to them as "classics", can anyone recommend
> more recent books?  Feel free to answer in private.
>
> Thanks,
>
> Arnold

* [TUHS] Re: Off topic: Books on Unix security?
From: Grant Taylor via TUHS @ 2025-05-09  3:32 UTC
  To: tuhs

On 5/2/25 7:21 AM, Aharon Robbins wrote:
> 1. Practical UNIX & Internet Security, 3rd edition, by Simson 
> Garfinkel, Gene Spafford, and Alan Schwartz, O’Reilly & Associates, 
> Sebastopol, CA, USA, 2003. ISBN-10: 0-596-00323-4, ISBN-13: 
> 978-0596003234.
...
> One of my reviewers asked if these weren't "dusty references".  So, 
> before I just refer to them as "classics", can anyone recommend more 
> recent books?  Feel free to answer in private.

Having read (most of) Practical UNIX & Internet Security, 3rd edition, 
and other similar texts...

I've come to the realization that we as an industry haven't really moved 
beyond all of the problems taught to us in the '90s.  It's really 
amazing to me how much of the advice given in those "classic" tombs is 
still as germane today as it was 30 years ago.

Sure, some things have fallen off the bottom.  But mostly, we've just 
added things on top.

Fundamentals may get old, but they usually don't become wrong.



-- 
Grant. . . .

* [TUHS] Re: Off topic: Books on Unix security?
From: arnold @ 2025-05-09  6:19 UTC
  To: tuhs, gtaylor

Hi.

Grant Taylor via TUHS <tuhs@tuhs.org> wrote:

> Having read (most of) Practical UNIX & Internet Security, 3rd edition, 
> and other similar texts...
>
> I've come to the realization that we as an industry haven't really moved 
> beyond all of the problems taught to us in the '90s.

Sad, but true.

> It's really 
> amazing to me how much of the advice given in those "classic" tombs is 

Um, "tomes" is what I think you meant. :-)

> still as germane today as it was 30 years ago.
>
> Sure, some things have fallen off the bottom.  But mostly, we've just 
> added things on top.
>
> Fundamentals may get old, but they usually don't become wrong.

This last statement is exactly right. And in fact, it is my book on the
fundamental *nix APIs that I'm updating....

Feel free to ping me privately if you want more info.

Much thanks,

Arnold

P.S. Can I quote your statement?

* [TUHS] Off topic: Books on Unix security?
From: Norman Wilson @ 2025-05-04 12:46 UTC
  To: tuhs

Aharon Robbins:

  So, before I just refer to them as "classics", can anyone recommend
  more recent books?  Feel free to answer in private.

===

`Unix security' is not the most-specific of terms.  Can
you give more context?

Norman Wilson
Toronto ON
