John Viega, Andy Oram, Anton Chuvakin - Beautiful Security
Beautiful Security is a very interesting book. It is far more than a collection of essays about information security. Besides the success story of OWASP, the Open Web Application Security Project, it tells various other stories that significantly influenced the evolution of what we today call "information security". Beautiful Security aims to nudge the reader into creative thinking. To that end it offers ideas like a fully encrypted database, which clearly helps when a hacker steals your data: since absolutely everything in such a database is encrypted, the heist is useless unless the thief also manages to get hold of the encryption key and decipher the stolen data. That only holds, of course, if the key is stored and guarded separately from the data it protects. I already mentioned this approach in another post.
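As an added illustration of the fully encrypted database idea (example code written for this review, not code from the book or from any product it describes): every cell is sealed with AES-256-GCM by the application before it is stored, the associated data ties each ciphertext to its row and column, and a copy of the stored bytes contains no plaintext. The in-memory table, the `u1` row, the demo key bytes and the helper names are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedDB is a constructed stand-in for a table in which every cell is encrypted
// by the application before it is written. Only the row id and column name are stored
// in the clear (they are needed to find a cell); the key is held by the application
// (in production: a KMS or HSM), never by the database itself.
type EncryptedDB struct {
	aead cipher.AEAD
	rows map[string]map[string][]byte // id -> column -> nonce || ciphertext || tag
}

// NewEncryptedDB expects a 32-byte key (AES-256-GCM).
func NewEncryptedDB(key []byte) (*EncryptedDB, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EncryptedDB{aead: aead, rows: map[string]map[string][]byte{}}, nil
}

// Put seals one cell under a fresh random nonce. The associated data binds the
// ciphertext to its row and column, so someone with write access to the database
// cannot copy a valid cell into another user's row or into another column.
func (db *EncryptedDB) Put(id, column, value string) error {
	nonce := make([]byte, db.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	if db.rows[id] == nil {
		db.rows[id] = map[string][]byte{}
	}
	db.rows[id][column] = db.aead.Seal(nonce, nonce, []byte(value), []byte(id+"/"+column))
	return nil
}

// Get reverses Put; a wrong key, a moved cell or a flipped byte all fail the tag check.
func (db *EncryptedDB) Get(id, column string) (string, error) {
	blob, ok := db.rows[id][column]
	if !ok {
		return "", errors.New("no such cell")
	}
	n := db.aead.NonceSize()
	if len(blob) < n+db.aead.Overhead() {
		return "", errors.New("stored cell too short to be valid")
	}
	pt, err := db.aead.Open(nil, blob[:n], blob[n:], []byte(id+"/"+column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Dump returns the raw bytes a thief obtains by copying the whole table.
func (db *EncryptedDB) Dump() []byte {
	var out []byte
	for id, row := range db.rows {
		out = append(out, id...)
		for column, blob := range row {
			out = append(append(out, column...), blob...)
		}
	}
	return out
}

// DumpLeaks reports whether any of the plaintexts appear verbatim in a dump.
func DumpLeaks(dump []byte, plaintexts ...string) bool {
	for _, p := range plaintexts {
		if bytes.Contains(dump, []byte(p)) {
			return true
		}
	}
	return false
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; never hard-code one in practice
	db, _ := NewEncryptedDB(key)
	_ = db.Put("u1", "email", "alice@example.com")
	_ = db.Put("u1", "secret", "hunter2")
	fmt.Println("dump leaks plaintext:", DumpLeaks(db.Dump(), "alice@example.com", "hunter2"))
	thief, _ := NewEncryptedDB(bytes.Repeat([]byte{0x13}, 32)) // same stored bytes, guessed key
	thief.rows = db.rows
	_, err := thief.Get("u1", "email")
	fmt.Println("thief decrypting with a guessed key:", err)
}
```

The row id and column names stay searchable, which is the usual trade-off: encrypted cells cannot be queried by value without a separate blind index, and the key must come from somewhere the database server itself cannot read.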
It was the first time within this book that I read the history of PGP, aka Pretty Good Privacy. I must admit that I have been using this software for years but never cared about its past. The author explains in great detail the differences between a web of trust and a strictly hierarchical structure like that of certification authorities, as well as the ups and downs of PGP's popularity.
In another chapter the problems with ad networks are discussed in great detail. This essay comes in very handy when you need to explain to a non-technical person what can happen with a hijacked advertising network and why an ad blocker is a useful browser extension. However, the author does not offer a real solution to the problems, for example the distribution of malware via such networks by malicious ad providers.
By the way, malware: another chapter discusses how to safely analyze such code using honeypots. You can follow this discussion step by step as a manual for setting up your own honeypots from scratch. The essay ends with a short outlook on the honey browser project. Seriously, a very good approach and a thought-provoking step that every reader should take and adapt to her own situation and company.
And of course this book would not be complete without a chapter on metrics. The approach taken by the author reminds the reader of medical metrics: she suggests collecting a set of vital signs for your systems so that you can tell when they are starting to misbehave. Clearly, implementing such a program not only requires a deep understanding of the environment you work in, but also convincing management that they really need to understand the numbers shown to them as vital signs. Having tried this approach several times, I can say it is hard work, but it pays off in ways you cannot imagine. You can easily communicate with managers once they understand their IT landscape as a living, breathing organism; that IT security is a process which evolves with this organism as it grows up somehow becomes easy to grasp. :)
To conclude, I highly recommend this book. It is a true classic. If you get asked how to get started in information security, or what you actually do at work, this book provides the reader with answers and ideas. However, times have changed and so have the main topics in IT security. I am curious to see a new edition of this book with slightly different topics, like application-aware SIEMs and so on.
Cheers!