Computing Reviews
Beautiful security
Oram A. (ed), Viega J. (ed), O’Reilly Media, Inc., Sebastopol, CA, 2009. 300 pp. Type: Book (9780596527488)
Date Reviewed: Sep 30 2009

This book hopes to change the common view that security research is boring: “It will show that security is about the most exciting career you can have. It is not tedious, not bureaucratic, and not constraining.” With contributions from industry luminaries such as Mark Curphey, Randy Sabett, and Anton Chuvakin, it almost pulls it off.

The book's 16 chapters, each by a different author, are only loosely connected. Topics range from log file analysis to ad click-fraud detection to the security outlook for cloud computing and social networks. While this potpourri of security topics may seem a bit cluttered, the editors do a good job of piecing it together into an engaging read.

In chapter 1, Peiter Zatko shows security professionals another way to approach the developers whose code or systems they must assess. Taking a psychological perspective, he examines the external pressures and constraints placed on implementers that let weak security into a system. In chapter 2, Jim Stickley looks at social engineering attacks on wireless networking, describing how he demonstrated the weakness by setting up a rogue access point in a public place and capturing personal details from the users who trusted it. Chapter 3, by Elizabeth Nichols, takes on one of the harder general problems in security: defining useful security metrics. Drawing a contrast with medicine, Nichols shows how the industry's inability to agree on, and stick to, a set of metrics makes it harder to quantify breaches and the actions they warrant. In chapter 4, Chenxi Wang examines the workings of the underground economy for malware and viruses, including the trade in information stolen with these tools. This is a very important line of research in an era when security threats are so intertwined with economic incentives.

Chapter 5, by Ed Bellis, looks at the security measures used in the credit card and e-commerce industries to protect online transactions. Bellis proposes a new model for credit transactions to counter the weaknesses of the existing system. Online advertising and its associated scams are covered in the next chapter, by Benjamin Edelman. Chapter 7, by Phil Zimmermann and Jon Callas, looks at the evolution of the Pretty Good Privacy (PGP) program's web of trust, one of the most influential aspects of PGP. The web of trust has changed considerably over the years, and this chapter explains the reasoning behind the trust model and how it has been refined to make it more robust. Chapter 8 looks at honeyclients--“systems that drive a piece of potentially vulnerable client software, such as a Web browser, to potentially malicious Web sites, and then monitor system behavior for indicators of compromise.” The author, Kathy Wang, explains how the system works, the lessons learned from operating it, and the analysis of the results gathered from the clients.

In chapter 9, one of the best chapters in this collection, Mark Curphey looks at the security potential of exciting new technologies such as cloud computing, business process tooling, and social networking. This is the only chapter that brings out the beauty and excitement of working in security. In chapter 10, John McManus criticizes the quick-and-dirty approach to system security that is currently practiced and makes the case for a more rounded view of system design. Chapter 11, by Jim Routh, looks at how a firm can manage the security of the software it produces, as well as of the third-party software it uses. Chapter 12, by Randy Sabett, entertainingly tackles how to do the right thing from a legal standpoint while reducing exposure to liability. Chapter 13, by Anton Chuvakin, looks at the usefulness of logs for investigative and regulatory purposes, and the challenges of analyzing them. In chapter 14, Grant Geyer and Brian Dunphy continue the logging theme, using host logs to reconstruct the details of security incidents. In chapter 15, Peter Wayner presents work that uses one-way hash functions to anonymize database records so that they can still be analyzed without exposing the underlying data. The book ends with Michael Wood and Fernando Francisco's chapter on the use of artificial intelligence (AI) and machine learning to manage virtual and persistent systems in order to improve their security.
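The hash-based anonymization summarized for chapter 15 comes with a caveat any practitioner would want spelled out: a plain hash of a low-entropy identifier (account numbers, phone numbers, ZIP codes) is reversible by simply hashing every possible input. The following added example is my own illustration, not code from the book or from Wayner's chapter; it pseudonymizes a direct identifier with a keyed HMAC (my choice of construction) so that aggregation and joins still work, and then shows a dictionary attack succeeding against an unkeyed hash and failing against the keyed token. The records, the account-number format, and the key are constructed for the demonstration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample rows (not real data): account number, ZIP code, purchase amount.
RECORDS = [
    {"account": "A04217", "zip": "94107", "amount": 40.0},
    {"account": "A91830", "zip": "94107", "amount": 25.0},
    {"account": "A04217", "zip": "94107", "amount": 15.0},
    {"account": "A55012", "zip": "10001", "amount": 60.0},
]

# Hypothetical secret held by the data owner and never stored with the anonymized table.
SECRET_KEY = b"example-key-kept-by-the-data-owner"


def pseudonymize(value: str, key: bytes = SECRET_KEY) -> str:
    """Keyed one-way token (HMAC-SHA256, truncated for readability).

    Same input -> same token, so GROUP BY and joins across tables still work;
    without the key an attacker cannot recompute tokens from guessed inputs.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of the identifier: the weak variant, included for contrast."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def anonymize_table(records, key: bytes = SECRET_KEY):
    """Replace the direct identifier with its token; analytic columns are left intact."""
    return [
        {"token": pseudonymize(r["account"], key), "zip": r["zip"], "amount": r["amount"]}
        for r in records
    ]


def spend_per_customer(table):
    """An analysis that still works on the anonymized rows: total spend per token."""
    totals = Counter()
    for row in table:
        totals[row["token"]] += row["amount"]
    return dict(totals)


def candidate_accounts():
    """The attacker's dictionary: every value in the (small) account-number space."""
    return [f"A{i:05d}" for i in range(100000)]


def dictionary_attack(target_token: str, candidates, token_fn):
    """Recover the identifier by hashing each candidate with the function the
    attacker can compute. Returns the match, or None if the space does not yield one."""
    for c in candidates:
        if token_fn(c) == target_token:
            return c
    return None


if __name__ == "__main__":
    table = anonymize_table(RECORDS)
    print(spend_per_customer(table))
    space = candidate_accounts()
    # Unkeyed hash of a six-character account number falls in well under a second.
    print("naive hash recovered:", dictionary_attack(naive_hash("A04217"), space, naive_hash))
    # The keyed token does not match any unkeyed guess; the key, not the hash, carries the secrecy.
    print("keyed token recovered:", dictionary_attack(pseudonymize("A04217"), space, naive_hash))
```

The key must be managed like any other secret: whoever holds it can re-identify every token, so it belongs with the data owner, not in the analysis environment that receives the anonymized table. Per-dataset keys also prevent tokens from being linked across unrelated releases.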

Although it fails to convince readers that security is “the most exciting career you can have,” this is not a bad book. If nothing else, it provides a good overview of the exciting work being done in various fields of information and system security.

Reviewer: Srijith Nair. Review #: CR137330 (1007-0653)
Data Encryption (E.3)
Hardware/Software Protection (K.5.1)
