Paul C. van Oorschot is a master who has made many diverse contributions to computer system security (very much including systems connected by the Internet), from applied cryptography to system usability. This range is a strength of the book: while it is obvious that a usable system that is cryptographically insecure is bad, a system that is cryptographically secure but too hard to use is equally bad and will lead to well-known disasters like passwords on Post-its. As the author asks early on: what use is password strength and changing policy that saves $1000/month if it costs $2500/month in help desk time?

A particular strength here is the use of physical analogies to illustrate key ideas, for example, a hotel room safe (is the threat a thief or the staff?). There is no cookbook for building secure systems, not least because the threat model varies (a topic discussed early on) and is part of the definition of “secure.” However, Section 1.7 has a very useful list of 20 design principles. This is marked as “readers may omit on first reading.” It’s actually quite hard to read at first if you are new to the field, but if I were teaching out of this book, I would use it as an end-of-course summary, as well as a checklist for designs.

The book is extremely pragmatic, listing problems, solutions, and (when appropriate) why those solutions aren’t working, or at least aren’t working as well as one would like. This is a perennial problem in security: old issues that “everyone knows to avoid” keep cropping up, with SQL injection as the poster child. Here I think the author could have gone further and pointed out the major issue: new developers are not taught the things “everyone knows” (see [1] for an analysis of the lack of SQL injection coverage in major textbooks).

Chapter 2, “Cryptographic Building Blocks,” steers an excellent middle course between detail and “magic.” It’s almost identical to the corresponding section in my own lectures, with the only difference being that I talk here about specialist hash functions for password protection. The author mentions it in chapter 3, but there is no cross-reference.

Chapter 3, on user authentication, is again very pragmatic. The author’s discussion of biometrics is more balanced than much of the hype one typically sees: “the security of biometrics is often overstated.” This is certainly true. I usually quote [2], which explains that a “fingerprint” reader is actually a “lots-of-small-bits-of-fingerprints” reader.

Chapter 8 on public key infrastructure (PKI) and certificates is good, and goes deeper than I do in my lectures. This will be further reading for my students.

Chapter 9, “Web and Browser Security,” assumes some prior knowledge. The author has gone for a six-page whistle-stop-tour approach, without many references. This is a valid approach, but instructors using this text will have to find appropriate sources to fill the gaps.

Is this book complete? No. Is there a part I would cut to make room for something else? Not really, though I might change the emphasis. Will I recommend it to my students? Yes.