My apologies to everyone I was supposed to follow up with in January - I've been writing a textbook. I'll get back to you late February/early March; I'm locking down and getting this done so we can address the systemic roots of this ridiculous cyber security problem we have all found ourselves in.
The book is called:
A secure by design, secure by default perspective for technical and business stakeholders alike.
The textbook is 120 pages of expansion on a coding style guide I have maintained for over 20 years and which I hand to every engineer I manage. The previous version was about 25 pages, so this edition is a bit of a jump!
Secure-by-design, secure-by-default software engineering. The handbook.
It covers the entirety of software engineering at a very high level, but has intricate details of information security baked into it, including how and why things should be done a certain way to avoid building insecure technology that is vulnerable to attack. Not just tactical things, like avoiding 50% of buffer overruns or most SQL injection attacks (and leaving the rest of the input validation attacks unaddressed). This textbook redefines the entire process of software engineering, from start to finish, with security in mind from page 1 to page 120.
Safe coding and secure programming are not enough to save the world. We need to start building technology according to a secure-by-design, secure-by-default software engineering approach, and the world needs a good reference manual on what that is.
This forthcoming textbook is it.
Latest Excerpts
(DOI: 10.13140/RG.2.2.23515.03368)
The elements of authenticity & authentication (DOI: 10.13140/RG.2.2.12609.84321)
(DOI: 10.13140/RG.2.2.11228.67207/1)
(DOI: 10.13140/RG.2.2.23428.50561)
Audience
I'm trying to write it so its processes and methodologies:
- can be baked into a firm by CXOs using strategic management principles; or
- embraced directly by engineers and their team leaders without the CEO's shiny teeth and meddlesome hands getting involved.
Writing about very technical matters for both audiences is hard and time consuming, but I think I'm getting the hang of it!
Abstract from the cover page
The foreword/abstract from the first page of the text reads as follows:
"The audience of this textbook is engineering based, degree qualified computer science professionals looking to perfect their art and standardise their methodologies and the business stakeholders that manage them. This book is not a guide from which to learn software engineering, but rather, offers best practices canonical guidance to existing software engineers and computer scientists on how to exercise their expertise and training with integrity, class and style. This text covers a vast array of topics at a very high level, from coding & ethical standards, to machine learning, software engineering and most importantly information security best practices.
It also provides basic MBA-level introductory material relating to business matters, such as line, traffic & strategic management, as well as advice on how to handle estimation, financial statements, budgeting, forecasting, cost recovery and GRC assessments.
Should a reader find any of the topics in this text of interest, they are encouraged to investigate them further by consulting the relevant literature. References have been carefully curated, and specific sections are cited where possible."
The book is looking pretty good: it is thus far what it is advertised to be.
Helping out and donating
The following link will take you to a LinkedIn article in which I am publishing various pre-print extracts (some are also published above).
If you are in the field of computer science or software engineering, you might be able to help by providing some peer-review. If not, there is a link to an Amazon booklist through which you can also contribute to this piece of work by donating a book or two.
And feel free just to take a look and see where we're going and what's being done to ensure that moving forward, we stop engineering such terribly insecure software. Any support to that end would be most appreciated.
Edited 22-Mar-23: added usability testing proof
Edited 22-Mar-23: added Pillars of Cybersecurity