Matt Bishop has published a new version of his magisterial text _Computer Security: Art and Science_, which was originally published in 2002.
Bishop is the equivalent of a rock star in the world of information assurance education. Professor in the Department of Computer Science at the University of California in Davis, he has contributed immensely to the field since the late 1970s and his early years at Purdue University, where he received his PhD in 1984. He’s a wonderful speaker - I’ve had the pleasure of hearing him several times over the years - and I’m sure his students must be thrilled to be in his courses.
As he explains in his introduction to the new _Introduction to Computer Security_, his earlier text is intended for students (and anyone else) interested in the mathematical foundations of information assurance. However, he writes, the new book “is suited for computer security professionals, students, and prospective readers who have a less formal mathematical background, or who are not interested in the mathematical formalisms and would only be distracted by them, or for courses with a more practical than theoretical focus.”
He adds, “some students learn best by an informal description of the subject. What is the intuition underlying the ideas and principles of the field? How does the practitioner apply these to improve the state-of-the-art? For these students, this version of the book is more appropriate.”
According to his preface, Bishop has three goals for his new text:
* To show the interrelations between practice and theory - in both directions.
* To distinguish between computer security and cryptography (he points out that cryptography is a set of tools to support information assurance but not a panacea).
* “To demonstrate that computer security is not just a science but also an art” - by which he means that security can never be designed or implemented as a theoretical construct divorced from external reality. “Just as an artist paints his view of the world onto canvas,” he writes, “so does the designer of security features articulate his view of the world of human/machine interaction in the security policy and mechanisms of the system. Two designers may use entirely different designs to achieve the same creation, just as two artists may use different subjects to achieve the same concept.”
Depending on a professor’s needs, the new text can easily be used for a one- or two-semester course of study of information assurance. Each of the 29 chapters includes interesting problems for students. For example, Chapter 1 includes “Argue for or against the following proposition. Ciphers that the government cannot cryptanalyze should be outlawed. How would your argument change if such ciphers could be used provided that the users registered the keys with the government?” Chapter 18 includes, “Map the assurance requirements of the TCSEC [the _Trusted Computer Systems Evaluation Criteria_ or “Orange Book”]… to the assurance requirements of the CC [the Common Criteria].”
The text also has supplements available online, including PowerPoint slides for every chapter, an instructor’s guide (due by the end of December) and information on an answer key for selected exercises.
I think that computer and network security practitioners will find the text a fine addition to their library.
Well done, Matt!