Book Reviews

REVIEW: “Debug It: Find, Repair, and Prevent Bugs in Your Code”, Paul Butcher

BKDEBGIT.RVW   20130122

“Debug It: Find, Repair, and Prevent Bugs in Your Code”, Paul Butcher, 2009, U$34.95/C$43.95, 978-1-93435-628-9
%A   Paul Butcher paul@paulbutcher.com
%C   2831 El Dorado Pkwy, #103-381 Frisco, TX 75033
%D   2009
%G   978-1-93435-628-9 1-93435-628-X
%I   Pragmatic Bookshelf
%O   U$34.95/C$43.95 sales@pragmaticprogrammer.com 800-699-7764
%O   http://www.amazon.com/exec/obidos/ASIN/193435628X/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/193435628X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/193435628X/robsladesin03-20
%O   Audience n- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   214 p.
%T   “Debug It: Find, Repair, and Prevent Bugs in Your Code”

The preface states that there are lots of books in the market that teach development and few that teach debugging.  (In my experience, a great many development books include debugging advice, so I’m not sure where the author’s perception comes from.)  The work is structured around a core method for debugging: reproduce, diagnose, fix, and reflect.

Part one presents the basic technique.  Chapter one repeats the description of this core method.  Chapter two encourages the reproduction of the bug.  (This can be more complex than the author lets on.  I have a netbook with some bug in the hibernation function.  Despite constant observation over a period of three and a half years, I’ve yet to find a combination of conditions that reproduces the failure, nor one that prevents it.)  Some of the suggestions given are useful, if pedestrian, while others are pretty pointless.  (Butcher does not address the rather thorny issue of using “real” data for testing.)  In terms of diagnosis, in chapter three, there is limited description of process, but lots of good tips.  The same is true of fixing, in chapter four.  (I most definitely agree with the recommendation to fix underlying causes, rather than effects.)  Reflection, the topic of chapter five, is limited to advice that the problem be considered even after you’ve fixed it.

Part two explores the larger picture.  Chapter six examines bug tracking systems, and eliciting feedback from users and support staff.  Chapter seven advises on trying to address the bugs, but concentrates on “fix early,” with little discussion of priorities or ranking systems.

Part three, entitled “Debug Fu,” turns to related and side issues.  The “Special Cases” in chapter eight seem to be fairly common: software already released, compatibility issues, and “heisenbugs” that disappear when you try to track them.  Chapter nine, on the ideal debugging environment, is about as practical as most such exercises.  “Teach Your Software to Debug Itself” in chapter ten seems confined to a few specific cases.  Chapter eleven notes some common problems in development teams and structures.

The advice in the book is good, and solid, but not surprising to anyone with experience.  Novices who have not considered debugging much will find it useful.

copyright, Robert M. Slade   2013   BKDEBGIT.RVW   20130122

REVIEW: “Intelligent Internal Control and Risk Management”, Matthew Leitch

BKIICARM.RVW   20121210

“Intelligent Internal Control and Risk Management”, Matthew Leitch, 2008, 978-0-566-08799-8, U$144.95
%A   Matthew Leitch
%C   Gower House, Croft Rd, Aldershot, Hampshire, GU11 3HR, England
%D   2008
%G   978-0-566-08799-8 0-566-08799-5
%I   Gower Publishing Limited
%O   U$114.95 www.gowerpub.com
%O   http://www.amazon.com/exec/obidos/ASIN/0566087995/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0566087995/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0566087995/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   253 p.
%T   “Intelligent Internal Control and Risk Management”

The introduction indicates that this book is written from the risk management perspective of the financial services industry, with a concentration on Sarbanes-Oxley, COSO, and related frameworks.  There is an implication that the emphasis is on designing new controls.

Part one, “The Bigger Picture,” provides a history of risk management and internal controls.  Chapter one asks how much improvement is possible through additional controls.  The author’s statement that “[w]hen an auditor, especially an external auditor, recommends an improvement control it is usually with little concern for the cost of implementing or operating that control [or improved value].  The auditor wants to feel ‘covered’ by having recommended something in the face of a risk that exists, at least in theory” is one that is familiar to anyone in the security field.  Leitch goes on to note that there is a disparity between providing real value and revenue assurance, and the intent of this work is increasing the value of business risk controls.  The benefits of trying quality management techniques, as well as those of quantitative risk management, are promoted in chapter two.  Chapter three appears to be a collection of somewhat random thoughts on risk.  Psychological factors in assessing risk, and the fact that controls have to be stark enough to make people aware of upcoming dangers, are discussed in chapter four.

Part two turns to a large set of controls, and examines when to use, and not to use, them.  Chapter five introduces the list, arrangement, and structure.  Controls that generate other controls (frequently management processes) are reviewed in chapter six.  For each control there is a title, example, statement of need, opening thesis, discussion, closing recommendation, and summary relating to other controls.  Most are one to three pages in length.  Audit and monitoring controls are dealt with in chapter seven.  Adaptation is the topic of chapter eight.  (There is a longer lead-in discussion to these controls, since, inherently, they deal with change, to which people, business, and control processes are highly resistant.)  Chapter nine notes issues of protection and reliability.  The corrective controls in chapter ten are conceptually related to those in chapter seven.

Part three looks at change for improvement, rather than just for the sake of change.  Chapter eleven suggests means of promoting good behaviours.  A Risk and Uncertainty Management Assessment (RUMA) tool is presented in chapter twelve, but, frankly, I can’t see that it goes beyond thinking out alternative courses of action.  Barriers to improvement are noted in chapter thirteen.  Roles in the organization, and their relation to risk management, are outlined in chapter fourteen.  Chapter fifteen examines the special needs for innovative projects.  Ways to address restrictive ideology are mentioned in chapter sixteen.  Seven areas that Leitch advises should be explored conclude the book in chapter seventeen.

A number of interesting ideas are presented for consideration in regard to the choice and design of controls.  However, the text is not a guidebook for producing actual control systems.

copyright, Robert M. Slade   2013   BKIICARM.RVW   20121210

REVIEW: “The Tangled Web: A Guide to Securing Modern Web Applications”, Michael Zalewski

BKTNGWEB.RVW   20121207

“The Tangled Web: A Guide to Securing Modern Web Applications”, Michael Zalewski, 2012, 978-1-59327-388-0, U$49.95/C$52.95
%A   Michael Zalewski
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2012
%G   978-1-59327-388-0 1-59327-388-6
%I   No Starch Press
%O   U$49.95/C$52.95 415-863-9900 fax 415-863-9950 info@nostarch.com
%O   http://www.amazon.com/exec/obidos/ASIN/1593273886/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/1593273886/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1593273886/robsladesin03-20
%O   Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   299 p.
%T   “The Tangled Web: A Guide to Securing Modern Web Applications”

In the preface, the author dismisses security experts as academic, ineffectually worried, and unaware of the importance of the Web.  (Zalewski makes reference to a “confused deputy problem” being “regularly” referred to in academic security literature.  I’ve never heard of it.)  He blames them for the current insecure state of Web applications.  I suspect this is a bit unfair, given the “citizen programmer” status of huge numbers of Web projects, and the time and feature pressure this places on the rest.  It is unfortunate that some security specialists have not regarded the Web as significant, but it is critical that most security specialists don’t know how to program, and most programmers don’t care anything about security.

He also says the book is about repentance, and a step towards normalcy.  (Normalcy is not defined.)

Chapter one is an introduction, both to information security, and to Web application development.  Starting off by misattributing one of Gene Spafford’s quotes, the author complains about any and all attempts to structure or define security.  (Rather inconsistently, while he derides taxonomies, he does recommend designing systems so as to deal with “classes” of bugs.  The difference between a class and a taxon is not explained.)

Part one outlines the principal concepts of the Web.  Chapter two starts us off with the URL (Uniform Resource Locator), noting some of the problems with different types of encoding.  From this point in the book, each chapter concludes with a “Security Engineering Cheat Sheet,” listing potential problems, and suggesting broad approaches (without details) to dealing with those issues.  HTTP (the HyperText Transfer Protocol) is the subject of chapter three, primarily concerning the handling of user data.  (Since the author is fond of quotes, I’ll give him one from Tony Buckland, several years before the invention of the Web: “The client interface is the boundary of trustworthiness.”)  Chapters four to eight cover HTML (HyperText Markup Language), CSS (Cascading Style Sheets), browser scripting (concentrating exclusively on JavaScript), non-HTML data (mostly XML), and plug-ins.

Part two turns to browser security features.  Chapter nine talks about isolating content, so that different sites or documents don’t interfere with each other.  Determining where and to whom a page belongs is addressed in chapter ten.  Chapter eleven expands the details of problems caused by allowing disparate documents to interact.  Other security boundaries, such as local storage, networks, ports, and cookies, are reviewed in chapter twelve.  Recognizing content, when the “Content-Type” description may be problematic, is in chapter thirteen.  Chapter fourteen suggests ways to deal with malicious scripts.  Specifically setting or raising permissions is discussed in chapter fifteen.

Part three looks ahead to Web application security issues as they may develop in the future.  New and coming security features are noted in chapters sixteen and seventeen.  Chapter eighteen reviews the all-too-common Web vulnerabilities (such as cross-site scripting and “Referer” leakage).

Absent the complaints about the rest of the security field, this is a decent and technical guide to problems which should be considered for any Web application project.  It’s not a cookbook, but provides solid advice for designers and developers.

copyright, Robert M. Slade   2013   BKTNGWEB.RVW   20121207

REVIEW: “Consent of the Networked”, Rebecca MacKinnon

BKCNSNTW.RVW   20121205

“Consent of the Networked”, Rebecca MacKinnon, 2012, 978-0-465-02442-1, U$26.99/C$30.00
%A   Rebecca MacKinnon
%C   387 Park Ave. South, New York, NY   10016-8810
%D   2012
%G   978-0-465-02442-1 0-465-02442-1
%I   Basic Books
%O   U$26.99/C$30.00 special.markets@perseusbooks.com
%O   http://www.amazon.com/exec/obidos/ASIN/0465024421/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0465024421/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0465024421/robsladesin03-20
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   294 p.
%T   “Consent of the Networked: The Worldwide Struggle for Internet Freedom”

In neither the preface nor the introduction is there a clear statement of the intent of this work.  The closest comes buried towards the end of the introduction, in a sentence which states “This book is about the new realities of power, freedom, and control in the Internet Age.”  Alongside other assertions in the opening segments, one can surmise that MacKinnon is trying to point out the complexities of the use, by countries or corporations, of technologies which enhance either democracy or control, and the desirability of a vague concept which she refers to as “Internet Freedom.”

Readers may think I am opposed to the author’s ideas.  That is not the case.  However, it is very difficult to critique a text, and suggest whether it is good or bad, when there is no clear statement of intent, thesis, or terminology.

Part one is entitled “Disruptions.”  Chapter one outlines a number of stories dealing with nations or companies promising freedom, but actually censoring or taking data without informing citizens or users.  The “digital commons,” conceptually akin to open source but somewhat more nebulous (the author does, in fact, confuse open source and open systems), is promoted in chapter two.

Part two turns more directly to issues of control.  Chapter three concentrates on factors the Republic of China uses to strengthen state censorship.  Variations on this theme are mentioned in chapter four.

Part three examines challenges to democracy.  Chapter five lists recent US laws and decisions related to surveillance and repression of speech.  The tricky issue of making a distinction between repression of offensive speech on the one hand, and censorship on the other, is discussed in chapter six.  The argument made about strengthening censorship by taking actions against intellectual property infringement, in chapter seven, is weak, particularly in light of more recent events.

Part four emphasizes the role that corporations play in aiding national censorship and surveillance activities.  Chapter eight starts with some instances of corporations aiding censorship, but devolves into a review of companies opposed to “network neutrality.”  Similarly, chapter nine notes corporations aiding surveillance.  Facebook and Google are big, states chapter ten, but the evil done in stories given does not inherently relate to size.

Part five asks what is to be done.  Trust but verify, says (ironically) chapter eleven: hold companies accountable.  MacKinnon mentions that this may be difficult.  Chapter twelve asks for an Internet Freedom Policy, but, since the author admits the term can have multiple meanings, the discussion is fuzzy.  Global Information Governance is a topic that makes chapter thirteen apposite in terms of the current ITU (International Telecommunications Union) summit, but the focus in the book is on the ICANN (Internet Committee on Assigned Names and Numbers) top level domain sale scandals.  The concluding chapter fourteen, on building a netizen-centric Internet, is not just fuzzy, but full of warm fuzzies.

There are a great many interesting news reports, stories, and anecdotes in the book.  There is a great deal of passion, but not much structure.  This can make it difficult to follow topical threads.  This book really adds very little to the debates on these topics.

copyright, Robert M. Slade   2013   BKCNSNTW.RVW   20121205