
The Myths of Security: What the Computer Security Industry Doesn't Want You to Know [Paperback]

John Viega
4.5 out of 5 stars  See all reviews (2 customer reviews)
List Price: CDN$ 37.99
Price: CDN$ 18.80 & FREE Shipping on orders over CDN$ 25. Details
You Save: CDN$ 19.19 (51%)


| Format | Amazon Price |
|---|---|
| Kindle Edition | CDN$ 14.68 |
| Paperback | CDN$ 18.80 |

Book Description

Published June 29 2009. ISBN-10: 0596523025. ISBN-13: 978-0596523022. Edition: 1.

If you think computer security has improved in recent years, The Myths of Security will shake you out of your complacency. Longtime security professional John Viega, formerly Chief Security Architect at McAfee, reports on the sorry state of the industry, and offers concrete suggestions for professionals and individuals confronting the issue.

Why is security so bad? With many more people online than just a few years ago, there are more attackers -- and they're truly motivated. Attacks are sophisticated, subtle, and harder to detect than ever. But, as Viega notes, few people take the time to understand the situation and protect themselves accordingly. This book tells you:

  • Why it's easier for bad guys to "own" your computer than you think
  • Why anti-virus software doesn't work well -- and one simple way to fix it
  • Whether Apple OS X is more secure than Windows
  • What Windows needs to do better
  • How to make strong authentication pervasive
  • Why patch management is so bad
  • Whether there's anything you can do about identity theft
  • Five easy steps for fixing application security, and more

Provocative, insightful, and always controversial, The Myths of Security not only addresses IT professionals who deal with security issues, but also speaks to Mac and PC users who spend time online.

About the Author

John Viega is CTO of the Software-as-a-Service Business Unit at McAfee, and was previously Vice President, Chief Security Architect at McAfee. He is an active advisor to several security companies, including Fortify and Bit9, and is the author of a number of security books, including Network Security with OpenSSL (O'Reilly) and Building Secure Software (Addison-Wesley).

John is responsible for numerous software security tools and is the original author of Mailman, the popular mailing list manager. He has done extensive standards work in the IEEE and IETF, and co-invented GCM, a cryptographic algorithm that NIST (US Department of Commerce) has standardized. He holds a B.A. and M.S. from the University of Virginia.


Customer Reviews

Most helpful customer reviews
4.0 out of 5 stars An Insider View of The Security Industry July 26 2009
This 232-page book contains 48 short chapters. It is easy to read even if you are not technically savvy but you will get a lot more out of this book if you are actively participating within the security industry.

Mr. Viega provides the current state of many security issues and topics from his point of view. He certainly has interesting ideas and bold comments on the topics he covers. He also offers some practical advice in some chapters.

I recommend this informative and fun book to anyone interested in reading a collection of short discussions on some security topics written by someone working within the security industry.
The author has an interesting insider view which escapes most of us and allows him to shed some light on a ubiquitous and pervasive industry which few truly understand. Essentially, he posits the information security product industry is broken and that few are actually trying to fix it. Most of the arguments he forwards are from the "usability and impact" perspective rather than "effectiveness of the related control". As a result, Mr. Viega makes some statements that make me cringe, specifically with respect to host based security measures. Being an information security consultant, I, of course, disagree with him on many topics; although his arguments are well thought out and explained (just, apparently, not convincing enough for me).

This book has the challenge of attempting to reach a wide audience and, as such, at times becomes either too light on topics requiring heavy discussion or too in depth in areas which I thought might have needed a high level overview. Again, I consider my background to influence my interest and retention on these topics and clearly Mr. Viega knows his stuff. At times I found myself looking for more on a specific topic on an idea (Privacy perhaps?) or skipping ten pages on something which wasn't particularly interesting to me. But these are perils of the industry and I can't fault the author for that.

For the most part, I believe the target audience is the computer consumer home hobbyist more than the professional or enterprise concerned. That's not to say that the security professionals won't gain knowledge by reading this book, but rather it's written at a level that anyone with an interest can read. Actually, if you're a budding entrepreneur, Mr.
Most Helpful Customer Reviews on (beta): 3.9 out of 5 stars, 33 reviews
28 of 31 people found the following review helpful
3.0 out of 5 stars Since consumers don't care about security, why write a book like this for them? Aug. 13 2009
By Richard Bejtlich - Published on
Let me start by saying I usually like John Viega's books. I rated Building Secure Software 5 stars back in 2005 and 19 Deadly Sins of Software Security 4 stars in 2006. However, I must not be the target audience for this book, and I can't imagine who really would be. The book mainly addresses consumer concerns and largely avoids the enterprise. However, if most consumers think "antivirus" when they think "security," why would they bother reading The Myths of Security (TMOS)?

TMOS is strongest when Viega talks about the antivirus (or antimalware, or endpoint protection, or whatever host-centric security mechanism you choose) industry. I didn't find anything to be particularly "myth-shattering," however. I have to agree with two of the previous reviewers. Many of the "chapters" in this book could be blog posts. The longer chapters could be longer blog posts. The lack of a unifying theme really puts TMOS at a disadvantage compared to well-crafted books. I was not a huge fan of The New School of Information Security or Geekonomics (both 4 stars), but those two titles are better than TMOS.

If you want to read books that will really help you think properly about digital security, the two must-reads are still Secrets and Lies by Bruce Schneier and Security Engineering, 2nd Ed by Ross Anderson. I would avoid Bruce's sequel, Beyond Fear -- it's ok, but he muddles a few concepts. (Heresy, I know!) I haven't read Schneier on Security, but I imagine it is good given the overall quality of his blog postings.

If you want to shatter some serious myths, spend time writing a book on the "80% myth," which is stated in a variety of ways by anyone who is trying to demonstrate that insider threats are the worst problem facing digital security. If you're going to pretend to debunk open source security, why not back it up with some numbers? Studies have been published recently, and original research and results would be welcome. How about demonstrating that user awareness training wastes money, because enough marks fall prey anyway? I'd also like to see research showing that frequent password changes are worse for security, not better. Wrap all of that in a coherent manner with substantial chapters and you have a real TMOS book.
16 of 21 people found the following review helpful
4.0 out of 5 stars A contrarian provides an interesting look at the information security industry Aug. 31 2009
By Ben Rothke - Published on
The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is an interesting and thought-provoking book. Ultimately, the state of information security can be summed up in the book's final three sentences, in which John Viega writes that 'real, timely improvement is possible, but it requires people to care a lot more [about security] than they do. I'm not sure that's going to happen anytime soon. But I hope it does.'

The reality is that while security evangelists such as Viega write valuable books such as this, it is for the most part falling on deaf ears. Most people don't understand computer security and its risks, and therefore place themselves and the systems they are working in danger. Malware finds computers to load on, often in part due to users who are oblivious to the many threats.

Much of the book is made up of Viega's often contrarian views of the security industry. With so much hype abounding, many of the often skeptical views he writes about show that what many may perceive as information security truths are indeed security myths.

From the title of the book, one might think that there is indeed a conspiracy in the computer security industry to keep users dumb and insecure. But as the author notes in chapter 45 -- An Open Security Industry, the various players in the computer security industry all work in their own fiefdoms. This is especially true when it comes to anti-virus, with each vendor to a degree reinventing the anti-virus wheel. The chapter shows how sharing amongst these companies is heavily needed. With that, the book's title of What the Computer Security Industry Doesn't Want You to Know is clearly meant to be provocative, but not true-life.

The book is made up of 48 chapters, on various so-called myths. Most of the chapters are 2-3 pages in length and tackle each of these myths. The range of topics covers the entire security industry, with topics spanning from various security technologies, issues, risks, and people.

While not every chapter is a myth per se, many are. Perhaps the most evocative of the security myths are chapter 10 -- Four Minutes to Infection and chapter 22 -- Do Antivirus Vendors Write their own Viruses?. But the bulk of the book is not about myths per se, rather an overview of the state of information security, and why it is in such a state.

In chapter 16, The Cult of Schneier [full disclosure -- Bruce Schneier and I work for the same company], Viega takes Schneier to task for the fact that many people are using his book Applied Cryptography, even though it has not been updated in over a decade. It is not fair to blame him for that. While Viega admits that he holds Schneier in high esteem, the chapter reads like the author is somehow jealous of Schneier's security rock star status.

Chapter 18 is on the topic of security snake oil, ironically a topic Schneier has long been at the forefront of. The chapter gives the reader sage advice that it is important to do their homework on security products you buy and to make sure you have at least a high-level understanding of the technical merits and drawbacks of the security product at hand. The problem though is that the vast majority of end-users clearly don't have the technical wherewithal to do that. It is precisely that scenario that gives rise to far too many security snake-oil vendors.

Perhaps the best chapter in the book, and the one to likely get the most comments, is chapter 24 -- Open Source Security: A Red Herring. Viega takes on Eric Raymond's theory of open source security that "given enough eyeballs, all bugs are shallow." Viega notes that a large challenge with security and open source is that a lot of the things that make for secure systems are not well defined. Viega closes with the argument that one can argue open versus closed source forever, but there isn't strong evidence to suggest that it is the right question to be asking in the first place.

Overall, The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is a good introduction to information security. While well-written and thought-provoking, the book may be too conceptual and unstructured for an average end-user, and too basic for many experienced information security professionals. But for those that are interested, the book covers the entire gamut of information security, and the reader, either security pro or novice, comes out much better informed.

While the author makes it clear he works for McAfee, and at times takes the company to task, the book references McAfee far too many times. At times the book seems like it is an advertisement for the company.

Viega does give interesting and often entertaining overviews of what we often take for granted. Some of the book's arguments are debatable, but many more are a refreshing look at the dynamic information security industry. Viega has sat down and written his observations of what is going on. They are worth perusing, and the book is definitely worth reading.
9 of 12 people found the following review helpful
5.0 out of 5 stars A Rude Awakening for Many (Who Will Probably Try and Hide or Dismiss the Facts) July 9 2009
By Mark Curphey - Published on
I was lucky enough to be sent a pre-production copy of the book by John. As I read the TOC my jaw dropped. Finally someone has the balls to say what's really happening. Far too many people have been hiding behind marketing FUD or driving their opinions and defending their actions largely to defend their careers and salaries. I am sure it's a tough message to swallow for many. I saw many things I am or have been guilty of in the book. That's all the more reason why it needed to be said. The industry needs to be cleaned up and the BS called out for what it is.

I applaud John for having the balls to write it.

It's not just a must-read, it's a must-take-note and must-take-action book!
3 of 4 people found the following review helpful
2.0 out of 5 stars A Working of Wind-Socking Feb. 7 2011
By Eddie-Oh! - Published on
Format: Paperback | Verified Purchase
The title of this book should be "Information Security: One Man's Battle With Himself and Everyone Else". The author doesn't know what he likes or dislikes, so he hedges his bets as he likes and dislikes everything at once. In certain situations he feels the hassle for security protocol is worth the effort; in other yet remarkably similar situations he feels the same protocol is a total waste of time. Only he knows, er, or maybe not, what the differences are, while the reader is feeling nauseous from the roller coaster ride of emotional opinion.
I rate it two stars only on account of the occasional tidbit of juicy security/technology bits that you can add to your repertoire. It's a shame that the author chose the road he took to convey his ideas. I think it would be more respected if it were a straight-up techy book.
5 of 7 people found the following review helpful
2.0 out of 5 stars Don't be fooled by the Title July 25 2010
By Mr. Cutzpr - Published on
Like another commentator stated, I am not sure who the intended audience for this book is, but if you have at least one MONTH of computer security experience, then you already know everything that's in this book. It is definitely not stimulating or thought-provoking. If you are in any aspect of the IT industry and are looking for a book to expand your knowledge, then this book is not for you.

It was an easy read though; I was able to finish it in two days. And believe me, the only reason I finished it was because I forked over the money to buy it. It pretty much is a worthless read. Not sure what to do with it now. I wouldn't want to read it again.

Gave it two stars because it had some security information, but the book is not what it perceives to be.