I have finally finished Foundations of Security: What Every Programmer Needs to Know. Yep, finally: it wasn’t done easily.
Indeed, the book felt really dry. Nothing in it gives you the urge to read late into the night; rather the other way around, it would make me fall asleep quicker.
However, that doesn’t say much about the content of the book. And there, this book clearly aims to be kind of exhaustive, pushing it even a bit too far, like enumerating all the devices able to store a password, from a PDA to a file or source code. Still, this kind of completeness is a nice refresher.
Similarly, the book pointed out some potential issues I could have overlooked. Info leakage, especially of credentials, wasn’t present enough in my mind, notably through Referer headers.
Regarding security practices themselves, I felt like this book was either too technical for a non-IT guy or too simple for an IT guy. My case being more of the latter, I often felt frustrated by the lack of technical depth, the suggested solutions being quite often already known. Furthermore, the enumerative style made the technical bits quite repetitive. I sometimes asked myself whether some stuff hadn’t already been described earlier, or whether I hadn’t already read it. That wasn’t the case, but the commonalities in presentation, description and structure really didn’t help.
At the end of the day, I don’t regret having read this book. My knowledge of security is now firmer. Yet I’m pretty sure some other security books exist which are more instructive and/or more enjoyable to read.