Shostack + Friends Blog

 

A Vulnerable System

Andrew Stewart has an excellent new book, A Vulnerable System.

A Vulnerable System is a new book from Andrew J. Stewart. Stewart traces the history of computer security from before the very start of computing in a rigorous and approachable way. Doing this helps us understand 'how we got to now' and why some of the problems we have persist. The book is worth your time if you work in security.

The book begins with the very first computers, and moves quickly through the emergence of timesharing to the question "can we rent time on this machine to the Air Force and others?" From there, the book takes the reader on a tour of the early papers and the folks who wrote them. (He misses the funny story that the "* property" was supposed to be renamed before publication, but very little else.) He covers the history of the rainbow books and their failures, and then gets to the rise of vulnerability discovery as a major driver of the field, the growth of the security products market, data breaches, and nation state hacking.

He also discusses how the field has reached a state of epistemic closure, where the debates we have are narrow, and (separately) how the field has achieved this state before we have a deep understanding of what we're doing. I was at first taken aback when he pointed out that "The CIA triad, 'no security through obscurity,' and 'defense in depth' are not scientific or mathematical laws derived from first principles, nor are they inerrant. They are simply mantras, and so can be recast."

But he's right. These are more rules of thumb than they are statements like "Entropy always decreases." (Thermodynamics and information security may be opposites, and my cryptographic background leads me to think we never have enough entropy. That situation has changed somewhat with the rise of in-chip sources of unpredictability, but how do we measure how much it has changed?) Moving from the specifics to the general point, having studied the history, he can say that the field is young. He can also point out that while we have mantras that can help us day to day, as a field or aspiring profession, we need to sometimes look more broadly at what we're doing.

Some readers may recognize Andrew's name because I was his co-author for The New School of Information Security. I get too much credit — he made that book happen. We both learned a tremendous amount from writing it, and writing together, and I'm thrilled that he has a book with only his name on it.