Using sample charts, graphics, case studies, and war stories, Yankee Group Security Expert Andrew Jaquith demonstrates exactly how to establish effective metrics based on your organization's unique requirements. You'll discover how to quantify hard-to-measure security activities, compile and analyze all relevant data, identify strengths and weaknesses, set cost-effective priorities for improvement, and craft compelling messages for senior management. Security Metrics successfully bridges management's quantitative viewpoint with the nuts-and-bolts approach typically taken by security professionals. It brings together expert solutions drawn from Jaquith's extensive consulting work in the software, aerospace, and financial services industries, including new metrics presented nowhere else. You'll learn how to: - Replace nonstop crisis response with a systematic approach to security improvement - Understand the differences between "good" and "bad" metrics - Measure coverage and control, vulnerability management, password quality, patch latency, benchmark scoring, and business-adjusted risk - Quantify the effectiveness of security acquisition, implementation, and other program activities - Organize, aggregate, and analyze your data to bring out key insights - Use visualization to understand and communicate security issues more clearly - Capture valuable data from firewalls and antivirus logs, third-party auditor reports, and other resources - Implement balanced scorecards that present compact, holistic views of organizational security effectiveness Whether you're an engineer or consultant responsible for security and reporting to management-or an executive who needs better information for decision-making-Security Metrics is the resource you have been searching for. Andrew Jaquith, program manager for Yankee Group's Security Solutions and Services Decision Service, advises enterprise clients on prioritizing and managing security resources. He also helps security vendors develop product, service, and go-to-market strategies for reaching enterprise customers. He co-founded @stake, Inc., a security consulting pioneer acquired by Symantec Corporation in 2004. His application security and metrics research has been featured in CIO, CSO, InformationWeek, IEEE Security and Privacy, and The Economist. Foreword Preface Acknowledgments About the Author Chapter 1 Introduction: Escaping the Hamster Wheel of Pain Chapter 2 Defining Security Metrics Chapter 3 Diagnosing Problems and Measuring Technical Security Chapter 4 Measuring Program Effectiveness Chapter 5 Analysis Techniques Chapter 6 Visualization Chapter 7 Automating Metrics Calculations Chapter 8 Designing Security Scorecards Index

     Coauthored by the designer of the Scala language, this authoritative book will teach you, one step at a time, the Scala language and the ideas behind it. The book is carefully crafted to help you learn. The first few chapters will give you enough of the basics that you can already start using Scala for simple tasks. The entire book is organized so that each new concept builds on concepts that came before - a series of steps that promises to help you master the Scala language and the important ideas about programming that Scala embodies. A comprehensive tutorial and reference for Scala, this book covers the entire language and important libraries.

    In his bestselling book How to Measure Anything, author Douglas W. Hubbard opened the business world's eyes to the critical need for better measurement. This book expands upon that premise and draws from The Failure of Risk Management to sound the alarm in the cybersecurity realm. Some of the field's premier risk management approaches actually create more risk than they mitigate, and questionable methods have been duplicated across industries and embedded in the products accepted as gospel. This book sheds light on these blatant risks, and provides alternate techniques that can help improve your current situation. You'll also learn which approaches are too risky to save, and are actually more damaging than a total lack of any security.Dangerous risk management methods abound; there is no industry more critically in need of solutions than cybersecurity. This book provides solutions where they exist, and advises when to change tracks entirely.Discover the shortcomings of cybersecurity's best practices Learn which risk management approaches actually create risk Improve your current practices with practical alterations Learn which methods are beyond saving, and worse than doing nothing Insightful and enlightening, this book will inspire a closer examination of your company's own risk management practices in the context of cybersecurity. The end goal is airtight data protection, so finding cracks in the vault is a positive thing--as long as you get there before the bad guys do. How to Measure Anything in Cybersecurity Risk is your guide to more robust protection through better quantitative processes, approaches, and techniques.

    Building on the successful top-down approach of previous editions, this fourth edition continues with an early emphasis on application-layer paradigms and application programming interfaces, encouraging a hands-on experience with protocols and networking concepts.

    This concise introduction shows you how to perform statistical analysis computationally, rather than mathematically, with programs written in Python.You'll work with a case study throughout the book to help you learn the entire data analysis process—from collecting data and generating statistics to identifying patterns and testing hypotheses. Along the way, you'll become familiar with distributions, the rules of probability, visualization, and many other tools and concepts.Develop your understanding of probability and statistics by writing and testing codeRun experiments to test statistical behavior, such as generating samples from several distributionsUse simulations to understand concepts that are hard to grasp mathematicallyLearn topics not usually covered in an introductory course, such as Bayesian estimationImport data from almost any source using Python, rather than be limited to data that has been cleaned and formatted for statistics toolsUse statistical inference to answer questions about real-world data

    This is the undisputed go-to guide to Rust, written by two members of the Rust core team, with feedback and contributions from 42 members of the community. The book assumes that you’ve written code in another programming language but makes no assumptions about which one, meaning the material is accessible and useful to developers from a wide variety of programming backgrounds.Known by the Rust community as "The Book," The Rust Programming Language includes concept chapters, where you’ll learn about a particular aspect of Rust, and project chapters, where you’ll apply what you’ve learned so far to build small programs.The Book opens with a quick hands-on project to introduce the basics then explores key concepts in depth, such as ownership, the type system, error handling, and fearless concurrency. Next come detailed explanations of Rust-oriented perspectives on topics like pattern matching, iterators, and smart pointers, with concrete examples and exercises--taking you from theory to practice.The Rust Programming Language will show you how to: Grasp important concepts unique to Rust like ownership, borrowing, and lifetimes Use Cargo, Rust’s built-in package manager, to build and maintain your code, including downloading and building dependencies Effectively use Rust’s zero-cost abstractions and employ your ownYou’ll learn to develop reliable code that’s speed and memory efficient, while avoiding the infamous and arcane programming pitfalls common at the systems level. When you need to dive down into lower-level control, this guide will show you how without taking on the customary risk of crashes or security holes and without requiring you to learn the fine points of a fickle toolchain.You’ll also learn how to create command line programs, build single- and multithreaded web servers, and much more.The Rust Programming Language fully embraces Rust’s potential to empower its users. This friendly and approachable guide will help you build not only your knowledge of Rust but also your ability to program with confidence in a wider variety of domains.

    With this hands-on guide, you'll learn how to write effective, idiomatic Python code by leveraging its best and possibly most neglected features. Author Luciano Ramalho takes you through Python's core language features and libraries, and shows you how to make your code shorter, faster, and more readable at the same time.Many experienced programmers try to bend Python to fit patterns they learned from other languages, and never discover Python features outside of their experience. With this book, those Python programmers will thoroughly learn how to become proficient in Python 3.This book covers:Python data model: understand how special methods are the key to the consistent behavior of objectsData structures: take full advantage of built-in types, and understand the text vs bytes duality in the Unicode ageFunctions as objects: view Python functions as first-class objects, and understand how this affects popular design patternsObject-oriented idioms: build classes by learning about references, mutability, interfaces, operator overloading, and multiple inheritanceControl flow: leverage context managers, generators, coroutines, and concurrency with the concurrent.futures and asyncio packagesMetaprogramming: understand how properties, attribute descriptors, class decorators, and metaclasses work"

    Accomplished pentester and author Phillip L. Wylie and cybersecurity researcher Kim Crawley walk you through the basic and advanced topics necessary to understand how to make a career out of finding vulnerabilities in systems, networks, and applications.You'll learn about the role of a penetration tester, what a pentest involves, and the prerequisite knowledge you'll need to start the educational journey of becoming a pentester. Discover how to develop a plan by assessing your current skillset and finding a starting place to begin growing your knowledge and skills. Finally, find out how to become employed as a pentester by using social media, networking strategies, and community involvement.Perfect for IT workers and entry-level information security professionals, The Pentester BluePrint also belongs on the bookshelves of anyone seeking to transition to the exciting and in-demand field of penetration testing.Written in a highly approachable and accessible style, The Pentester BluePrint avoids unnecessarily technical lingo in favor of concrete advice and practical strategies to help you get your start in pentesting. This book will teach you:The foundations of pentesting, including basic IT skills like operating systems, networking, and security systems The development of hacking skills and a hacker mindset Where to find educational options, including college and university classes, security training providers, volunteer work, and self-study Which certifications and degrees are most useful for gaining employment as a pentester How to get experience in the pentesting field, including labs, CTFs, and bug bounties

    The principal enhancement in Java 8 was the addition of functional programming constructs to Java's object-oriented roots. Java 7, 8, and 9 also introduced language features, such as the try-with-resources statement, the diamond operator for generic types, default and static methods in interfaces, the @SafeVarargs annotation, and modules. New library features include pervasive use of functional interfaces and streams, the java.time package for manipulating dates and times, and numerous minor enhancements such as convenience factory methods for collections. In this new edition of Effective Java, Bloch updates the work to take advantage of these new language and library features, and provides specific best practices for their use. Java's increased support for multiple paradigms increases the need for best-practices advice, and this book delivers. As in previous editions, each chapter consists of several "items," each presented in the form of a short, standalone essay that provides specific advice, insight into Java platform subtleties, and updated code examples. The comprehensive descriptions and explanations for each item illuminate what to do, what not to do, and why. Coverage includes:Updated techniques and best practices on classic topics, including objects, classes, methods, libraries, and generics How to avoid the traps and pitfalls of commonly misunderstood subtleties of the platform Focus on the language and its most fundamental libraries, such as java.lang and java.util

    Tribe of Hackers wants to change that. We asked for industry, career, and personal advice from 70 cybersecurity luminaries who are ready to break down barriers and shatter ceilings. It's about time.This book can be a catalyst for change for anyone, from beginners trying to enter the industry, to practitioners looking to start their own firms. What tips do the founders of Dragos, Inc. and Duo Security have on starting a company? Do you need a college degree or certification to be a cybersecurity professional? What is the biggest bang-for-the-buck action your organization can take to improve its cybersecurity posture? What "life hacks" to real hackers use to make their own lives easier? What resources can women in cybersecurity utilize to maximize their potential?All proceeds from the book will go towards: Bunker Labs, Sickle Cell Disease Association of America, Rainforest Partnership, and Start-Up! Kid's Club.We can't wait to show you the most epic cybersecurity thought leadership collaborative effort, ever.(Source: Amazon.com)

    It took the open source world by storm since its inception in 2005, and is used by small development shops and giants like Google, Red Hat, and IBM, and of course many open source projects.A book by Git experts to turn you into a Git expert. Introduces the world of distributed version control Shows how to build a Git development workflow.

    It is truly cutting-edge. As the only book on the subject, Rootkits will be of interest to any Windows security researcher or security programmer. It's detailed, well researched and the technical information is excellent. The level of technical detail, research, and time invested in developing relevant examples is impressive. In one word: Outstanding."--Tony Bautts, Security Consultant; CEO, Xtivix, Inc. "This book is an essential read for anyone responsible for Windows security. Security professionals, Windows system administrators, and programmers in general will want to understand the techniques used by rootkit authors. At a time when many IT and security professionals are still worrying about the latest e-mail virus or how to get all of this month's security patches installed, Mr. Hoglund and Mr. Butler open your eyes to some of the most stealthy and significant threats to the Windows operating system. Only by understanding these offensive techniques can you properly defend the networks and systems for which you are responsible."--Jennifer Kolde, Security Consultant, Author, and Instructor "What's worse than being owned? Not knowing it. Find out what it means to be owned by reading Hoglund and Butler's first-of-a-kind book on rootkits. At the apex the malicious hacker toolset--which includes decompilers, disassemblers, fault-injection engines, kernel debuggers, payload collections, coverage tools, and flow analysis tools--is the rootkit. Beginning where Exploiting Software left off, this book shows how attackers hide in plain sight."Rootkits are extremely powerful and are the next wave of attack technology. Like other types of malicious code, rootkits thrive on stealthiness. They hide away from standard system observers, employing hooks, trampolines, and patches to get their work done. Sophisticated rootkits run in such a way that other programs that usually monitor machine behavior can't easily detect them. A rootkit thus provides insider access only to people who know that it is running and available to accept commands. Kernel rootkits can hide files and running processes to provide a backdoor into the target machine."Understanding the ultimate attacker's tool provides an important motivator for those of us trying to defend systems. No authors are better suited to give you a detailed hands-on understanding of rootkits than Hoglund and Butler. Better to own this book than to be owned."--Gary McGraw, Ph.D., CTO, Cigital, coauthor of Exploiting Software (2004) and Building Secure Software (2002), both from Addison-Wesley "Greg and Jamie are unquestionably the go-to experts when it comes to subverting the Windows API and creating rootkits. These two masters come together to pierce the veil of mystery surrounding rootkits, bringing this information out of the shadows. Anyone even remotely interested in security for Windows systems, including forensic analysis, should include this book very high on their must-read list."--Harlan Carvey, author of Windows Forensics and Incident Recovery (Addison-Wesley, 2005) Rootkits are the ultimate backdoor, giving hackers ongoing and virtually undetectable access to the systems they exploit. Now, two of the world's leading experts have written the first comprehensive guide to rootkits: what they are, how they work, how to build them, and how to detect them. Rootkit.com's Greg Hoglund and James Butler created and teach Black Hat's legendary course in rootkits. In this book, they reveal never-before-told offensive aspects of rootkit technology--learn how attackers can get in and stay in for years, without detection. Hoglund and Butler show exactly how to subvert the Windows XP and Windows 2000 kernels, teaching concepts that are easily applied to virtually any modern operating system, from Windows Server 2003 to Linux and UNIX. They teach rootkit programming techniques that can be used for a wide range of software, from white hat security tools to operating system drivers and debuggers. After reading this book, readers will be able to Understand the role of rootkits in remote command/control and software eavesdropping Build kernel rootkits that can make processes, files, and directories invisible Master key rootkit programming techniques, including hooking, runtime patching, and directly manipulating kernel objects Work with layered drivers to implement keyboard sniffers and file filters Detect rootkits and build host-based intrusion prevention software that resists rootkit attacks

    With the 97 short and extremely useful tips for programmers in this book, you'll expand your skills by adopting new approaches to old problems, learning appropriate best practices, and honing your craft through sound advice.With contributions from some of the most experienced and respected practitioners in the industry--including Michael Feathers, Pete Goodliffe, Diomidis Spinellis, Cay Horstmann, Verity Stob, and many more--this book contains practical knowledge and principles that you can apply to all kinds of projects.A few of the 97 things you should know:"Code in the Language of the Domain" by Dan North"Write Tests for People" by Gerard Meszaros"Convenience Is Not an -ility" by Gregor Hohpe"Know Your IDE" by Heinz Kabutz"A Message to the Future" by Linda Rising"The Boy Scout Rule" by Robert C. Martin (Uncle Bob)"Beware the Share" by Udi Dahan

    Quite the contrary; mistakes are easy to make and can often fully compromise security. Bulletproof SSL and TLS is the first SSL book written with users in mind. It is the book you will want to read if you need to assess risks related to website encryption, manage keys and certificates, configure secure servers, and deploy secure web applications. Bulletproof SSL and TLS is based on several years of work researching SSL and how SSL is used in real life, implementing and supporting a comprehensive assessment tool running on the SSL Labs website (https://www.ssllabs.com), and assessing most of the public SSL servers on the Internet. The assessment tool helped many site owners identify and solve issues with their SSL deployments. The intent of this book is to provide a definitive reference for SSL deployment that is full of practical and relevant information.

    Targeting American utility companies, NATO, and electric grids in Eastern Europe, the strikes became ever more brazen, eventually leading to the first-ever blackouts triggered by hackers. They culminated in the summer of 2017 when malware known as NotPetya was unleashed, compromising, disrupting, and paralyzing some of the world's largest companies. At the attack's epicenter in Ukraine, ATMs froze. The railway and postal systems shut down. NotPetya spread around the world, inflicting an unprecedented ten billions of dollars in damage--the largest, most penetrating cyberattack the world had ever seen.The hackers behind these attacks are quickly gaining a reputation as the most dangerous team of cyberwarriors in the internet's history: Sandworm. Believed to be working in the service of Russia's military intelligence agency, they represent a persistent, highly skilled, state-sponsored hacking force, one whose talents are matched by their willingness to launch broad, unrestrained attacks on the most critical infrastructure of their adversaries. They target government and private sector, military and civilians alike.From WIRED senior writer Andy Greenberg comes Sandworm, the true story of the desperate hunt to identify and track those attackers. It considers the danger this force poses to our national stability and security. And as the Kremlin's role in manipulating foreign governments and sparking chaos globally comes into greater focus, Sandworm reveals the realities not just of Russia's global digital offensive, but of an era where warfare ceases to be waged on the battlefield--where the line between digital and physical conflict begins to blur, with world-shaking implications.