Software security is an important yet neglected issue. Most developers will immediately recognize its importance because, with the Internet, so much of the computing infrastructure (the “surface”) is vulnerable to attack. Yet it’s simultaneously neglected because it relies on mastering the unknown – an unsurmountable topic. Reviewing security issues in one’s own code is often a painful process, much like reading an editor’s notes on one’s own writing. Into this ongoing conversation, Kohnfelder, a developer with around 50 years of experience in computing and (an impressive) 20 focused on cybersecurity, interjects an update that comprehensively covers concepts important for the present and the future.

This book indeed mostly addresses ideas and contains few code examples. This correlates with its main contention – that security issues need to be first addressed in the design process. The Internet was designed as an open system for exchange, and security was more of an afterthought. In today’s world, where even computers in our pockets are open to a potentially dangerous web, developers and designers of software need to think through securing software on their own.

Kohnfelder divides this book into three sections: Concepts, Design, and Implementation. He deftly moves from the big picture into pragmatics and back again. He discusses the high points of cybersecurity history and their implications for today’s coding efforts. In the conclusion, he even points to important current trends that might have impact in the near future.

I particularly appreciated his section on encryption. He addresses cryptography in an accessible way. In contrast to many works in the field that focus on mathematics or technical detail, he presents the big picture with keywords that can be researched more in-depth. While completing his PhD from MIT in 1978, he focused his research on RSA cryptography, and his clarity of thought shows well when talking about this subject.

Obviously, this book addresses software developers and designers, but it also has potential impact for those involved anywhere in the production of software. IT project managers in particular can benefit from this concept-heavy presentation because they need not wade into the waters of code. It provides a healthy update to the ongoing and unending conversation around cybersecurity. I hope to use some of the insights gleaned from the field of this book into my own software efforts. Upcoming developers would do well to learn from the teachings of this grand master. ( )