Free Google Book: Building Secure and Reliable Systems

Google added another book to their excellent SRE series: Building Secure and Reliable Systems. It's free to download, so don't be shy.

It's not short: 557 pages and 21 chapters! So what's it about? In short, it's about "reliability through the lens of security."

In long, Ana Oprea (anaoprea), one of the authors, gave a good overview:

There are multiple questions about what this book is about, who it's for and what might be relevant for me. We recommend going through the Preface to get answers to these questions. Copy/pasting a few paragraphs: "In this book we talk generally about systems, which is a conceptual way of thinking about the groups of components that cooperate to perform some function.
We wanted to write a book that focuses on integrating security and reliability directly into the software and system lifecycle, both to highlight technologies and practices that protect systems and keep them reliable, and to illustrate how those practices interact with each other.
We’d like to explicitly acknowledge that some of the strategies this book recommends require infrastructure support that simply may not exist where you’re currently working.
Because security and reliability are everyone’s responsibility, we’re targeting a broad audience: people who design, implement, and maintain systems. We’re challenging the dividing lines between the traditional professional roles of developers, architects, SREs, systems administrators, and security engineers.
Building and adopting the widespread best practices we recommend in this book requires a culture that is supportive of such change. We feel it is essential that you address the culture of your organization in parallel with the technology choices you make to focus on both security and reliability, so that any adjustments you make are persistent and resilient.
We recommend you start with Chapters 1 and 2, and then read the chapters that most interest you. Most chapters begin with a boxed preface or executive summary that outlines the following:
  • The problem statement
  • When in the software development lifecycle you should apply these principles and practices
  • The intersections of and/or tradeoffs between reliability and security to consider
Within each chapter, topics are generally ordered from the most fundamental to the most sophisticated. We also call out deep dives and specialized subjects with an alligator icon."

I've only had time to browse through the book. One thing I like is they use as examples actual security and design issues they've experienced at Google and then explain how those were solved. Google has problems, just like you.

One thing I always dislike about security books is that empty feeling I get when I go to write that next line of code and I realize I still don't have any idea if that line is secure or not. Even though Chapter 12 is on Writing Code, I'll still get that feeling. Perhaps that's just the nature of the beast. It will take much more practical work before security and reliability can truly become inherent properties of all information systems.

This book is a top-to-bottom look at a complete organizational response to security and reliability. It's not for the meek:

For those who are passionate about security and reliability, we conclude with the following advice: your ability to work across knowledge domains and embed expertise in the right places is key to your organization’s success. Security and reliability need to be an integrated part of the entire computing environment. All these pieces must work together in harmony to solve problems. No checklist or silver-bullet advice we could give can compensate for your own ability to help your organization flex and grow as the nature of the security and reliability challenges it faces evolves.