Jason Andress has refreshed his introductory security text for No Starch Press. He writes in the introduction that the term security now extends past data center servers to cloud resources, mobile devices, the Internet of Things, and AI.
About the author
Jason Andress is an experienced security professional with 15+ years in the industry. He has been writing on security topics for over a decade, covering data security, network security, hardware security, penetration testing, and digital forensics.
Inside the book
The book is aimed at newcomers to the field, network and system administrators, and managers who need a working grasp of security concepts. The author presents the material in 18 chapters organized into four parts: core principles, architecture and system security, operations and management, and human factors with professional development.
The first part covers the basics that any security curriculum tends to start with: the CIA triad, the Parkerian Hexad, threats and risk, defense in depth, threat actors, identification, authentication, access controls, auditing, and cryptography. Cryptography gets about 18 pages, moving from the Caesar cipher through symmetric and asymmetric systems, hash functions, and digital signatures.
A key addition in this edition is Chapter 12 on AI security. Andress explains why AI systems differ from deterministic software and walks through threats such as prompt injection, excessive agency, adversarial inputs, embedding exploits, and model and data poisoning. The chapter follows the structure of the OWASP Top 10 for LLM Applications 2025, which gives readers a recognizable frame they can carry into other resources. Don’t expect deep dives here. Andress keeps things at the concept level, which fits a book pitched as a starting point.
Other new material includes chapters on security operations and the SOC, governance and compliance, and expanded coverage of social engineering and security awareness, the latter built around a case study of the 2023 MGM Resorts attack.
Each chapter ends with a guided lab project. These range from password entropy testing and PGP encryption to audit log review, Zenmap scanning, app permission auditing, and linking CWEs with CVEs. The exercises pull readers away from passive reading and into the kind of work a junior analyst does on the job. Review questions also appear at the end of each chapter, suggesting classroom use.
The closing chapter on career development is direct. Andress lays out three routes into the field, weighs generalist and specialist tracks, and runs through certifications including Security+, CASP, SSCP, CISSP, GSEC, GPEN, and OSCP. He notes that HR filters often screen for credentials such as the CISSP, and that lacking these can mean a candidate is filtered out before a hiring manager sees the application.
The book has limits worth noting for buyers. Cloud security and operational technology security get scattered references across the text and no dedicated chapter. Hands-on practitioners may find the technical depth thin in places.
If you’re new to security or work in IT and want to get your bearings, the second edition of Foundations of Cybersecurity gives you a solid lay of the land and points you toward where to dig in next.