A review by will_sargent
Security Engineering: A Guide to Building Dependable Distributed Systems 2ed by Ross J. Anderson

3.0

I'm of two minds about this book.

On the one hand, it's an amazingly comprehensive reference. If you're not a security geek, this book will tell you everything you never knew you wanted to know. It doesn't just cover code or web applications, but it covers just about every single security scheme humanity has invented, from nuclear launch codes to PINs to PKI to passive snooping through Van Eck phreaking. It's solid.

BUT. It's also all over the place. The book is not a "guide to building dependable distributed systems" as it says, because it's far too broad for that. The chapter on attacking APIs in particular is embarrassingly short, and only covers a few pages when there's an entire book that could be written on that topic alone. This book is more about the general makeup of the security landscape rather than how to design secure web applications or software architectures. Also, as much as I hate saying this about a book that covers everything from banking to bots, it does feel a little dated in places.

So I give it three stars, because honestly this should have been split into three books.