Logo What's New

Let our core competencies complement yours...

 Company  About Us  Services  Technology  News  Contact Us  Search
Bar

Web Security Sourcebook: A Complete Guide to Web Security Threats and Solutions
by Aviel D. Rubin, Daniel Geer, and Marcus J. Ranum, John Wiley & Sons, ISBN: 0-471-18148-X, paperback.

Given the tremendous respect the networking industry has for the authors of the Web Security Sourcebook, my expectations for what I would encounter in this book were extraordinarily high.  I'm delighted to report that in nearly all respects, my expectations were met or exceeded.

The authors of the Web Security Handbook promise that the book will help the reader

  • improve the security of Web clients and servers
  • write secure Java applets and CGI scripts
  • avoid security holes in popular browsers.

I think that promise is met in nearly all respects, and do so in a style that should be unintimidating for most readers moderately familiar with the Web, and yet sufficiently informative to maintain the attention of the more advanced reader.

The book covers four topics related to the Web and Security: browser security, server-side security, secure scripts, and electronic commerce.  I found all four  interesting and well...topical.

I will freely admit that I am a lazy browser user.  I use different browsers on many machines in our office, and change their configurations only under duress.  A consequence of this slovenly behavior on my part is that every browser I use looks and behaves differently.  I have begged off correcting this situation by claiming never to have time to attend to such mundane tasks.  Messrs. Rubin, Geer, and Ranum provided me with plenty of incentive to pay closer attention to who is leaving cookies on my machines, what might  be revealed from my work and personal browsing behavior, and the very real threats I might expose my systems and information to if I continue to ignore my responsibilities.  The authors explain the problems you can encounter if your browser eats a bad or poisoned CGI script. There's also a great discussion about the privacy implications associated with web and email use, which concludes with several very practical ways for you to maintain your anonymity on the Internet.

Whether you outsource your public or "extranet" web site to an ISP, as we do, or host your external and "intranet" sites on machines you maintain, the server-side security and the chapter that discusses the relationship between firewalls and the web should prove invaluable.  The authors note that the three most common ways to break into a server are to

  1. circumvent host security,
  2. exploit a bug in the Web server software, or
  3. exploit a badly written CGI script,

and address (3) by providing sound guidelines for writing secure CGI scripts. If you have not considered the spectrum of security measures and safeguards described in this book, you will be well served to do so; if you do, you should lament the fact that someone else has written the book you might have written!

The final chapters discuss how to manage and conduct secure transactions over the web, or in plain-speak, how to buy, sell, and transact business where information to be exchanged must remain private, unaltered, and attributed without repudiation to the originator (did I say plain-speak?). A wide range of mechanisms are covered here, ranging from security technology you can introduce at the IP layer to technology that is web application-specific.  There's also a very nice summary of secure payment systems that at the very least, will help you understand who the players are and what they purport to offer.

I highly recommend this book.  Steve Bellovin, co-author of Firewalls and Internet Security, concludes the foreword he contributed to the book  by saying

"About the only thing they don't cover is bed monsters, ...".

That pretty much says it all.

Bar
[Company] [About Us] [Services] [Technology] [News] [Contact Us] [Search]

Contact our webmaster with questions or comments regarding this site.
Copyright 2008 Core Competence, Inc. All rights reserved.