[techbooks] REVIEW: "Securing Java", Gary McGraw/Edward W. Felten

  Rob Slade, doting grandpa of Ryan and Tr
    Jun 22, 1999
      BKSECJAV.RVW 990501

      "Securing Java", Gary McGraw/Edward W. Felten, 1999, 0-471-31952-X,
      U$34.99/C$54.50
      %A Gary McGraw gem@...
      %A Edward W. Felten felten@...
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 1999
      %G 0-471-31952-X
      %I John Wiley & Sons, Inc.
      %O U$34.99/C$54.50 416-236-4433 fax: 416-236-4448 rlangloi@...
      %P 324 p.
      %T "Securing Java: Getting Down to Business with Mobile Code"

      Unlike Oaks' "Java Security" (cf. BKJAVASC.RVW), this book concentrates
      on Java in the popular perception: as a means of providing active code
      on the Web. As such it is intended not simply for techies, but also
      for dedicated users.

      Chapter one provides a readily accessible backgrounder, covering
      portability, the Internet, the Web, active content, security risks,
      other active content systems, and a rough outline of the Java security
      model with particular regard to applets. The original Java applet
      security model, or "sandbox," is covered in chapter two. The security
      model is now complicated by signed code, and chapter three points out
      the changes made. Chapter four outlines a number of malicious
      applets, but also gives clear directions for disabling Java on both
      the Netscape and Internet Explorer browsers. The authors outline a
      second class of hostile applets, in chapter five, that are intended to
      breach system security and allow an attack to bypass normal security
      mechanisms. There are suggestions for improving the security model,
      as well as a review of third party attempts to enhance it, in chapter
      six. (I was amused to see the slight lifting of the skirts of ICSA
      [International Computer Security Association]: the history of the
      outfit is a lot more interesting and convoluted even than is portrayed
      here.) Chapter seven is directed at programmers, but the advice
      provided looks at practices and policies rather than APIs
      (Applications Programming Interfaces) and chunks of sample code. A
      version of Java specifically designed for Smart Cards is available,
      and chapter eight looks at its promises and problems. A recap and
      restatement of the major security issues in mobile code is given in
      chapter nine. Appendices provide a Java security FAQ, security
      resource pointers, and directions on Java code signing.

      The text is quite readable. The authors have made a very serious
      attempt to ensure that the book does not depend upon previous
      technical background. For the most part, they have succeeded. The
      diligent reader would be able to understand most of the concepts as
      presented, even without having worked with computers or computer
      security. However, the key word is "diligent:" it *feels* like a
      technical book, and newcomers to the topic may be put off by the
      style.

      In addition, McGraw and Felten are careful to avoid any bias. They
      obviously feel that Java has some worthwhile security measures, but
      admit to its faults and point out its shortcomings. This makes the
      book extremely useful: much more so than an uncritical paean of
      praise.

      An effective book on an important subject with a wide audience. But
      you don't have to take my word for it. You can try before you buy.
      The www.securingjava.com site does not simply contain a few press
      releases and the errata, but has the whole text of the book online. A
      bold step. (You can help justify it by then buying the book.)

      copyright Robert M. Slade, 1999 BKSECJAV.RVW 990501
