REVIEW: "Security Fundamentals for E-Commerce", Vesna Hassler

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1 , Mar 4 7:44 AM
      "Security Fundamentals for E-Commerce", Vesna Hassler, 2001,
      1-58053-108-3, U$83.00
      %A Vesna Hassler hassler@...
      %C 685 Canton St., Norwood, MA 02062
      %D 2001
      %G 1-58053-108-3
      %I Artech House/Horizon
      %O U$83.00 800-225-9977 fax: 617-769-6334 artech@...
      %P 409 p.
      %T "Security Fundamentals for E-Commerce"

      "The purpose of this book is to give an in-depth overview of all the
      basic security problems and solutions that can be relevant for an
      e-commerce application." I'm sorry, but "in-depth overview" sounds a
      bit like "jumbo shrimp": it's an oxymoron. And "all the basic
      security problems and solutions that can be relevant for an e-commerce
application" covers a lot of ground. (Which is, I suppose, why this
text has twenty-two chapters.)

      Part one explains the basics of information security. Chapter one
      defines some of the basic jargon, but misses a number of the important
fundamental terms. For example, the relationship between threats,
vulnerabilities and exploits is fairly basic to security and risk
analysis, and yet all security problems seem to be lumped together as
      threats. The examination of security mechanisms, in chapter two, is
      limited to cryptography. Key management is restricted to X.509
      certificates and Diffie-Hellman in chapter three.

      Part two looks specifically at security of electronic payment systems.
      Chapter four briefly lists a wide variety of payment systems. A terse
      set of payment security problems is given in chapter five, while some
      seemingly random cryptographic solutions are given in six. A little
      bit of math for functions directed at electronic cash and cheques is
      presented in chapters seven and eight, respectively. Chapter nine
      describes the Internet Open Trading Protocol.

      Part three deals with communications security. Chapter ten is a
      general look at networking. Chapters eleven to fourteen examine
      different systems for security at different layers, but the depth of
      coverage is very inconsistent: extremely terse in some cases, with
      many gaps, and yet delving into minute detail in others.

      Part four examines Web security. Chapter fifteen details the
HyperText Transfer Protocol (HTTP), which is good, since few texts
bother to. Random topics related to Web servers make up chapter
      sixteen. Web client security topics are dealt with somewhat better in
      chapter seventeen, although cookies aren't given any significant
      discussion. Active content does get its own chapter: eighteen
      concentrates almost exclusively on Java. Chapter nineteen contains
      miscellaneous topics.

      Part five covers some special issues for mobile or agent computing.
Agent technology is described in chapter twenty, some cellular phone
topics are reviewed in twenty-one, and smart card security is
discussed in twenty-two.

      Well, overview it is. The book does cover a variety of topics,
      although there are a great many gaps and holes. However, "in-depth"
      can't be supported, except in a very few cases. There are some topics
      that are discussed in excruciating detail, but they are definitely in
      the minority. As a college text this undoubtedly has its uses, but
      professionals or businesspeople will find the inconsistent coverage

