
REVIEW: "The Tangled Web: A Guide to Securing Modern Web Applications", Michael Zalewski

  • Rob, grandpa of Ryan, Trevor, Devon & Han
    Message 1 of 1, Jul 4, 2013
      BKTNGWEB.RVW 20121207

      "The Tangled Web: A Guide to Securing Modern Web Applications",
      Michael Zalewski, 2012, 978-1-59327-388-0, U$49.95/C$52.95
      %A Michael Zalewski
      %C 555 De Haro Street, Suite 250, San Francisco, CA 94107
      %D 2012
      %G 978-1-59327-388-0 1-59327-388-6
      %I No Starch Press
      %O U$49.95/C$52.95 415-863-9900 fax 415-863-9950 info@...
      %O http://www.amazon.com/exec/obidos/ASIN/1593273886/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/1593273886/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/1593273886/robsladesin03-20
      %O Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
      %P 299 p.
      %T "The Tangled Web: A Guide to Securing Modern Web Applications"

      In the preface, the author dismisses security experts as academic,
      ineffectually worried, and unaware of the importance of the Web.
      (Zalewski makes reference to a "confused deputy problem" being
      "regularly" referred to in academic security literature. I've never
      heard of it.) He blames them for the current insecure state of Web
      applications. I suspect this is a bit unfair, given the "citizen
      programmer" status of huge numbers of Web projects, and the time and
      feature pressure this places on the rest. It is unfortunate that some
      security specialists have not regarded the Web as significant, but it
      is critical that most security specialists don't know how to program,
      and most programmers don't care anything about security.

      He also says the book is about repentance, and a step towards
      normalcy. (Normalcy is not defined.)

      Chapter one is an introduction, both to information security, and to
      Web application development. Starting off by misattributing one of
      Gene Spafford's quotes, the author complains about any and all
      attempts to structure or define security. (Rather inconsistently,
      while he derides taxonomies, he does recommend designing systems so as
      to deal with "classes" of bugs. The difference between a class and a
      taxon is not explained.)

      Part one outlines the principal concepts of the Web. Chapter two
      starts us off with the URL (Uniform Resource Locator), noting some of
      the problems with different types of encoding. From this point in the
      book, each chapter concludes with a "Security Engineering Cheat
      Sheet," listing potential problems, and suggesting broad approaches
      (without details) to dealing with those issues. HTTP (the HyperText
      Transfer Protocol) is the subject of chapter three, primarily
      concerning the handling of user data. (Since the author is fond of
      quotes, I'll give him one from Tony Buckland, several years before the
      invention of the Web: "The client interface is the boundary of
      trustworthiness.") Chapters four to eight cover HTML (HyperText
      Markup Language), CSS (Cascading Style Sheets), browser scripting
      (concentrating exclusively on JavaScript), non-HTML data (mostly XML),
      and plug-ins.

      Part two turns to browser security features. Chapter nine talks about
      isolating content, so that different sites or documents don't
      interfere with each other. Determining where and to whom a page
      belongs is addressed in chapter ten. Chapter eleven expands the
      details of problems caused by allowing disparate documents to
      interact. Other security boundaries, such as local storage, networks,
      ports, and cookies, are reviewed in chapter twelve. Recognizing
      content, when the "Content-Type" description may be problematic, is in
      chapter thirteen. Chapter fourteen suggests ways to deal with
      malicious scripts. Specifically setting or raising permissions is
      discussed in chapter fifteen.

      Part three looks ahead to Web application security issues as they may
      develop in the future. New and coming security features are noted in
      chapters sixteen and seventeen. Chapter eighteen reviews the
      all-too-common Web vulnerabilities (such as cross-site scripting and
      "Referer" leakage).

      Absent the complaints about the rest of the security field, this is a
      decent and technical guide to problems which should be considered for
      any Web application project. It's not a cookbook, but provides solid
      advice for designers and developers.

      copyright, Robert M. Slade 2013 BKTNGWEB.RVW 20121207


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      A man who jibbed at authority in other things as some people do
      in religion would have to be content to know nothing all his life
      - C. S. Lewis
      victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
      http://blogs.securiteam.com/index.php/archives/author/p1/
      http://twitter.com/rslade