REVIEW: "The Tangled Web: A Guide to Securing Modern Web Applications", Michael Zalewski
- BKTNGWEB.RVW 20121207
"The Tangled Web: A Guide to Securing Modern Web Applications",
Michael Zalewski, 2012, 978-1-59327-388-0, U$49.95/C$52.95
%A Michael Zalewski
%C 555 De Haro Street, Suite 250, San Francisco, CA 94107
%G 978-1-59327-388-0 1-59327-388-6
%I No Starch Press
%O U$49.95/C$52.95 415-863-9900 fax 415-863-9950 info@...
%O Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 299 p.
%T "The Tangled Web: A Guide to Securing Modern Web Applications"
In the preface, the author dismisses security experts as academic,
ineffectually worried, and unaware of the importance of the Web.
(Zalewski makes reference to a "confused deputy problem" being
"regularly" referred to in academic security literature. I've never
heard of it.) He blames them for the current insecure state of Web
applications. I suspect this is a bit unfair, given the "citizen
programmer" status of huge numbers of Web projects, and the time and
feature pressure this places on the rest. It is unfortunate that some
security specialists have not regarded the Web as significant, but it
is critical that most security specialists don't know how to program,
and most programmers don't care anything about security.
He also says the book is about repentance, and a step towards
normalcy. (Normalcy is not defined.)
Chapter one is an introduction, both to information security, and to
Web application development. Starting off by misattributing one of
Gene Spafford's quotes, the author complains about any and all
attempts to structure or define security. (Rather inconsistently,
while he derides taxonomies, he does recommend designing systems so as
to deal with "classes" of bugs. The difference between a class and a
taxon is not explained.)
Part one outlines the principal concepts of the Web. Chapter two
starts us off with the URL (Uniform Resource Locator), noting some of
the problems with different types of encoding. From this point in the
book, each chapter concludes with a "Security Engineering Cheat
Sheet," listing potential problems, and suggesting broad approaches
(without details) to dealing with those issues. HTTP (the HyperText
Transfer Protocol) is the subject of chapter three, primarily
concerning the handling of user data. (Since the author is fond of
quotes, I'll give him one from Tony Buckland, several years before the
invention of the Web: "The client interface is the boundary of
trustworthiness.") Chapters four to eight cover HTML (HyperText
Markup Language), CSS (Cascading Style Sheets), browser scripting
Part two turns to browser security features. Chapter nine talks about
isolating content, so that different sites or documents don't
interfere with each other. Determining where and to whom a page
belongs is addressed in chapter ten. Chapter eleven expands the
details of problems caused by allowing disparate documents to
interact. Other security boundaries, such as local storage, networks,
ports, and cookies, are reviewed in chapter twelve. Recognizing
content, when the "Content-Type" description may be problematic, is in
chapter thirteen. Chapter fourteen suggests ways to deal with
malicious scripts. Specifically setting or raising permissions is
discussed in chapter fifteen.
Part three looks ahead to Web application security issues as they may
develop in the future. New and coming security features are noted in
chapters sixteen and seventeen. Chapter eighteen reviews the all-too-
common Web vulnerabilities (such as cross-site scripting and "Referer"
Absent the complaints about the rest of the security field, this is a
decent and technical guide to problems which should be considered for
any Web application project. It's not a cookbook, but provides solid
advice for designers and developers.
copyright, Robert M. Slade 2013 BKTNGWEB.RVW 20121207