[ISN] REVIEW: "Web Security Sourcebook"

From: mea culpa (jerichoat_private)
Date: Sat Sep 26 1998 - 02:24:36 PDT

  • Next message: mea culpa: "[ISN] High Security Encryption System Contest"

    Original source: Risks Digest 19.97
    From: "Rob Slade" <rsladeat_private>
    
    BKWBSCSB.RVW   980711
    
    "Web Security Sourcebook", Aviel D. Rubin/Daniel Geer/Marcus J. Ranum,
    1997, 0-471-18148-X, U$29.99/C$42.50
    %A   Aviel D. Rubin rubinat_private
    %A   Daniel Geer
    %A   Marcus J. Ranum
    %C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
    %D   1997
    %G   0-471-18148-X
    %I   John Wiley & Sons, Inc.
    %O   U$29.99/C$42.50 416-236-4433 fax: 416-236-4448
    %P   350 p.
    %T   "Web Security Sourcebook"
    
    As Steve Bellovin notes in the foreword, complexity and security are
    antithetical.  To have a complete picture of the security of a single
    transaction in World Wide Web activity one must consider the hardware of
    the user, the operating system of the user, the client software of the
    user, the hardware of the host, the operating system of the host, the
    server software of the host, the base transport protocol, the higher level
    (generally HTTP:  the HyperText Transport Protocol) protocol, the general
    structure of the network itself, and the various forms of content.  To
    expect a short book to cover all of this material is unrealistic.  The
    current work, however, is of inconsistent quality and falls short even of
    a much reduced target. 
    
    Chapter one looks at basic Web history and technology plus a few
    illustrative security loopholes.  While basic browser security information
    is presented in chapter two, the presentation is disorganized and seems to
    stress some relatively improbable risks.  On the other hand, it does point
    out some important and little known problems with Internet Explorer. 
    Advanced browser security lists a good deal of misinformation about
    cookies (along with some real dope) and discusses anonymous remailers in
    chapter three. 
    
    The discussion of scripting, in chapter four, is simplistic in the
    extreme.  While I would personally agree with the assessment that
    JavaScript and ActiveX are not worth the security hazards they represent,
    these technologies deserve more than the terse dismissal they receive in
    the text.  Java gets somewhat more detailed discussion but the authors do
    not appear to distinguish between design factors and specific
    implementation bugs limited to a given platform.  Server security is
    limited to UNIX permissions in chapter five.  Chapter six looks primarily
    at commercial cryptographic products, but without having built a solid
    foundation for their effective use.  Scripting is again reviewed in
    chapter seven, this time concentrating on (again) UNIX CGI (Common Gateway
    Interface) programming for sanitizing input from users.
    
    The overview of firewall technologies in chapter eight is reasonable and
    balanced, citing the different types of firewalls, their strengths and
    weaknesses, and the fact that firewalls can only be one tool in a larger
    security strategy, never a complete answer.  Chapter nine presents the
    different protocols in transaction security quite well, but fails to give
    an analysis of the social and market forces that are equally important to
    the overall picture.  Some systems for electronic payment are compared in
    chapter ten.  Predicting the future is, of course, problematic, but
    chapter eleven seems to contains more faults than can legitimately be said
    to be inherent to the process.  As only one example, the authors look
    forward with trepidation to "network aware" viruses.  I'm sorry to tell
    you this, guys, but the proof of that concept happened in the wild more
    than a decade before you wrote the book, and has transpired depressingly
    often since.
    
    The presentation of this text as a sourcebook is probably valid on the one
    hand: the primary value of the tome lies in the mention of various
    commercial systems related to Web security.  It cannot, however, be
    recommended as a sole source.  Both a conceptual background and an overall
    review of the totality of Web security factors are missing.  There are
    interesting points in the book, and even useful tips, but while it may
    belong on the bookshelf of the dedicated Web administrator it is not
    necessarily a must read for those with limited resources.
    
    copyright Robert M. Slade, 1998   BKWBSCSB.RVW   980711
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:06:03 PDT