Original source: Risks Digest 19.97 From: "Rob Slade" <rsladeat_private> BKWBSCSB.RVW 980711 "Web Security Sourcebook", Aviel D. Rubin/Daniel Geer/Marcus J. Ranum, 1997, 0-471-18148-X, U$29.99/C$42.50 %A Aviel D. Rubin rubinat_private %A Daniel Geer %A Marcus J. Ranum %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 1997 %G 0-471-18148-X %I John Wiley & Sons, Inc. %O U$29.99/C$42.50 416-236-4433 fax: 416-236-4448 %P 350 p. %T "Web Security Sourcebook" As Steve Bellovin notes in the foreword, complexity and security are antithetical. To have a complete picture of the security of a single transaction in World Wide Web activity one must consider the hardware of the user, the operating system of the user, the client software of the user, the hardware of the host, the operating system of the host, the server software of the host, the base transport protocol, the higher level (generally HTTP: the HyperText Transport Protocol) protocol, the general structure of the network itself, and the various forms of content. To expect a short book to cover all of this material is unrealistic. The current work, however, is of inconsistent quality and falls short even of a much reduced target. Chapter one looks at basic Web history and technology plus a few illustrative security loopholes. While basic browser security information is presented in chapter two, the presentation is disorganized and seems to stress some relatively improbable risks. On the other hand, it does point out some important and little known problems with Internet Explorer. Advanced browser security lists a good deal of misinformation about cookies (along with some real dope) and discusses anonymous remailers in chapter three. The discussion of scripting, in chapter four, is simplistic in the extreme. While I would personally agree with the assessment that JavaScript and ActiveX are not worth the security hazards they represent, these technologies deserve more than the terse dismissal they receive in the text. Java gets somewhat more detailed discussion but the authors do not appear to distinguish between design factors and specific implementation bugs limited to a given platform. Server security is limited to UNIX permissions in chapter five. Chapter six looks primarily at commercial cryptographic products, but without having built a solid foundation for their effective use. Scripting is again reviewed in chapter seven, this time concentrating on (again) UNIX CGI (Common Gateway Interface) programming for sanitizing input from users. The overview of firewall technologies in chapter eight is reasonable and balanced, citing the different types of firewalls, their strengths and weaknesses, and the fact that firewalls can only be one tool in a larger security strategy, never a complete answer. Chapter nine presents the different protocols in transaction security quite well, but fails to give an analysis of the social and market forces that are equally important to the overall picture. Some systems for electronic payment are compared in chapter ten. Predicting the future is, of course, problematic, but chapter eleven seems to contains more faults than can legitimately be said to be inherent to the process. As only one example, the authors look forward with trepidation to "network aware" viruses. I'm sorry to tell you this, guys, but the proof of that concept happened in the wild more than a decade before you wrote the book, and has transpired depressingly often since. The presentation of this text as a sourcebook is probably valid on the one hand: the primary value of the tome lies in the mention of various commercial systems related to Web security. It cannot, however, be recommended as a sole source. Both a conceptual background and an overall review of the totality of Web security factors are missing. There are interesting points in the book, and even useful tips, but while it may belong on the bookshelf of the dedicated Web administrator it is not necessarily a must read for those with limited resources. copyright Robert M. Slade, 1998 BKWBSCSB.RVW 980711 -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:06:03 PDT