[ISN] REVIEW: "E-Commerce Security"

From: mea culpa (jerichoat_private)
Date: Thu Nov 05 1998 - 19:55:20 PST


    From: "Rob Slade, doting grandpa of Ryan and Trevor" <rsladeat_private>
    
    BKECMSEC.RVW   981003
    
    "E-Commerce Security", Anup K. Ghosh, 1998, 0-471-19223-6,
    U$24.99/C$35.50
    %A   Anup K. Ghosh
    %C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
    %D   1998
    %G   0-471-19223-6
    %I   John Wiley & Sons, Inc.
    %O   U$24.99/C$35.50 416-236-4433 fax: 416-236-4448
    %P   288 p.
    %T   "E-Commerce Security: Weak Links, Best Defenses"
    
    The title is ever so slightly misleading in that the topic is not
    electronic commerce as a whole, but the (admittedly most popular) Web
    segment of it.  However, within this limit, the book does provide solid
    coverage and good advice for a whole range of issues. 
    
    Chapter one is a general introduction to the factors involved, looking at
    some recent "attacks" of various types, and then reviewing the client,
    transport, server, and operating system components to be examined in the
    remainder of the book.  Client (generally browser) flaws are covered
    thoroughly in chapter two.  The breadth of coverage even includes mention
    of topics such as the concern for privacy considerations with cookies.
    Active content is the major concern, with an excellent discussion of
    ActiveX (entitled "ActiveX [In]security"), a reasonably detailed review of
    the Java security model, and a look at JavaScript.  Unfortunately, very
    little of this touches directly on e-commerce as such, except insofar as
    insecure client technology is going to make e-commerce a harder sell to
    the general public.  While covering the transport of transaction
    information, in chapter three, Ghosh makes an interesting distinction
    between stored account systems (where you want to secure the transmission
    of identification data) and stored value systems (where the data, once
    transmitted, is useless to an eavesdropper).  Many books concentrate on
    either channel security or electronic cash systems, so this comparison is
    instructive. 
    
    A server involves multiple programs, and may involve multiple machines. 
    Server security can quickly become complex, and this is quite evident in
    chapter four.  While a great deal of useful and thought-provoking
    information is presented, the complicated nature of the undertaking works
    against this chapter.  Not all topics are dealt with thoroughly, or as
    well as the previous material was.  Oddly, one issue not covered in depth
    is the firewall, which is handled very well in chapter five, with
    operating system problems.  Ghosh sets up a classification scheme for OS
    attacks, illustrated by specific weaknesses in Windows NT and UNIX. 
    
    The book ends in chapter six with a call for certification of software,
    greater attention to security in all forms of software, and,
    interestingly, for greater use of component software.  (From the jacket
    material, it appears that Ghosh is currently involved in the promotion of
    component software systems.) 
    
    Each chapter ends with a set of references.  Unlike all too many books
    with bibliographies stuffed with obscure citations from esoteric journals,
    the bulk of the material listed is available on the Internet.
    (RISKS-FORUM Digest readers may already have seen much of it.)  A separate
    section lists Web sites used in the text. 
    
    The various issues dealt with in the book are explained clearly, and
    generally present counsel on the best practices for secure online
    commerce.  A compact but comprehensive guide to the current state of
    electronic transaction security. 
    
    copyright Robert M. Slade, 1998   BKECMSEC.RVW   981003
    