Slashdot Mirror
Web Security, Privacy and Commerce
My single biggest problem is typically that, while highly technical , I don't do security as a full time job. Reading the literature needed to become really expert just isn't in the cards. It's enough to keep up with Java, Python, C++ and grid computing stuff. Even though there is substantial overlap between grids and security, much of grid thought is separate from the implementations that are dealt with in this book. Besides, my group does large-scale data storage. We leave the security infrastructure to specialists.
Garfinkel's book is great for a guy like me. They take every subject from a level that is trivial to understand down to as much detail as you need. Even in areas that I understand pretty well, I found this book taught me new stuff. For example, in their section dealing with the history of browsers I had a handful of false memories corrected, despite having been around for longer than the web.
They've broken the book down into four sections, Web Technology, Privacy and Security for Users, Web Server Security and Security for Content Providers.
Web Technology
This section deals with the pieces that all the other sections depend on. Particularly interesting are the parts about the different kinds of cryptographic systems. They talk about symmetric and public key systems and message digest functions. These building blocks are then put to use in chapters on SSL/TLS and digital identification. This section also gives a brief history of the web and how it was assembled.
Privacy and Security for Users
These chapters are split between mobile code, Java, ActiveX, Flash and such and all other safety/privacy issues. In the chapter on backups, the authors tell an amusing story about backups that were being done by someone who hadn't been properly trained. She would start the job, then go and read a book. The backup would throw errors, but when the session timed out the errors were lost and the screen looked like a normal termination when she returned. This apparently went on for quite some time before being caught. So check your backups, kids!
This sections also has an interesting chapter on email privacy and a couple different services/methods for using encryption to secure your mail and, better yet, send email that cannot be read after a certain date.
Web Server Security
Every sysad in the business should make sure to read this section, which starts out talking about physical security (because if you don't have that the rest may not matter), and continues all the way down to deploying certificates.
Security for Content Providers
Finally, the book finishes up with a few chapters that are mostly about the legalities of running a site. This combines client authentication with privacy policies, digital payments and intellectual property into a good if less technical ending.
Overall
One interesting aspect of the authors' overall approach is that they are so platform neutral. I didn't expect this from a team that wrote books on Unix security, but they have chapters on ActiveX issues and it isn't dealt with in the flip manner that Unix people often use toward other OSes. Even their screen shots are in Windows. You definitely get the feeling these guys know there stuff from more than one perspective.
We happen to be talking a lot about public key infrastructures at work lately, and the chapters on digital certificates were quite handy in getting up to speed on the different issues. As with other sections, they deal not only with the bit twiddling involved but also with history and policy. The human issues. Very useful stuff about an area that not many think about and about which the existing writing is fairly opaque.
So, if you're needing to learn more about this subject I can't think of another book I would recommend before it. I've been motivated enough to write a review on it, and for most of us that's probably a ringing endorsement by itself!
You can purchase Web Security, Privacy and Commerce at Fatbrain.
(And as always with books from Garfinkel, a good and fun read)
What that review doesn't tell me is whether the book addresses security as a software issue. Many system exploits can be traced to specific programming practices, often to kernel level, but more often in userspace code.
This book is not a programmers manual, so you will have to keep looking if that's what you want.
I understand what you are looking for, but I wonder if it isn't too language specific to be a practical seller.
I received an advance copy of this book from Simson. I agree that it is a very good book. However there is one topic that was not discussed. I've emailed Simson about this and if another revision is done, they will include more info on it.
The topic left out is the issue of third-party servers. Many companies, particularly small business, use third party hosting. As such, the SSL provided for their form submission process only protects the information from the client computer (the consumer) to the web server (at the third party location). It does nothing to protect how that information gets from that third-party server back to the company. You would be surprised how many companies simply take that sensitive information (credit card numbers, etc.) and package it into an email message and send it to the company via plaintext email. Not very secure.
I wrote a paper on this subject in 1999 which is still posted at http://jsweb.net/paper.htm entitled "Are Secure Internet Transactions Really Secure?" I encourage you to take a look at it to learn more about how many companies are only providing a false sense of security, and not really protecting your information as it transits the Internet.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.
Immunix: Security Hardened Linux Distribution
Available for purchase