Web Security, Privacy and Commerce

Slashdot reader rw2 (aka Rich Wellner) writes: "I was excited about this book because rarely does one come out that so directly applies to what I do day to day. I work at a national research lab, help out at a web hosting facility and run poliglut in my spare time. So, I'm used to dealing with the cleanup that occurs after a successful attack." The book is O'Reilly's updated Web Security, Privacy and Commerce. Read on for more of Rich's take on it. Web Security, Privacy and Commerce author Simson Garfinkel, Gene Spafford (Contributor), Debby Russell pages 800 publisher O'Reillly & Associates rating 10 reviewer rw2 ISBN 0596000456 summary A needed update to a reliable classic by well respected security experts.

My single biggest problem is typically that, while highly technical , I don't do security as a full time job. Reading the literature needed to become really expert just isn't in the cards. It's enough to keep up with Java, Python, C++ and grid computing stuff. Even though there is substantial overlap between grids and security, much of grid thought is separate from the implementations that are dealt with in this book. Besides, my group does large-scale data storage. We leave the security infrastructure to specialists.

Garfinkel's book is great for a guy like me. They take every subject from a level that is trivial to understand down to as much detail as you need. Even in areas that I understand pretty well, I found this book taught me new stuff. For example, in their section dealing with the history of browsers I had a handful of false memories corrected, despite having been around for longer than the web.

They've broken the book down into four sections, Web Technology, Privacy and Security for Users, Web Server Security and Security for Content Providers.

Web Technology

This section deals with the pieces that all the other sections depend on. Particularly interesting are the parts about the different kinds of cryptographic systems. They talk about symmetric and public key systems and message digest functions. These building blocks are then put to use in chapters on SSL/TLS and digital identification. This section also gives a brief history of the web and how it was assembled.

Privacy and Security for Users

These chapters are split between mobile code, Java, ActiveX, Flash and such and all other safety/privacy issues. In the chapter on backups, the authors tell an amusing story about backups that were being done by someone who hadn't been properly trained. She would start the job, then go and read a book. The backup would throw errors, but when the session timed out the errors were lost and the screen looked like a normal termination when she returned. This apparently went on for quite some time before being caught. So check your backups, kids!

This sections also has an interesting chapter on email privacy and a couple different services/methods for using encryption to secure your mail and, better yet, send email that cannot be read after a certain date.

Web Server Security

Every sysad in the business should make sure to read this section, which starts out talking about physical security (because if you don't have that the rest may not matter), and continues all the way down to deploying certificates.

Security for Content Providers

Finally, the book finishes up with a few chapters that are mostly about the legalities of running a site. This combines client authentication with privacy policies, digital payments and intellectual property into a good if less technical ending.

Overall

One interesting aspect of the authors' overall approach is that they are so platform neutral. I didn't expect this from a team that wrote books on Unix security, but they have chapters on ActiveX issues and it isn't dealt with in the flip manner that Unix people often use toward other OSes. Even their screen shots are in Windows. You definitely get the feeling these guys know there stuff from more than one perspective.

We happen to be talking a lot about public key infrastructures at work lately, and the chapters on digital certificates were quite handy in getting up to speed on the different issues. As with other sections, they deal not only with the bit twiddling involved but also with history and policy. The human issues. Very useful stuff about an area that not many think about and about which the existing writing is fairly opaque.

So, if you're needing to learn more about this subject I can't think of another book I would recommend before it. I've been motivated enough to write a review on it, and for most of us that's probably a ringing endorsement by itself!

You can purchase Web Security, Privacy and Commerce at Fatbrain.

the problem i've noticed..

[MoceanWorker]

as amazing and helpful as these books are, and other great online resources not to mention, a majority of sys admins don't apply what they've learned on their servers... at the last company I worked for... our department specifically hired a "security" guy... of course he was just a guy who just got his MCSE 2000 :-P but that's another thing... the thing is, the guy knew squat.. in the time we hired this guy, till the company i worked for went out of business... 2 servers in the company got hacked (NT boxes.. nothing special).. he did nothing about it... maybe it was just where i worked.. but it's just sad how anyone can just get some sort of a certificate and automatically classify them as a "sys admin" or something ridiculous like that

*sigh* just my 2 cents as always ;-)

MCSE = Microsoft Certified Solitaire Expert