Slashdot Mirror

← Back to Stories (view on slashdot.org)

Web Security, Privacy and Commerce

Posted by timothy on from the prying-eyes-need-removal-and-squashing dept.

Slashdot reader rw2 (aka Rich Wellner) writes: "I was excited about this book because rarely does one come out that so directly applies to what I do day to day. I work at a national research lab, help out at a web hosting facility and run poliglut in my spare time. So, I'm used to dealing with the cleanup that occurs after a successful attack." The book is O'Reilly's updated Web Security, Privacy and Commerce. Read on for more of Rich's take on it. Web Security, Privacy and Commerce author Simson Garfinkel, Gene Spafford (Contributor), Debby Russell pages 800 publisher O'Reillly & Associates rating 10 reviewer rw2 ISBN 0596000456 summary A needed update to a reliable classic by well respected security experts.

My single biggest problem is typically that, while highly technical , I don't do security as a full time job. Reading the literature needed to become really expert just isn't in the cards. It's enough to keep up with Java, Python, C++ and grid computing stuff. Even though there is substantial overlap between grids and security, much of grid thought is separate from the implementations that are dealt with in this book. Besides, my group does large-scale data storage. We leave the security infrastructure to specialists.

Garfinkel's book is great for a guy like me. They take every subject from a level that is trivial to understand down to as much detail as you need. Even in areas that I understand pretty well, I found this book taught me new stuff. For example, in their section dealing with the history of browsers I had a handful of false memories corrected, despite having been around for longer than the web.

They've broken the book down into four sections, Web Technology, Privacy and Security for Users, Web Server Security and Security for Content Providers.

Web Technology

This section deals with the pieces that all the other sections depend on. Particularly interesting are the parts about the different kinds of cryptographic systems. They talk about symmetric and public key systems and message digest functions. These building blocks are then put to use in chapters on SSL/TLS and digital identification. This section also gives a brief history of the web and how it was assembled.

Privacy and Security for Users

These chapters are split between mobile code, Java, ActiveX, Flash and such and all other safety/privacy issues. In the chapter on backups, the authors tell an amusing story about backups that were being done by someone who hadn't been properly trained. She would start the job, then go and read a book. The backup would throw errors, but when the session timed out the errors were lost and the screen looked like a normal termination when she returned. This apparently went on for quite some time before being caught. So check your backups, kids!

This sections also has an interesting chapter on email privacy and a couple different services/methods for using encryption to secure your mail and, better yet, send email that cannot be read after a certain date.

Web Server Security

Every sysad in the business should make sure to read this section, which starts out talking about physical security (because if you don't have that the rest may not matter), and continues all the way down to deploying certificates.

Security for Content Providers

Finally, the book finishes up with a few chapters that are mostly about the legalities of running a site. This combines client authentication with privacy policies, digital payments and intellectual property into a good if less technical ending.

Overall

One interesting aspect of the authors' overall approach is that they are so platform neutral. I didn't expect this from a team that wrote books on Unix security, but they have chapters on ActiveX issues and it isn't dealt with in the flip manner that Unix people often use toward other OSes. Even their screen shots are in Windows. You definitely get the feeling these guys know there stuff from more than one perspective.

We happen to be talking a lot about public key infrastructures at work lately, and the chapters on digital certificates were quite handy in getting up to speed on the different issues. As with other sections, they deal not only with the bit twiddling involved but also with history and policy. The human issues. Very useful stuff about an area that not many think about and about which the existing writing is fairly opaque.

So, if you're needing to learn more about this subject I can't think of another book I would recommend before it. I've been motivated enough to write a review on it, and for most of us that's probably a ringing endorsement by itself!

You can purchase Web Security, Privacy and Commerce at Fatbrain.

19 of 68 comments (clear)

  1. the problem i've noticed.. by MoceanWorker · · Score: 2, Troll

    as amazing and helpful as these books are, and other great online resources not to mention, a majority of sys admins don't apply what they've learned on their servers... at the last company I worked for... our department specifically hired a "security" guy... of course he was just a guy who just got his MCSE 2000 :-P but that's another thing... the thing is, the guy knew squat.. in the time we hired this guy, till the company i worked for went out of business... 2 servers in the company got hacked (NT boxes.. nothing special).. he did nothing about it... maybe it was just where i worked.. but it's just sad how anyone can just get some sort of a certificate and automatically classify them as a "sys admin" or something ridiculous like that

    *sigh* just my 2 cents as always ;-)

    MCSE = Microsoft Certified Solitaire Expert

    --


    "The ones who dont do anything are always the ones who try to pull you down" -- Henry Rollins
    1. Re:the problem i've noticed.. by HMC+CS+Major · · Score: 3, Interesting

      Maybe instead of flaming an obviously standardized course known to produce a lot of windows admins, most of who know only what the book says and nothing more, you should flame those in charge of hiring at your company, for choosing someone from that course rather than someone with proven experience?

      I'm all up for microsoft bashing in some situations. Bitching about security caused by poor admins is not one of them. Fix the admins, by not hiring the bad ones, and maybe they'll realize that if none of the brand new MCSE's can get a job, there's something wrong with the course.

      --
      Video for Online Dating Profiles
    2. Re:the problem i've noticed.. by BigBir3d · · Score: 2, Interesting

      There are a few good reasons people do get an MCSE:

      1. Pay is generally increased
      2. Easy to do, if you know your stuff.
      3. Resume fluff.
      4. In a crappy economy, if you don't have one, the person who does, gets the job :-(

  2. dynamic-ness by kresmoi · · Score: 4, Insightful

    problem is, how often are you going to have to buy the update to the book to stay on top of things, and how far behind 'the scene' is the book already by the time it's published? I would think the dynamic nature of these things would make books on web security a trifle behind the times and impractical, kind of like a dictionary of street slang: It'll get the general stuff right, but the details and inflection are always changing, and the world's in the details.

    However, this ringing review would indicate otherwise. please enlighten?

  3. Interesting review, but... by CatherineCornelius · · Score: 4, Insightful
    What that review doesn't tell me is whether the book addresses security as a software issue. Many system exploits can be traced to specific programming practices, often to kernel level, but more often in userspace code. The above review tells me it's that kind of book I might take a look at, but I'm left wondering if perhaps the book that would give me an insight into how to produce more secure system configurations and help my team to write more secure code has not yet been written.

    As a senior web and database developer, I'm probably more likely to check into security mailing lists and watch out for advisories about the core products of my service delivery systems (whether PHP, JSP, Vignette, Apache, IAS, or whatever). Still, any book that raises awareness of security issues and introduces key concepts in an easy to understand manner is to be applauded.

    1. Re:Interesting review, but... by rw2 · · Score: 3, Informative

      What that review doesn't tell me is whether the book addresses security as a software issue. Many system exploits can be traced to specific programming practices, often to kernel level, but more often in userspace code.

      This book is not a programmers manual, so you will have to keep looking if that's what you want.

      I understand what you are looking for, but I wonder if it isn't too language specific to be a practical seller.

    2. Re:Interesting review, but... by Crispin+Cowan · · Score: 2, Informative
      For a good book on security and programming, try "Building Secure Software" by John Viega and Gary McGraw. I am going to use this book as the course text in the next offering of my graduate security course.

      Crispin
      ----
      Crispin Cowan, Ph.D.
      Chief Scientist, WireX Communications, Inc.
      Immunix: Security Hardened Linux Distribution
      Available for purchase

  4. Eyes Glazing Over by Alien54 · · Score: 2
    While this obviously is important, still we can see plenty of people with their eyes glazing over, even as we type.

    Of course, that is likely why most folks will need this, and why many sites are deficient on security. You need to be fairly expert to run a secure site, and this is an area where alot of folks sorta fall down.

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:Eyes Glazing Over by 4of12 · · Score: 3, Funny

      still we can see plenty of people with their eyes glazing over, even as we type.

      There are a lot of analogies between doing proper computer security and life in the Army.

      Mind numbing bureaucracy, paperwork, jargon, 98% of the time you are bored stiff, and, then, 2% of the time is pure terror.

      --
      "Provided by the management for your protection."
  5. Knowing multiple platforms is a good thing by Junks+Jerzey · · Score: 3, Insightful

    You definitely get the feeling these guys know there stuff from more than one perspective.

    Grammar aside, that's a good recommendation for the book. I'm getting tired of all the dismissals of anything Windows with flippant, often incorrect, remarks. (For example, it seems that many Slashdotters don't realize that Windows XP is based on Windows NT, not Windows 95.) When you expand your horizons, you expand your knowledge. And as a bonus it makes you less bitter.

  6. Another good resource by the_rev_matt · · Score: 2

    I'm definitely going to check this one out, as I'm something of a security freak. I'm currently reading "Security Engineering" by Ross Anderson (Wiley) and while the author has an obvious bias in favor of Windows, it is a great look at designing security for distributed systems.

    --
    this is getting old and so are you

    blog

  7. You made two statements ... by TheViffer · · Score: 3, Insightful

    Garfinkel's book is great for a guy like me. They take every subject from a level that is trivial to understand down to as much detail as you need.

    One interesting aspect of the authors' overall approach is that they are so platform neutral. I didn't expect this from a team that wrote books on Unix

    I believe there is only so much that this book (which I have not seen yet) can cover. If there were "levels" of detail regarding a book, this sounds like it covers the first three, and leave the bottom two to that of the reader to explore furthor.

    As for being "platform neutral", it should be. The "web" was never designed to be used for a particular OS or browser (though Microsoft would like to believe otherwise).

    The book covers "web" issues and not OS issues.

    --
    -- Knowing too much can get you killed, but knowing who knows too much can make you rich.
  8. To Improve Security 100%...... by tagplazen · · Score: 5, Interesting

    ..remove the words "Well, it's okay because that box is sitting behind our firewall" from everybodys lexicon.

    The point was raised above about how out of date this book would be by the time it was released. I honestly don't believe that's as big of an issue as people seem to think, 99% of the battle with keeping our networks secure is just getting people to consider the issue in the first place. Any book I can throw at our apps developers that gets them even thinking about the broad issues is a good thing, because once the seed is planted, then they come over and ask us what we would reccomend as they're working on their apps. Over the past six months we've seen the 'Ooops, you mean that travel site with the form for people to put their CC number in should be SSL'd?' to almost daily informal meetings about what they're doing and how we can support them.

    Our biggest nightmare has been the sysadmins. The NT sysadmin refuses to apply any patches, 'because then things break', and won't close a single port, 'if you want features, you have to leave things open'. Lots of guerilla midnight work going on behind that boy. ;-)

    Our solaris sysadmin is no better, if you could take the words 'Well, back at Siemans..' out of his vocabulary, he wouldn't have anything to say. Yet, he's very good at the above mentioned meetings for arguing that we're too paranoid, 'Only a very skilled attacker could sniff passwords of our switched network,' and this after multiple times of showing him dsniff and ettercap in action, complete with grabbing his passwords several times. Once again, lots of midnight cowboy fixes behind the back.

    There's a really good book out, Building Secure Software where he brings out some very good points. The best one being that security is put on networkings shoulders, when the real problem is that the developers don't build their applications with security in mind. Therefore, the strategy is to deny attackers access to the errors in the code, when the best practice would be to remove those errors in the first place. That and the quote about ecrypting information in transit is like a guy living on the sidewalk using an armored car to send his credit card information to a man living on the beach in a cardboard box is simply priceless.

  9. Re:Simpson Garfinkel by Brummund · · Score: 3, Informative
    Also, the slightly (ahem) outdated Practical Unix & Internet Security is also recommended. A good walk-through of all things related to security, from social hacking to securing NFS. It's a bit outdated, but it will give you a good start on security basics.

    (And as always with books from Garfinkel, a good and fun read)

  10. yoda? by MemeRot · · Score: 2

    talking weird grammar you are, yes.
    ancient wizard, you?
    Jedi mind tricking your way past security, yes.

  11. One subject that was left out. by mencik · · Score: 4, Informative

    I received an advance copy of this book from Simson. I agree that it is a very good book. However there is one topic that was not discussed. I've emailed Simson about this and if another revision is done, they will include more info on it.

    The topic left out is the issue of third-party servers. Many companies, particularly small business, use third party hosting. As such, the SSL provided for their form submission process only protects the information from the client computer (the consumer) to the web server (at the third party location). It does nothing to protect how that information gets from that third-party server back to the company. You would be surprised how many companies simply take that sensitive information (credit card numbers, etc.) and package it into an email message and send it to the company via plaintext email. Not very secure.

    I wrote a paper on this subject in 1999 which is still posted at http://jsweb.net/paper.htm entitled "Are Secure Internet Transactions Really Secure?" I encourage you to take a look at it to learn more about how many companies are only providing a false sense of security, and not really protecting your information as it transits the Internet.

  12. in 3 years? by MemeRot · · Score: 2

    What's your point? In 10 years everything anyone does in computers today will be obsolete. Does that mean nobody should bother? If nobody bothered then nobody would make the advances...

    There is no perfect security. That doesn't mean you should just be happy with no security.

  13. The real security hole... by MemeRot · · Score: 2

    Social hacking. "Hey yeah, this is uh, Joe from finance. What's the password to log into the database again? Thanks." No use building million dollar impregnable walls if the gatekeeper waves the invading hordes right on through....

    I agree that SSL does give a false sense of security, especially with credit card numbers. Truly private info like credit card numbers should always be stored in ecrypted form, not just transmitted in encrypted form. I'm amazed especially at stories of dot-coms where a hacker managed to penetrate a database and then have access to a million credit cards. Ridiculous. You can keep 9 out of 10 hackers out with good external security. Out of the ones that get thru, the 1 in 100 who could deal with and decrypt the card numbers in the database will probably decide it's not worthwhile and go steal them from someone less cautious.

  14. The book will be outdated? Think again. by gordguide · · Score: 3, Insightful

    "The book will be outdated in (insert your favorite timetable here)" should all be moderated as obvious. I mean, really, there are people out there trying to make sex itself outdated sometime in the future, but I live in the here and now. What this or any well-written book does is it gives us an understanding of the issues and a foundation for future learning. Read it and forget it is no more a stragegy than not reading it at all.

    If it is a good read that makes the complicated less intimidating, I would consider it an excellent foundation for those who aren't up on the issues but want to get started.