REVIEW: “The Tangled Web: A Guide to Securing Modern Web Applications”, Michael Zalewski

BKTNGWEB.RVW   20121207

“The Tangled Web: A Guide to Securing Modern Web Applications”, Michael Zalewski, 2012, 978-1-59327-388-0, U$49.95/C$52.95
%A   Michael Zalewski
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2012
%G   978-1-59327-388-0 1-59327-388-6
%I   No Starch Press
%O   U$49.95/C$52.95 415-863-9900 fax 415-863-9950 info@nostarch.com
%O  http://www.amazon.com/exec/obidos/ASIN/1593273886/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1593273886/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1593273886/robsladesin03-20
%O   Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   299 p.
%T   “The Tangled Web: A Guide to Securing Modern Web Applications”

In the preface, the author dismisses security experts as academic, ineffectually worried, and unaware of the importance of the Web.  (Zalewski makes reference to a “confused deputy problem” being “regularly” referred to in academic security literature.  I’ve never heard of it.)  He blames them for the current insecure state of Web applications.  I suspect this is a bit unfair, given the “citizen programmer” status of huge numbers of Web projects, and the time and feature pressure this places on the rest.  It is unfortunate that some security specialists have not regarded the Web as significant, but it is critical that most security specialist don’t know how to program, and most programmers don’t care anything about security.

He also says the book is about repentance, and a step towards normalcy.  (Normalcy is not defined.

Chapter one is an introduction, both to information security, and to Web application development.  Starting off by misattributing one of Gene Spafford’s quotes, the author complains about any and all attempts to structure or define security.  (Rather inconsistently, while he derides taxonomies, he does recommend designing systems so as to deal with “classes” of bugs.  The difference between a class and a taxon is not explained.)

Part one outlines the principal concepts of the Web.  Chapter two starts us off with the URL (Uniform Resource Locator), noting some of the problems with different types of encoding.  From this point in the book, each chapter concludes with a “Security Engineering Cheat Sheet,” listing potential problems, and suggesting broad approaches (without details) to dealing with those issues.  HTTP (the HyperText Transfer Protocol) is the subject of chapter three, primarily concerning the handling of user data.  (Since the author is fond of quotes, I’ll give him one from Tony Buckland, several years before the invention of the Web: “The client interface is the boundary of trustworthiness.”)  Chapters four to eight cover HTML (HyperText Markup Language), CSS (Cascading Style Sheets), browser scripting (concentrating exclusively on JavaScript), non-HTML data (mostly XML), and plug-ins.

Part two turns to browser security features.  Chapter nine talks about isolating content, so that different sites or documents don’t interfere with each other.  Determining where and to whom a page belongs is addressed in chapter ten.  Chapter eleven expands the details of problems caused by allowing disparate documents to interact.  Other security boundaries, such as local storage, networks, ports, and cookies, are reviewed in chapter twelve.  Recognizing content, when the “Content-Type” description may be problematic, is in chapter thirteen.  Chapter fourteen suggests ways to deal with malicious scripts.  Specifically setting or raising permissions is discussed in chapter fifteen.

Part three looks ahead to Web application security issues as they may develop in the future.  New and coming security features are noted in chapters sixteen and seventeen.  Chapter eighteen reviews the all-too-common Web vulnerabilities (such as cross-site scripting and “Referer” leakage).

Absent the complaints about the rest of the security field, this is a decent and technical guide to problems which should be considered for any Web application project.  It’s not a cookbook, but provides solid advice for designers and developers.

copyright, Robert M. Slade   2013   BKTNGWEB.RVW   20121207

Share