REVIEW: “The Tangled Web: A Guide to Securing Modern Web Applications”, Michael Zalewski
“The Tangled Web: A Guide to Securing Modern Web Applications”, Michael Zalewski, 2012, 978-1-59327-388-0, U$49.95/C$52.95
%A Michael Zalewski
%C 555 De Haro Street, Suite 250, San Francisco, CA 94107
%G 978-1-59327-388-0 1-59327-388-6
%I No Starch Press
%O U$49.95/C$52.95 415-863-9900 fax 415-863-9950 firstname.lastname@example.org
%O Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 299 p.
%T “The Tangled Web: A Guide to Securing Modern Web Applications”
In the preface, the author dismisses security experts as academic, ineffectually worried, and unaware of the importance of the Web. (Zalewski makes reference to a “confused deputy problem” being “regularly” referred to in academic security literature. I’ve never heard of it.) He blames them for the current insecure state of Web applications. I suspect this is a bit unfair, given the “citizen programmer” status of huge numbers of Web projects, and the time and feature pressure this places on the rest. It is unfortunate that some security specialists have not regarded the Web as significant, but it is critical that most security specialists don’t know how to program, and most programmers don’t care anything about security.
He also says the book is about repentance, and a step towards normalcy. (Normalcy is not defined.)
Chapter one is an introduction, both to information security, and to Web application development. Starting off by misattributing one of Gene Spafford’s quotes, the author complains about any and all attempts to structure or define security. (Rather inconsistently, while he derides taxonomies, he does recommend designing systems so as to deal with “classes” of bugs. The difference between a class and a taxon is not explained.)
Part two turns to browser security features. Chapter nine talks about isolating content, so that different sites or documents don’t interfere with each other. Determining where and to whom a page belongs is addressed in chapter ten. Chapter eleven expands the details of problems caused by allowing disparate documents to interact. Other security boundaries, such as local storage, networks, ports, and cookies, are reviewed in chapter twelve. Recognizing content, when the “Content-Type” description may be problematic, is in chapter thirteen. Chapter fourteen suggests ways to deal with malicious scripts. Specifically setting or raising permissions is discussed in chapter fifteen.
Part three looks ahead to Web application security issues as they may develop in the future. New and coming security features are noted in chapters sixteen and seventeen. Chapter eighteen reviews the all-too-common Web vulnerabilities (such as cross-site scripting and “Referer” leakage).
Absent the complaints about the rest of the security field, this is a decent and technical guide to problems which should be considered for any Web application project. It’s not a cookbook, but provides solid advice for designers and developers.
copyright, Robert M. Slade 2013 BKTNGWEB.RVW 20121207