
List:       isn
Subject:    [ISN] REVIEW: "Web Security Sourcebook"
From:       mea culpa <jericho () dimensional ! com>
Date:       1998-09-26 9:24:36


Original source: Risks Digest 19.97
From: "Rob Slade" <rslade@sprint.ca>

BKWBSCSB.RVW   980711

"Web Security Sourcebook", Aviel D. Rubin/Daniel Geer/Marcus J. Ranum,
1997, 0-471-18148-X, U$29.99/C$42.50
%A   Aviel D. Rubin rubin@bellcore.com
%A   Daniel Geer
%A   Marcus J. Ranum
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1997
%G   0-471-18148-X
%I   John Wiley & Sons, Inc.
%O   U$29.99/C$42.50 416-236-4433 fax: 416-236-4448
%P   350 p.
%T   "Web Security Sourcebook"

As Steve Bellovin notes in the foreword, complexity and security are
antithetical.  To have a complete picture of the security of a single
transaction in World Wide Web activity one must consider the hardware of
the user, the operating system of the user, the client software of the
user, the hardware of the host, the operating system of the host, the
server software of the host, the base transport protocol, the higher level
(generally HTTP:  the HyperText Transport Protocol) protocol, the general
structure of the network itself, and the various forms of content.  To
expect a short book to cover all of this material is unrealistic.  The
current work, however, is of inconsistent quality and falls short even of
a much reduced target. 

Chapter one looks at basic Web history and technology plus a few
illustrative security loopholes.  While basic browser security information
is presented in chapter two, the presentation is disorganized and seems to
stress some relatively improbable risks.  On the other hand, it does point
out some important and little known problems with Internet Explorer. 
Advanced browser security lists a good deal of misinformation about
cookies (along with some real dope) and discusses anonymous remailers in
chapter three. 

The discussion of scripting, in chapter four, is simplistic in the
extreme.  While I would personally agree with the assessment that
JavaScript and ActiveX are not worth the security hazards they represent,
these technologies deserve more than the terse dismissal they receive in
the text.  Java gets somewhat more detailed discussion but the authors do
not appear to distinguish between design factors and specific
implementation bugs limited to a given platform.  Server security is
limited to UNIX permissions in chapter five.  Chapter six looks primarily
at commercial cryptographic products, but without having built a solid
foundation for their effective use.  Scripting is again reviewed in
chapter seven, this time concentrating on (again) UNIX CGI (Common Gateway
Interface) programming for sanitizing input from users.

The overview of firewall technologies in chapter eight is reasonable and
balanced, citing the different types of firewalls, their strengths and
weaknesses, and the fact that firewalls can only be one tool in a larger
security strategy, never a complete answer.  Chapter nine presents the
different protocols in transaction security quite well, but fails to give
an analysis of the social and market forces that are equally important to
the overall picture.  Some systems for electronic payment are compared in
chapter ten.  Predicting the future is, of course, problematic, but
chapter eleven seems to contain more faults than can legitimately be said
to be inherent to the process.  As only one example, the authors look
forward with trepidation to "network aware" viruses.  I'm sorry to tell
you this, guys, but the proof of that concept happened in the wild more
than a decade before you wrote the book, and has transpired depressingly
often since.

The presentation of this text as a sourcebook is probably valid on the one
hand: the primary value of the tome lies in the mention of various
commercial systems related to Web security.  It cannot, however, be
recommended as a sole source.  Both a conceptual background and an overall
review of the totality of Web security factors are missing.  There are
interesting points in the book, and even useful tips, but while it may
belong on the bookshelf of the dedicated Web administrator it is not
necessarily a must read for those with limited resources.

copyright Robert M. Slade, 1998   BKWBSCSB.RVW   980711

-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
