The Tangled Web: A Guide to Securing Modern Web Applications – #programming #bookreview

The Tangled Web: A Guide to Securing Modern Web Applications
By Michal Zalewski
(No Starch Press, paperback, list price $49.95 ; Kindle edition, list price $31.95)

When Michal Zalewski writes, people listen. And many software programmers pay — or should pay — very close attention to what he recommends.

Zalewski is an internationally respected information security expert who has uncovered hundreds of major Internet security vulnerabilities

“The dream of inventing a brand-new browser security model,” he states in The Tangled Web, “is strong within the community, but it is always followed by the realization that it would require rebuilding the entire Web. Therefore, much of the practical work focuses on more humble extensions to the existing approach, necessarily increasing the complexity of the security-critical sections of the browser codebase.”

Today’s Web indeed is a mess, a complex morass of “design flaws and implementation shortcomings” within a technology “that never aspired to its current status and never had a chance to pause and look back at previous mistakes,” he says. And: “The resulting issues have emerged as some of the most significant and prevalent threats to data security today….”

In his well-written new “Guide to Securing Modern Web Applications,” Zalewski states that “a substantial dose of patience, creativity, and real technical expertise is required from all the information security staff.”

Anyone who works with the Web application stack needs to clearly understand its built-in security vulnerabilities and the consequences that can occur when unwanted penetrations occur.

Zalewski’s 299-page book is structured into three parts – Anatomy of the Web, Browser Security Features, and A Glimpse of Things to Come — and 18 chapters:

  1. Security in the World of Web Applications
  2. It Starts with a URL
  3. Hypertext Transfer Protocol
  4. Hypertext Markup Language
  5. Cascading Style Sheets
  6. Browser-Side Scripts
  7. Non-HTML Document Types
  8. Content Rendering with Browser Plug-ins
  9. Content Isolation Logic
  10. Origin Inheritance
  11. Life Outside Same-Origin Rules
  12. Other Security Boundaries
  13. Content Recognition Mechanisms
  14. Dealing with Rogue Scripts
  15. Extrinsic Site Privileges
  16. New and Upcoming Security Features
  17. Other Browser Mechanisms of Note
  18. Common Web Vulnerabilities

Zalewski’s other published works include Silence on the Wire and Google’s Browser Security Handbook.

Despite the software industry’s many efforts to find security “silver bullets,” Zalewski contends that “[a]ll signs point to security being largely a nonalgorithmic problem for now.” What still works best, he says are three “rudimentary, empirical recipes”:

  1. Learning from (preferably other people’s) mistakes
  2. Developing tools to detect and correct problems
  3. Planning to have everything compromised.

“These recipes are deeply incompatible with many business management models,” he warns, “but they are all that have really worked for us so far.”

Zalewski’s book puts a bright, uncomfortable spotlight on the fundamental insecurities of Web browsers, but it also shows you how to improve the security of Web applications.

Whether you program Web apps, or manage Web app programmers, or are studying to become a Web app programmer, you likely need this book.

Si Dunn‘s latest book is a detective novel, Erwin’s Law. His other published works include Jump, a novella, and a book of poetry, plus several short stories, all available on Kindle. He is a freelance book reviewer for the Dallas Morning News and a former technical writer and software/hardware QA tester.

About these ads

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s